Avoid rooting X509Certificate2 in SslSessionCache (#101120)

rzikm · campersau · web-flow · commit d30369a3b4c5 · 2024-04-16T23:03:52.000+02:00
* Avoid rooting X509Certificate2 in SslSessionCache

* Update src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs

Co-authored-by: campersau &lt;buchholz.bastian@googlemail.com&gt;

---------

Co-authored-by: campersau &lt;buchholz.bastian@googlemail.com&gt;
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs
@@ -335,13 +335,12 @@ internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials
     {
 #pragma warning disable 0649
         // This is used only by SslStream but it is included elsewhere
-        public X509Certificate? LocalCertificate;
+        public bool HasLocalCertificate;
 #pragma warning restore 0649
         public SafeFreeCredential_SECURITY() : base() { }
 
         protected override bool ReleaseHandle()
         {
-            LocalCertificate?.Dispose();
             return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;
         }
     }
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
@@ -105,7 +105,7 @@ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHan
                 // This is TLS Resumed session. Windows can fail to query the local cert bellow.
                 // Instead, we will determine the usage form used credentials.
                 SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;
-                return creds.LocalCertificate != null;
+                return creds.HasLocalCertificate;
             }
 
             SafeFreeCertContext? localContext = null;
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -233,8 +233,7 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslAuthenticationOpti
                 if (newCredentialsRequested && sslAuthenticationOptions.CertificateContext != null)
                 {
                     SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;
-                    // We need to create copy to avoid Disposal issue.
-                    handle.LocalCertificate = new X509Certificate2(sslAuthenticationOptions.CertificateContext.TargetCertificate);
+                    handle.HasLocalCertificate = true;
                 }
 
                 return cred;

Original file line number	Diff line number	Diff line change
`@@ -335,13 +335,12 @@ internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials`
`335`	`335`	`{`
`336`	`336`	`#pragma warning disable 0649`
`337`	`337`	`// This is used only by SslStream but it is included elsewhere`
`338`		`- public X509Certificate? LocalCertificate;`
	`338`	`+ public bool HasLocalCertificate;`
`339`	`339`	`#pragma warning restore 0649`
`340`	`340`	`public SafeFreeCredential_SECURITY() : base() { }`
`341`	`341`
`342`	`342`	`protected override bool ReleaseHandle()`
`343`	`343`	`{`
`344`		`- LocalCertificate?.Dispose();`
`345`	`344`	`return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;`
`346`	`345`	`}`
`347`	`346`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHan`
`105`	`105`	`// This is TLS Resumed session. Windows can fail to query the local cert bellow.`
`106`	`106`	`// Instead, we will determine the usage form used credentials.`
`107`	`107`	`SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;`
`108`		`- return creds.LocalCertificate != null;`
	`108`	`+ return creds.HasLocalCertificate;`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`SafeFreeCertContext? localContext = null;`
Original file line number	Diff line number	Diff line change
`@@ -233,8 +233,7 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslAuthenticationOpti`
`233`	`233`	`if (newCredentialsRequested && sslAuthenticationOptions.CertificateContext != null)`
`234`	`234`	`{`
`235`	`235`	`SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;`
`236`		`- // We need to create copy to avoid Disposal issue.`
`237`		`- handle.LocalCertificate = new X509Certificate2(sslAuthenticationOptions.CertificateContext.TargetCertificate);`
	`236`	`+ handle.HasLocalCertificate = true;`
`238`	`237`	`}`
`239`	`238`
`240`	`239`	`return cred;`