Use certificates from smartcards

[PeerWitthoeft]

What would you like?

Hello,

i would like to use certificates provided by an secure smartcard.

Why is this needed?

Our Applications uses a secure smartcard with stored certifikate for authentifikation. For login, the user has to select his certificate in the browser. In our test environment this is handled by softcertificates (pfx-files). Due to security this is not allowed in production, where we would like to create some monitoring-like tests with cypress. So we need to use the "real" certificate from a hardware smartcard.

Other

No response

[flotwig]

Hi @PeerWitthoeft, I'm unclear as to if you are reporting a bug, or what specifically you are asking for. What you're proposing sounds like it should "just work", Cypress doesn't do anything special to block the browser process from accessing peripherals. Can you clarify the ask?

[PeerWitthoeft]

Hi @flotwig, sorry to make in more complicated than it is ;) For our tests in production, we need certificates from the microsoft certificate store. These are unavailable with cypress. I assume, cypress uses another (maybe own generated) store for certificates instead. Is it possible to make the use of the default certificate store configurable?

[rachelruderman]

Hi @PeerWitthoeft! Currently we support configuring the certificate authority and client certificates. Does this address your issue?

[PeerWitthoeft]

Hey @rachelruderman , unfortunately this solution is not possible in our environment, as we don't have access to any pfx- or pem-files.

[rachelruderman]

Thanks for the clarification, @PeerWitthoeft! I've consulted with the team and have some follow-ups for ya:

I assume, cypress uses another (maybe own generated) store for certificates instead.

We don't use another certificate store; we do disable SSL verification in the browser, but if I understand correctly, you're not talking about SSL certificates

For our tests in production, we need certificates from the microsoft certificate store. These are unavailable with cypress.

When you say, "These are unavailable with cypress", do you mean regular Chrome has what you need, but Cypress doesn't? Can you share some test code that doesn't work?

Resources that may help:

• Stack exchange article on programmatically exporting certificates
• The full list of CLI opts we pass to Chrome. --use-mock-keychain seems kind of suspect. Can you try omitting this arg and let me know if that helps? Cypress doc on how to modify browser launch args

[AtofStryker]

Unfortunately we have to close this issue due to inactivity. Please comment if there is new information to provide concerning the original issue and we can reopen.

[PeerWitthoeft]

Hello again, sorry for the late answer. We made a few more researches and got the following results:

With Chrome and without Cypress:

• The Browser shows the client certificate dialog:

• the Browser accesses the certificate store files to show the usable certificates:

With Chrome and Cypress

• The Browser does not show the client certificate dialog, but tries to authenticate with null certificate

• The browser only uses files in cypress path:

Sorry for censor almost half of the screenshots. Our company is very strict with security-issues ;) For the same reason, i am not allowed to share test-code here. It consists only of 3 steps:

1. visit login-site (no, i am not allowed to write which site it is)
2. select login with client certificate
3. select confirm button

then the selection for the certificate pops up. I hope this helps to analyze our issue!

[tbiethman]

@PeerWitthoeft @rachelruderman had suggested this in a comment above:

• The full list of CLI opts we pass to Chrome. --use-mock-keychain seems kind of suspect. Can you try omitting this arg and let me know if that helps? Cypress doc on how to modify browser launch args

Were you able to give that a try?

[PeerWitthoeft]

@tbiethman Yes, i tried it, but without any changes in behavior

[tbiethman]

@PeerWitthoeft I see, thanks for double checking that. Without more specifics, it is difficult to try and reproduce this issue. Is there any way for you to provide a minimal reproduction that exhibits the issues you're seeing?

For your screenshot above regarding "The browser only uses files in cypress path:":

What application is that/how are your viewing that data? I apologize, I'm unfamiliar with Windows certificate management.

[PeerWitthoeft]

@tbiethman I am currently trying to get permission to share some test code here.

For the screenshot: is used the process monitor of sysinternals tool suite, available here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon. This tool documents almost all activities of all processes running in windows. Filtering the correct entries is quite... lets call it "interesting" ;)

[PeerWitthoeft]

I have the permission to share some of our testcode:

it('should be able to use log in', () => { cy.visit('apps.datev.de/km-kalkulation'); cy.get('#label_secure18').click(); cy.get('#btn_MethodNext').click(); })

The popup for the certificate should show, if the user has an client-certificate in his own certificates in microsoft certificate store

[tbiethman]

Having site under test does help give some context, thank you. Have you explored using Chrome's AutoSelectCertificateForUrls policy? I'm unfamiliar with how dynamic the smartcard cert data/locations are, but it seems like that might be the best way to avoid the certificate popup altogether, which would be necessary for Cypress to test your application. The certificate selection popup is shown by the browser, not by your app, and thus you cannot interact with it using Cypress commands in an automated fashion.

[mjhenkes]

@PeerWitthoeft, This seems like a limitation with cypress today. I've converted this to a feature request.

[PeerWitthoeft]

@tbiethman , i tried the AutoSelectCertificateForUrls policy, but with no other outcome. The browser still won't use any certificates from the store. I know about the fact, that Cypress can't handle browser dialogs, but we have some ideas for this problem.

[Arachnatur]

Hello, it's been some time since the last comment.. any updates on this?

[AtofStryker]

Hi @Arachnatur. No updates yet. I do not see this work being prioritized by the team and might be a good opportunity for an open source contribution if any is up for the task!

[meshuggahbobo]

Totally agree! I also need this feature as the AutoSelectCertificateForUrls policy doesn't work (I perform a task with Selenium inside Cypress project to perform a login for some tests with AutoSelectCertificateForUrls policy and it's working)

[meshuggahbobo]

Right now, if you need a workaround for some of your tests that need login via smartcards, here the steps:

1. Add a task for login that perform a new selenium-webdriver process for opening the login (I know... but right now is the only way that i found)
2. Hit the button/link that invoke the login via certificate + pin digit; it's importatnt that the action is invoke via the executeScript
3. Await the Promise that launch the powershell script that select the certificate and digit the pin

cypress.config.js

on('task', {
          loginSmartCard: async (pin) => {
            driver = new Builder()
              .setChromeOptions(chromeCapabilities)
              .forBrowser('chrome')
              .build()

            await driver.switchTo().window(driver.getWindowHandle())
            await driver.get('https://mywebsite.com/login')

            const button = driver.findElement(By.xpath("//button[contains(text(), 'LOGIN')]"))
            driver.executeScript("arguments[0].click();", button)

            await new Promise((resolve, reject) => {
              const child = spawn('powershell.exe', ['-ExecutionPolicy', 'ByPass', '-File', process.cwd() + "\\utils\\login.ps1", '-pin', pin])

              child.on('close', (code) => {
                if (code === 0) {
                  resolve()
                } else {
                  reject(new Error(`Child process exited with code ${code}`))
                }
              })
            })
......

login.ps1

param (
    [Parameter(Mandatory=$true)][string]$pin
 )

Start-Sleep -Milliseconds 2000

$wshell = New-Object -ComObject wscript.shell;
$wshell.AppActivate('Title of the Window - Google Chrome')
Start-Sleep -Milliseconds 500
$wshell.SendKeys('{ENTER}')

Start-Sleep -Milliseconds 2000

$wshell = New-Object -ComObject wscript.shell;
$wshell.AppActivate('Windows Security')
Start-Sleep -Milliseconds 500
$wshell.SendKeys($pin)
$wshell.SendKeys('{ENTER}')

[Arachnatur]

@meshuggahbobo Thank you very much for the workaround. Doesn't work for me, unfortunately, because the system is very restrictive (no selenium driver for me..). Still, nice work, thanks 👍 @AtofStryker Thanks for your reply - If I can find the time, I'll take your challenge - seems kind of sad that cypress can't do this, it's such an amazing framework otherwise! I realize it's probably not an important feature for most people, because in the wild you can use more comfortable logins. Still, there are some of us who must do testing on somewhat old-fashioned and/or restrictive corporate systems.

[bimimicah]

@AtofStryker @mjhenkes @flotwig @Arachnatur This would need to be implemented at the Cypress proxy level, just like the file-based clientCertificates support.

Basically the differences between smartcard-based client certificates and file-based client certificates are:

• the client certificate and key are stored in a PIV slot on the hardware security module (HSM), such as a Yubikey or the US gov's Common Access Card (CAC).
• the key never leaves the HSM, so it can't be stolen from the users' filesystem like a key file. However, this also means you can't just grab the key and plug it into the existing clientCertificates code Cypress has.
• instead, you need to get the PIN for the smart card from the user (on demand, not from a file, for security) and pass that with the data to be signed to the HSM directly, which then handles all the signing itself.

Cypress is using node.js' 'tls' module under the hood, so instead of passing the 'cert' or 'pfx' options to tls.connect(), you would instead pass the 'clientCertEngine', 'privateKeyEngine' options with the name of an OpenSSL engine that communicates with the HSM, as well as pass the 'privateKeyIdentifier' option with the PKCS#11 URI pointing to the smart card and slot to use. See https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions for a list of the securecontextoptions for tls.connect().

You'll also need to bundle the "OpenSSL engine that communicates with the HSM" mentioned earlier. An example would be the libp11 engine from the OpenSC team, and the underlying OpenSC library. If setup and configured with the default config mentioned on the libp11 page, the engine name you pass to tls.connect() would be 'pkcs11', and you would pass the PIN as the 'pin-value' attribute of the PKCS#11 URI.

HSM-based (smartcard-based) client certificates are fundamentally more secure than storing them in the file system, especially when the current Cypress implementation doesn't have a way to get the passphrase protecting the keys at runtime, instead the passphrase must be stored in plain text on the file system as well.

I hope that the Cypress team will seriously consider adding this support.

[bimimicah]

So, to summarize, unless I'm missing something, to implement this, Cypress would need to:

• bundle an OpenSSL HSM engine with appropriate default config.
• add to the Cypress config format something like 'smartcardURI' as an option under clientCertificates.certs.
• if 'smartcardURI' is set:
  • get the PIN from the user at run-time and add that to 'smartcardURI' and pass the whole thing as 'privateKeyIdentifier' to tls.connect().
  • pass the bundled HSM engine name as 'clientCertEngine' and 'privateKeyEngine' to tls.connect()
  • or, optionally, continue using 'cert' with a certificate file rather than 'clientCertEngine' and only pass 'privateKeyEngine' and 'privateKeyIdentifier' to tls.connect()

The user would then just set 'smartcardURI' as a valid PKCS#11 URI pointing to the desired HSM device and slot. (and, as optionally noted above, set 'cert' to a certificate file that goes with the private key on the HSM))