[release/6.0] Avoid rooting X509Certificate2 in SslSessionCache (dotnet#101120)

rzikm · campersau · rzikm · commit 23f21e405cfa · 2024-04-17T09:54:03.000+02:00
* Avoid rooting X509Certificate2 in SslSessionCache

* Update src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs

Co-authored-by: campersau &lt;buchholz.bastian@googlemail.com&gt;

---------

Co-authored-by: campersau &lt;buchholz.bastian@googlemail.com&gt;
diff --git a/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs b/src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs
@@ -322,14 +322,13 @@ public static unsafe int AcquireCredentialsHandle(
     internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials
     {
 #pragma warning disable 0649
-         // This is used only by SslStream but it is included elsewhere
-         public X509Certificate? LocalCertificate;
- #pragma warning restore 0649
+        // This is used only by SslStream but it is included elsewhere
+        public bool HasLocalCertificate;
+#pragma warning restore 0649
         public SafeFreeCredential_SECURITY() : base() { }
 
         protected override bool ReleaseHandle()
         {
-            LocalCertificate?.Dispose();
             return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;
         }
     }
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
@@ -101,7 +101,7 @@ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHan
                 // This is TLS Resumed session. Windows can fail to query the local cert bellow.
                 // Instead, we will determine the usage form used credentials.
                 SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;
-                return creds.LocalCertificate != null;
+                return creds.HasLocalCertificate;
             }
 
             SafeFreeCertContext? localContext = null;
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
@@ -112,10 +112,10 @@ public static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredential
             return SecurityStatusAdapterPal.GetSecurityStatusPalFromNativeInt(errorCode);
         }
 
-        public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer )
+        public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer)
         {
             byte[]? output = Array.Empty<byte>();
-            SecurityStatusPal status =  AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);
+            SecurityStatusPal status = AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);
             outputBuffer = output;
             return status;
         }
@@ -139,8 +139,7 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateC
                 if (newCredentialsRequested && certificateContext != null)
                 {
                     SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;
-                    // We need to create copy to avoid Disposal issue.
-                    handle.LocalCertificate = new X509Certificate2(certificateContext.Certificate);
+                    handle.HasLocalCertificate = true;
                 }
 
                 return cred;
@@ -270,11 +269,11 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(
             Interop.SspiCli.SCH_CREDENTIALS credential = default;
             credential.dwVersion = Interop.SspiCli.SCH_CREDENTIALS.CurrentVersion;
             credential.dwFlags = flags;
-            Interop.Crypt32.CERT_CONTEXT *certificateHandle = null;
+            Interop.Crypt32.CERT_CONTEXT* certificateHandle = null;
             if (certificate != null)
             {
                 credential.cCreds = 1;
-                certificateHandle = (Interop.Crypt32.CERT_CONTEXT *)certificate.Handle;
+                certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
                 credential.paCred = &certificateHandle;
             }
 

Original file line number	Diff line number	Diff line change
`@@ -322,14 +322,13 @@ public static unsafe int AcquireCredentialsHandle(`
`322`	`322`	`internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials`
`323`	`323`	`{`
`324`	`324`	`#pragma warning disable 0649`
`325`		`- // This is used only by SslStream but it is included elsewhere`
`326`		`- public X509Certificate? LocalCertificate;`
`327`		`- #pragma warning restore 0649`
	`325`	`+ // This is used only by SslStream but it is included elsewhere`
	`326`	`+ public bool HasLocalCertificate;`
	`327`	`+#pragma warning restore 0649`
`328`	`328`	`public SafeFreeCredential_SECURITY() : base() { }`
`329`	`329`
`330`	`330`	`protected override bool ReleaseHandle()`
`331`	`331`	`{`
`332`		`- LocalCertificate?.Dispose();`
`333`	`332`	`return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;`
`334`	`333`	`}`
`335`	`334`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHan`
`101`	`101`	`// This is TLS Resumed session. Windows can fail to query the local cert bellow.`
`102`	`102`	`// Instead, we will determine the usage form used credentials.`
`103`	`103`	`SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;`
`104`		`- return creds.LocalCertificate != null;`
	`104`	`+ return creds.HasLocalCertificate;`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`SafeFreeCertContext? localContext = null;`
Original file line number	Diff line number	Diff line change
`@@ -112,10 +112,10 @@ public static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredential`
`112`	`112`	`return SecurityStatusAdapterPal.GetSecurityStatusPalFromNativeInt(errorCode);`
`113`	`113`	`}`
`114`	`114`
`115`		`- public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer )`
	`115`	`+ public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer)`
`116`	`116`	`{`
`117`	`117`	`byte[]? output = Array.Empty<byte>();`
`118`		`- SecurityStatusPal status = AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);`
	`118`	`+ SecurityStatusPal status = AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);`
`119`	`119`	`outputBuffer = output;`
`120`	`120`	`return status;`
`121`	`121`	`}`
`@@ -139,8 +139,7 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateC`
`139`	`139`	`if (newCredentialsRequested && certificateContext != null)`
`140`	`140`	`{`
`141`	`141`	`SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;`
`142`		`- // We need to create copy to avoid Disposal issue.`
`143`		`- handle.LocalCertificate = new X509Certificate2(certificateContext.Certificate);`
	`142`	`+ handle.HasLocalCertificate = true;`
`144`	`143`	`}`
`145`	`144`
`146`	`145`	`return cred;`
`@@ -270,11 +269,11 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(`
`270`	`269`	`Interop.SspiCli.SCH_CREDENTIALS credential = default;`
`271`	`270`	`credential.dwVersion = Interop.SspiCli.SCH_CREDENTIALS.CurrentVersion;`
`272`	`271`	`credential.dwFlags = flags;`
`273`		`- Interop.Crypt32.CERT_CONTEXT *certificateHandle = null;`
	`272`	`+ Interop.Crypt32.CERT_CONTEXT* certificateHandle = null;`
`274`	`273`	`if (certificate != null)`
`275`	`274`	`{`
`276`	`275`	`credential.cCreds = 1;`
`277`		`- certificateHandle = (Interop.Crypt32.CERT_CONTEXT *)certificate.Handle;`
	`276`	`+ certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;`
`278`	`277`	`credential.paCred = &certificateHandle;`
`279`	`278`	`}`
`280`	`279`