Is your feature request related to a problem? Please describe.
WKWebView on macOS does not auto-present client certificates for mTLS connections. Unlike Safari or Windows WebView2, WKWebView requires a WKNavigationDelegate that handles didReceiveAuthenticationChallenge and programmatically provides a SecIdentityRef via NSURLCredential. There is no wry API to provide client certificates or pin custom CA certificates.
Describe the solution you'd like
Two new builder methods on WebViewBuilder:
- with_client_identity(p12_data: &[u8], password: &str) - Provide a PKCS#12 bundle containing the client certificate and private key. Internally uses SecPKCS12Import to extract the SecIdentityRef in memory (no keychain access needed). The identity is provided in the navigation delegate's didReceiveAuthenticationChallenge response for NSURLAuthenticationMethodClientCertificate challenges.
- with_trusted_ca(der_data: &[u8]) - Provide a DER-encoded CA certificate for server trust pinning. Internally uses SecCertificateCreateWithData and SecTrustSetAnchorCertificates in the delegate's NSURLAuthenticationMethodServerTrust handler. This avoids importing the CA into the system keychain (which requires admin authentication on macOS).
Describe alternatives you've considered
- Importing certs into the macOS keychain via security import CLI. This works but triggers keychain password prompts and Touch ID dialogs on macOS 26, which is unacceptable UX for embedded WebViews.
- Implementing the delegate in Rust via objc2. This crashes on macOS 26 because WKNSURLAuthenticationChallenge is an NSProxy subclass that does not work with objc2's msg_send! type verification, and block2 block invocations crash in the run loop.
- Writing the delegate in native Objective-C and linking as a static library. This works and is what we use as a workaround, but it should be part of wry.
Additional context
This is macOS-specific. On Windows, WebView2 handles client certs via --auto-select-certificate-for-urls browser args and server trust via --ignore-certificate-errors.
The delegate must handle two challenge types in sequence:
- NSURLAuthenticationMethodServerTrust - evaluate with pinned CA via SecTrustSetAnchorCertificates
- NSURLAuthenticationMethodClientCertificate - provide identity via SecPKCS12Import and credentialWithIdentity:certificates:persistence:
Apple documentation confirms a delegate is always required for client cert presentation in WKWebView. There is no passive/automatic path.
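The two-challenge sequence described in this request, written as a native Objective-C WKNavigationDelegate. This is an added example, not code from the issue author or from wry; the class name PinnedMTLSDelegate and its property names are hypothetical, and it assumes ARC and that all three properties are set before navigation starts.

```objective-c
#import <WebKit/WebKit.h>
#import <Security/Security.h>
// Hypothetical delegate; class and property names are illustrative. Assumes ARC.
@interface PinnedMTLSDelegate : NSObject <WKNavigationDelegate>
@property (nonatomic, strong) NSData *caDER;        // DER-encoded CA certificate
@property (nonatomic, strong) NSData *p12Data;      // PKCS#12 bundle (cert + key)
@property (nonatomic, copy) NSString *p12Password;  // must be non-nil
@end
@implementation PinnedMTLSDelegate
- (void)webView:(WKWebView *)webView
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *_Nullable))done {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSString *method = space.authenticationMethod;
    NSURLCredential *cred = nil;
    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = space.serverTrust;
        id ca = CFBridgingRelease(
            SecCertificateCreateWithData(NULL, (__bridge CFDataRef)self.caDER));
        // Trust only the pinned CA; system roots are excluded for this evaluation.
        if (trust && ca
            && SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[ca]) == errSecSuccess
            && SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess
            && SecTrustEvaluateWithError(trust, NULL)) {
            cred = [NSURLCredential credentialForTrust:trust];
        }
    } else if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        NSDictionary *opts = @{(__bridge id)kSecImportExportPassphrase: self.p12Password};
        CFArrayRef raw = NULL;
        OSStatus st = SecPKCS12Import((__bridge CFDataRef)self.p12Data,
                                      (__bridge CFDictionaryRef)opts, &raw);
        NSArray *items = CFBridgingRelease(raw);
        NSDictionary *first = items.firstObject;
        id identity = first[(__bridge id)kSecImportItemIdentity];
        if (st == errSecSuccess && identity) {
            cred = [NSURLCredential credentialWithIdentity:(__bridge SecIdentityRef)identity
                                              certificates:nil
                                               persistence:NSURLCredentialPersistenceForSession];
        }
    } else {
        // Not a TLS challenge this delegate owns (e.g. HTTP Basic): system default.
        done(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // Fail closed: a failed pin check or missing identity cancels the connection.
    done(cred ? NSURLSessionAuthChallengeUseCredential
              : NSURLSessionAuthChallengeCancelAuthenticationChallenge, cred);
}
@end
```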