
I want to write a functional test for my endpoints to register a user with WebAuthn.

The first call is to Register Device Options. This is easy as it requires no payload.

Next is Register Device, which requires passing an attestation object.

In JavaScript I could generate it like this:

```javascript
import { startRegistration } from "@simplewebauthn/browser";

// optionsJson is the PublicKeyCredentialCreationOptions returned by the
// "register device options" endpoint; the browser's WebAuthn API fills in
// the attestation response, which is then serialised for the next request.
const attResp = await startRegistration(optionsJson);
const attestation = JSON.stringify(attResp);
```

Maybe there would be a solution involving v8js passing in the optionsJson, but I’d rather not have to use v8.

I suppose an API call to another container running node might work.

But really I want a PHP only solution.

Is it possible to generate a WebAuthn attestation object using php?

2 Answers


  1. Generating a WebAuthn attestation object in PHP is challenging because it requires cryptographic operations and interactions with the client-side WebAuthn API, which is not directly accessible in PHP.

    The startRegistration function from @simplewebauthn/browser is a client-side JavaScript function that issues the WebAuthn API to generate the attestation object. This function is not available in PHP and has no direct equivalent.

    However, you can try this:

    1. Generate a random challenge
    2. Create a COSE (CBOR Object Signing and Encryption) key pair
    3. Create a CBOR (Concise Binary Object Representation) encoded attestation object
    4. Sign the attestation object with the private key

    PHP has a cryptography library, such as OpenSSL, but implementing the WebAuthn protocol from scratch would be a significant undertaking.

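The four steps listed in the answer above, carried out in plain PHP as an added example (it is not code from either answer, from the poster, or from any of the libraries mentioned): a minimal software authenticator that builds a "packed" self-attestation response in the same JSON shape that startRegistration() returns, so a functional test can post it to the "register device" endpoint. It assumes PHP 8 with ext-openssl; the rp id, origin and challenge are constructed test values, and in a real test the challenge would come from the options endpoint.

```php
<?php
// Added example (not the poster's code). Assumes PHP 8 with ext-openssl; rp id, origin and
// challenge below are constructed test values.
final class Txt { public function __construct(public string $s) {} }  // marks a CBOR text string
function cborHead(int $major, int $n): string {                      // CBOR initial byte + length
    if ($n < 24)      return chr(($major << 5) | $n);
    if ($n < 0x100)   return chr(($major << 5) | 24) . chr($n);
    if ($n < 0x10000) return chr(($major << 5) | 25) . pack('n', $n);
    return chr(($major << 5) | 26) . pack('N', $n);
}
// Minimal CBOR encoder: int, byte string (PHP string), text string (Txt), map (PHP array).
function cbor(mixed $v): string {
    if (is_int($v))        return $v >= 0 ? cborHead(0, $v) : cborHead(1, -1 - $v);
    if (is_string($v))     return cborHead(2, strlen($v)) . $v;
    if ($v instanceof Txt) return cborHead(3, strlen($v->s)) . $v->s;
    $out = cborHead(5, count($v));
    foreach ($v as $k => $item) $out .= cbor(is_int($k) ? $k : new Txt($k)) . cbor($item);
    return $out;
}
function b64url(string $b): string { return rtrim(strtr(base64_encode($b), '+/', '-_'), '='); }
// Returns the same JSON shape startRegistration() produces, for the challenge in the options.
function makeRegistrationResponse(string $rpId, string $origin, string $challengeB64url): array {
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
    $ec  = openssl_pkey_get_details($key)['ec'];
    // COSE_Key for ES256: kty=EC2(2), alg=ES256(-7), crv=P-256(1), x and y left-padded to 32 bytes
    $cose = cbor([1 => 2, 3 => -7, -1 => 1, -2 => str_pad($ec['x'], 32, "\0", STR_PAD_LEFT),
                  -3 => str_pad($ec['y'], 32, "\0", STR_PAD_LEFT)]);
    $credId   = random_bytes(16);
    $authData = hash('sha256', $rpId, true)        // rpIdHash
        . chr(0x45)                                // flags: UP | UV | AT
        . pack('N', 0)                             // signCount
        . str_repeat("\0", 16)                     // AAGUID, all zero for a software authenticator
        . pack('n', strlen($credId)) . $credId . $cose;
    $clientData = json_encode(['type' => 'webauthn.create', 'challenge' => $challengeB64url,
                               'origin' => $origin], JSON_UNESCAPED_SLASHES);
    // Packed self-attestation: sign authData || SHA-256(clientDataJSON) with the credential key.
    openssl_sign($authData . hash('sha256', $clientData, true), $sig, $key, OPENSSL_ALGO_SHA256);
    $attObj = cbor(['fmt' => new Txt('packed'), 'attStmt' => ['alg' => -7, 'sig' => $sig],
                    'authData' => $authData]);
    return ['id' => b64url($credId), 'rawId' => b64url($credId), 'type' => 'public-key',
            'response' => ['clientDataJSON' => b64url($clientData), 'attestationObject' => b64url($attObj)],
            'clientExtensionResults' => new stdClass()];
}
// In a functional test the challenge comes from the "register device options" endpoint; constructed here.
$options = ['challenge' => b64url(random_bytes(32)), 'rp' => ['id' => 'example.test']];
echo json_encode(makeRegistrationResponse($options['rp']['id'], 'https://example.test', $options['challenge']));
```

Because the attestation is self-signed (no x5c chain), the server under test must accept the "packed" format with self attestation, or attestation "none" style verification; a server configured to require a vendor certificate chain will correctly reject it.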
  2. Technically, there is nothing to prevent you from generating Attestation and Assertion Responses in PHP.

    There are keypair generators, CBOR encoders and projects that implement WebAuthn [1].

    But since PHP is used on the server side and is mainly used to verify Authenticator responses, the existing implementations only offer to read these responses and not generate them.
    Nevertheless, it does not seem difficult to me to create a valid response and make a software Authenticator for testing or any other use (and TBH this is something I have had in mind for a while).

    [1] I am the author of the above-mentioned libraries.
