Question posted in 
I want to write a functional test for my endpoints to register a user with WebAuthn.
The first call is to Register Device Options. This is easy as it requires no payload.
Next is Register Device, which requires passing an attestation object.
In JavaScript I could generate like this:
import { startRegistration } from "@simplewebauthn/browser";
const attResp = await startRegistration(optionsJson)
const attestation = JSON.stringify(attResp)
Maybe there would be a solution involving v8js passing in the optionsJson, but I’d rather not have to use v8.
I suppose an api call to another container running node might work.
But really I want a PHP only solution.
Is it possible to generate a WebAuthn attestation object using php?
2
Answers
Generating a WebAuthn attestation object in PHP is challenging because it requires cryptographic operations and interactions with the client-side WebAuth API, which is not directly accessible in PHP.
The
startRegistrationfunction from@simplewebauthn/browseris a client-side Javascript function that issues the WebAuth API to generate the attestation object. This function is not available in PHP and has no direct equivalent.However, you can try this
attestation object
PHP has a cryptography library, such as OpenSSL, but implementing the WebAuthn protocol from scratch would be a significant undertaking.
Technically, there is nothing to prevent you from generating Attestation and Assertion Responses in PHP.
There are keypair generators, CBOR encoders and projects that implement Webauthn[1].
But since PHP is used on the server side and is mainly used to verify Authenticator responses, the existing implementations only offer to read these responses and not generate them.
Nevertheless, it does not seem difficult to me to create a valid response and make a software Authenticator for testing or any other use (and TBH this is something I have in mind for a while).
[1] I am the author of the above mentioned libraries