CBOR decode the attestationObject


I'm trying to implement webauthn and getting tripped up at the CBOR decoding part. The webauthn method returns a byte array which has to be CBOR decoded to get a json object. Since I have to send this byte array to the php server I convert it into base64 encoding to send it via ajax.

Once I receive it, in PHP I perform a base64_decode and pass it into the CBOR decoder.

$attestationDecoded = base64_decode($attestationString);
$attestationObject = \CBOR\CBOREncoder::decode($attestationDecoded);

This gives me an output like this

Array
(
    [fmt] => none
    [attStmt] => Array
        (
        )

    [authData] => CBOR\Types\CBORByteString Object
        (
            [byte_string:CBOR\Types\CBORByteString:private] => I�
���ht4��dv`[�䮹��2Ǚ\���cE
�X$Jh���%��j���.�a{��g�r,*�~����
        )
)

The authData is where the information I need is but I can't figure out how to convert this into a usable JSON string or php array. For context, this is the guide I'm following and if you search for the heading "Parsing the authenticator data", that is what I need to do in php but I can't find any resource on how to do this in php.

I've tried base64decode, mb_convert_encoding, passing it again into the CBOR decoder, etc., but nothing works.

Here's a sample base64 encoded string so you can test out yourself.

$attestationString = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBZ0mWDeWIDoxodDQXD2R2YFuP5K65ooYyx5lc87qDHZdjRQAAAAAAAAAAAAAAAAAAAAAAAAAAACCLYg9301sjLI-9num_RMORAERiSadbMUKGX8LpnLRGRaQBAwM5AQAgWQEA6zHIUbPhjXt6mCLjOnFbL5k6oV6fw00u8XYSm3Zy3BBClX_BGugmndYAmRhU8qwcCzBGvd3OYccYIVX10vvSanAnBToh-uiGlniCFpA_dH6dFUWhK4A1w6STOOR54KOVe-lo98jIKHbQHChxyqu9iF1D5pMYvAtnKdJDGCWZ7v_etxjmk1GMbIi1aeZ1jlSv6L1rxmZNZjtqsQ5kms532JxgawNfv1sPFMItoVYCB2tVOSrS1Y6voGsHTrXAj-4BdQpEtiAss8GFlm6nDZ-dvW9wK7HeJE8yStUkVKzdkAh0AWSImNCEsMD-iaLAVq3bm9C0HER3L90f2igb1MVdmyFDAQAB';

agl

Note that there are provisions in WebAuthn to save you some of this bother: https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy

But, taking your attestation string, it parses into the following CBOR structure:

{"fmt": "none", "attStmt": {}, "authData": h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}

The authData there is a binary format: https://www.w3.org/TR/webauthn-2/#authenticator-data

Pulling it apart:

  • RP ID hash: 49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763
  • flags: 0x45
  • Signature counter: zero
  • AAGUID: 00000000000000000000000000000000
  • Credential ID length: 0x20
  • Credential ID: 8b620f77d35b232c8fbd9ee9bf44c39100446249a75b3142865fc2e99cb44645

The remainder is CBOR data that decodes to

{1: 3, 3: -257, -1: h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h'010001'}

(Unusually an RSA key.)
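An added example (not code from the question, the answer or any PHP library) that decodes the sample string from the question and walks the authenticator data fields the answer lists, written in Python with a minimal CBOR decoder so it runs on the standard library alone. It decodes the sample as base64url (the string contains '-' and '_', which PHP's base64_decode without strict mode would silently discard) and assumes the credential was created for the RP ID 'localhost' when checking the RP ID hash.

```python
import base64
import hashlib

ATTESTATION_B64URL = "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBZ0mWDeWIDoxodDQXD2R2YFuP5K65ooYyx5lc87qDHZdjRQAAAAAAAAAAAAAAAAAAAAAAAAAAACCLYg9301sjLI-9num_RMORAERiSadbMUKGX8LpnLRGRaQBAwM5AQAgWQEA6zHIUbPhjXt6mCLjOnFbL5k6oV6fw00u8XYSm3Zy3BBClX_BGugmndYAmRhU8qwcCzBGvd3OYccYIVX10vvSanAnBToh-uiGlniCFpA_dH6dFUWhK4A1w6STOOR54KOVe-lo98jIKHbQHChxyqu9iF1D5pMYvAtnKdJDGCWZ7v_etxjmk1GMbIi1aeZ1jlSv6L1rxmZNZjtqsQ5kms532JxgawNfv1sPFMItoVYCB2tVOSrS1Y6voGsHTrXAj-4BdQpEtiAss8GFlm6nDZ-dvW9wK7HeJE8yStUkVKzdkAh0AWSImNCEsMD-iaLAVq3bm9C0HER3L90f2igb1MVdmyFDAQAB"  # sample from the question (base64url)

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (ints, byte/text strings, maps); returns (value, next_pos)."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info > 27:
        raise ValueError("indefinite-length or reserved CBOR item")
    if info >= 24:  # the argument is in the next 1, 2, 4 or 8 bytes
        n = 1 << (info - 24)
        info, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if major in (0, 1):  # unsigned / negative integer
        return (info if major == 0 else -1 - info), pos
    if major in (2, 3):  # byte string / UTF-8 text string
        data = buf[pos:pos + info]
        return (data if major == 2 else data.decode("utf-8")), pos + info
    if major == 5:  # map: info is the number of key/value pairs
        result = {}
        for _ in range(info):
            key, pos = cbor_decode(buf, pos)
            result[key], pos = cbor_decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_auth_data(auth_data):
    """Split authenticator data into its fields; the AT (0x40) and ED (0x80) flags decide the tail."""
    flags = auth_data[32]
    out = {"rpIdHash": auth_data[:32].hex(), "flags": flags, "userPresent": bool(flags & 0x01),
           "userVerified": bool(flags & 0x04), "signCount": int.from_bytes(auth_data[33:37], "big")}
    pos = 37
    if flags & 0x40:  # attested credential data: AAGUID, 2-byte length, credential ID, COSE key
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        out["aaguid"] = auth_data[pos:pos + 16].hex()
        out["credentialId"] = auth_data[pos + 18:pos + 18 + cred_len].hex()
        out["credentialPublicKey"], pos = cbor_decode(auth_data, pos + 18 + cred_len)
    if flags & 0x80:  # extensions: a CBOR map follows the credential data
        out["extensions"], pos = cbor_decode(auth_data, pos)
    if pos != len(auth_data):
        raise ValueError("unexpected trailing bytes in authenticator data")
    return out

def decode_attestation(b64url, rp_id):
    """Decode an attestationObject and check rpIdHash == SHA-256(rp_id); rp_id is assumed."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    att, _ = cbor_decode(raw)
    auth = parse_auth_data(att["authData"])
    auth["rpIdMatches"] = auth["rpIdHash"] == hashlib.sha256(rp_id.encode()).hexdigest()
    return att["fmt"], att["attStmt"], auth
```

The fixed-width slicing in parse_auth_data maps directly onto substr() and unpack() in PHP; only the COSE key at the end needs the CBOR decoder again.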