feat(macos): add mTLS client certificate and CA pinning support#1707
Open
ShaunMurphy wants to merge 1 commit into
Open
feat(macos): add mTLS client certificate and CA pinning support#1707ShaunMurphy wants to merge 1 commit into
ShaunMurphy wants to merge 1 commit into
Conversation
Add two new WebViewBuilder methods for mutual TLS authentication: - `with_client_certificate(p12_data, password)`: provide a PKCS#12 client certificate for TLS client authentication. Uses SecPKCS12Import to extract the identity in memory without keychain access. - `with_trusted_ca(der_data)`: pin a custom CA certificate for server trust evaluation. Uses SecTrustSetAnchorCertificates to trust the CA without importing it into the system trust store. Both methods avoid keychain operations and user prompts (Touch ID, password dialogs). The certificate data is stored in memory and used directly during WKNavigationDelegate authentication challenges. Security: - CF objects from SecCertificateCreateWithData and SecPKCS12Import are properly released via CFRelease - Server trust fallback uses PerformDefaultHandling (not UseCredential) to preserve default WKWebView security behavior - Failed CA pinning evaluation cancels the challenge rather than falling through to accept untrusted servers Currently implemented for macOS/iOS. Windows/Linux/Android store the data for future use. Closes tauri-apps#1706
ShaunMurphy
force-pushed
the
feat/mtls-client-certificate
branch
from
0adb91b to
52ea816
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
with_client_certificate(p12_data, password)builder method for mTLS client authenticationwith_trusted_ca(der_data)builder method for custom CA server trust pinningdidReceiveAuthenticationChallengeinWryNavigationDelegateon macOSMotivation
WKWebView on macOS does not auto-present client certificates during TLS handshakes. Unlike Safari or Windows WebView2, a
WKNavigationDelegatemust explicitly handledidReceiveAuthenticationChallengeand provide anNSURLCredentialwith aSecIdentityRef.There is currently no wry API to provide client certificates or pin custom CA certificates, making mTLS connections impossible without bypassing wry.
Implementation
Client certificate:
SecPKCS12Importextracts theSecIdentityReffrom the PKCS#12 data in memory. No keychain access or user prompts needed.CA pinning:
SecTrustSetAnchorCertificatespins the custom CA during server trust evaluation. No system trust store import or Touch ID prompts needed.Both operations are in-memory only, producing zero user-facing prompts.
Files changed:
src/lib.rs: NewWebViewAttributesfields andWebViewBuildermethodssrc/wkwebview/class/wry_navigation_delegate.rs: New ivars anddidReceiveAuthenticationChallengedelegate methodsrc/wkwebview/navigation_auth.rs: Authentication challenge handler implementationsrc/wkwebview/mod.rs: Module declaration, pass cert data to delegateCargo.toml: EnableNSURLAuthenticationChallenge,NSURLCredential,NSURLProtectionSpacefeaturesPlatform support
Test plan
cargo checkpasses with zero warningscargo testpasses (7 passed, 0 failed)winitexample runs without crash on macOS 26.3.1multiwebviewexample runs without crash