[Feature]: Add PKCS#11 support to clientCertificates

[Az8th]

🚀 Feature Request

Hi firstly, deep thanks for adding clientCertificates support in the first place !

Nevertheless, they lack a protocol I need and that I can't alter or mock, so would it be possible to widden its capabilities by supporting hardware certificates (such as those found on smartcard) using PKCS#11 URIs please ? (

You may know it by its API : Cryptoki. In fact, the public certificate can be extracted, but the private key is protected within the chip's token (which is basically what makes it secure)

The protocol is set in the RFC7512 and defines an URI that can take several arguments to identify a token (they can have multiple keys, and a single machine can have multiple slots)

Implementing an URI generator that seeks devices might be too time consumming, especially crossplatform wise, so I would suggest to keep things simple and only take a valid URI as an argument for a starter.

Example

Given the URI would be retrieived prior to the tests with a tool like pkcs11tool :

import { defineConfig } from '@playwright/test';

export default defineConfig({
  // ...
  use: {
    clientCertificates: [{
      origin: 'https://example.com',
      tokenURI: 'pkcs11:token=my-token;object=my-object;type=private?pin-value=1234',
      passphrase: '1234', //may be used here, but should be added under the hood to the URI
    }],
  },
  // ...
});

Motivation

Some governmental agencies, or environments that match high security standars such as banking or healthcare enforces identification by smartcard or usb flash drive.

In my case, there are tests that I can't automate as pin-protected smartcards are the only authorized method to access specific APIs or pages.

It would also make Playwright take a step towards web 3.0 as some blockchain applications involves Hardware Security Modules, which uses this protocol.

To help any person that would take a part in developping such support:

• No need for hardware : It is possible to emulate an HSM if you have no such devices, just use SoftHSM
• There is an open feature request for Cypress that pinpoints a lot of useful hints on how to achieive this (let's give them more reasons to switch for Playwright :P)

Thanks for reading, any clarification on the protocol itself or enhancement to my proposal are welcome :D

[mxschmitt]

Thank you for filing the feature request, lets collect feedback (upvotes for the first comment) for it.

[pavelfeldman]

It would also make Playwright take a step towards web 3.0 as some blockchain applications involves Hardware Security Modules, which uses this protocol.

This is an explicit non-goal for Playwright, closing as out of scope.

[Az8th]

@pavelfeldman I understand that supporting anything web 3 is a non goal, but that was only an example. My usecase is none of it : I would like to be able to test against healthcare protocols that requires higher authentication (in a sandbox env), like secured medical prescription.

I already have solutions to automate smartcards swapping and reading in CI, but unfortunately, by doing so, this makes the "Select certificate" dialog appears, altering any possibility of testing with Playwright has it can't interact with it :/

[Az8th]

Also, the recently added feature in #32200 which example is "The certificate could be coming in at runtime from a physical hardware token", shows the same need, which was fullfilled.

Still, it is already a major step to support this, it just lacks the PKCS#11 protocol handling to completely do so.