Properly dispose intermediate certificates in SslStream (#117667)

rzikm · web-flow · commit 901395a1cb00 · 2025-07-18T07:53:52.000+02:00
* Dispose intermediate certs from internally created SslStreamCertificateContext

* Dispose intermediates received over the wire

* Release specific platform resources on linux as well

* Fix build

* Dispose ChainElement certificates in SslStreamCertificateContext.Windows build.

* Assert in tests that certificates are not disposed

* Fix Duplicate

* Check against ExtraStore and CustomTrastStore disposal

* Fix crash
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs
@@ -9,7 +9,7 @@
 
 namespace System.Net.Security
 {
-    internal sealed class SslAuthenticationOptions
+    internal sealed class SslAuthenticationOptions : IDisposable
     {
         private const string EnableOcspStaplingContextSwitchName = "System.Net.Security.EnableServerOcspStaplingFromOnlyCertificateOnLinux";
 
@@ -153,7 +153,7 @@ internal void UpdateOptions(SslServerAuthenticationOptions sslServerAuthenticati
                     bool ocspFetch = false;
                     _ = AppContext.TryGetSwitch(EnableOcspStaplingContextSwitchName, out ocspFetch);
                     // given cert is X509Certificate2 with key. We can use it directly.
-                    CertificateContext = SslStreamCertificateContext.Create(certificateWithKey, additionalCertificates: null, offline: false, trust: null, noOcspFetch: !ocspFetch);
+                    SetCertificateContextFromCert(certificateWithKey, !ocspFetch);
                 }
                 else
                 {
@@ -165,7 +165,7 @@ internal void UpdateOptions(SslServerAuthenticationOptions sslServerAuthenticati
                         throw new AuthenticationException(SR.net_ssl_io_no_server_cert);
                     }
 
-                    CertificateContext = SslStreamCertificateContext.Create(certificateWithKey);
+                    SetCertificateContextFromCert(certificateWithKey);
                 }
             }
 
@@ -195,13 +195,22 @@ private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols proto
             return protocols;
         }
 
+        internal void SetCertificateContextFromCert(X509Certificate2 certificate, bool? noOcspFetch = null)
+        {
+            CertificateContext = SslStreamCertificateContext.Create(certificate, null, offline: false, null, noOcspFetch ?? true);
+            OwnsCertificateContext = true;
+        }
+
         internal bool AllowRenegotiation { get; set; }
         internal string TargetHost { get; set; }
         internal X509CertificateCollection? ClientCertificates { get; set; }
         internal List<SslApplicationProtocol>? ApplicationProtocols { get; set; }
         internal bool IsServer { get; set; }
         internal bool IsClient => !IsServer;
-        internal SslStreamCertificateContext? CertificateContext { get; set; }
+        internal SslStreamCertificateContext? CertificateContext { get; private set; }
+        // If true, the certificate context was created by the SslStream and
+        // certificates inside should be disposed when no longer needed.
+        internal bool OwnsCertificateContext { get; private set; }
         internal SslProtocols EnabledSslProtocols { get; set; }
         internal X509RevocationMode CertificateRevocationCheckMode { get; set; }
         internal EncryptionPolicy EncryptionPolicy { get; set; }
@@ -221,5 +230,17 @@ private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols proto
 #if TARGET_ANDROID
         internal SslStream.JavaProxy? SslStreamProxy { get; set; }
 #endif
+
+        public void Dispose()
+        {
+            if (OwnsCertificateContext && CertificateContext != null)
+            {
+                CertificateContext.ReleaseResources();
+            }
+
+#if TARGET_ANDROID
+            SslStreamProxy?.Dispose();
+#endif
+        }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
@@ -176,9 +176,7 @@ internal void CloseContext()
             _securityContext?.Dispose();
             _credentialsHandle?.Dispose();
 
-#if TARGET_ANDROID
-            _sslAuthenticationOptions.SslStreamProxy?.Dispose();
-#endif
+            _sslAuthenticationOptions.Dispose();
         }
 
         //
@@ -583,11 +581,7 @@ internal bool AcquireClientCredentials(ref byte[]? thumbPrint, bool newCredentia
 
             if (newCredentialsRequested)
             {
-                if (selectedCert != null)
-                {
-                    // build the cert context only if it was not provided by the user
-                    _sslAuthenticationOptions.CertificateContext ??= SslStreamCertificateContext.Create(selectedCert);
-                }
+                UpdateCertificateContext(selectedCert);
 
                 if (SslStreamPal.TryUpdateClintCertificate(_credentialsHandle, _securityContext, _sslAuthenticationOptions))
                 {
@@ -645,31 +639,30 @@ internal bool AcquireClientCredentials(ref byte[]? thumbPrint, bool newCredentia
                         NetEventSource.Log.UsingCachedCredential(this);
                     _credentialsHandle = cachedCredentialHandle;
                     cachedCred = true;
-                    if (selectedCert != null)
-                    {
-                        _sslAuthenticationOptions.CertificateContext ??= SslStreamCertificateContext.Create(selectedCert!);
-                    }
+                    UpdateCertificateContext(selectedCert);
                 }
                 else
                 {
-                    if (selectedCert != null)
-                    {
-                        _sslAuthenticationOptions.CertificateContext ??= SslStreamCertificateContext.Create(selectedCert!);
-                    }
+                    UpdateCertificateContext(selectedCert);
 
                     _credentialsHandle = AcquireCredentialsHandle(_sslAuthenticationOptions, newCredentialsRequested);
                     thumbPrint = guessedThumbPrint; // Delay until here in case something above threw.
                 }
             }
             finally
             {
-                if (selectedCert != null)
-                {
-                    _sslAuthenticationOptions.CertificateContext ??= SslStreamCertificateContext.Create(selectedCert);
-                }
+                UpdateCertificateContext(selectedCert);
             }
 
             return cachedCred;
+
+            void UpdateCertificateContext(X509Certificate2? cert)
+            {
+                if (cert != null && _sslAuthenticationOptions.CertificateContext == null)
+                {
+                    _sslAuthenticationOptions.SetCertificateContextFromCert(cert);
+                }
+            }
         }
 
         private static List<T> EnsureInitialized<T>(ref List<T>? list) => list ??= new List<T>();
@@ -743,7 +736,7 @@ private bool AcquireServerCredentials(ref byte[]? thumbPrint)
                 }
 
                 Debug.Assert(localCertificate.Equals(selectedCert), "'selectedCert' does not match 'localCertificate'.");
-                _sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(selectedCert);
+                _sslAuthenticationOptions.SetCertificateContextFromCert(selectedCert);
             }
 
             Debug.Assert(_sslAuthenticationOptions.CertificateContext != null);
@@ -1054,6 +1047,13 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
             bool success = false;
             X509Chain? chain = null;
 
+            // We need to note the number of certs in ExtraStore that were
+            // provided (by the user), we will add more from the received peer
+            // chain and we want to dispose only these after we perform the
+            // validation.
+            // TODO: this forces allocation of X509Certificate2Collection
+            int preexistingExtraCertsCount = _sslAuthenticationOptions.CertificateChainPolicy?.ExtraStore?.Count ?? 0;
+
             try
             {
                 X509Certificate2? certificate = CertificateValidationPal.GetRemoteCertificate(_securityContext, ref chain, _sslAuthenticationOptions.CertificateChainPolicy);
@@ -1164,6 +1164,12 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
 
                 if (chain != null)
                 {
+                    // Dispose only the certificates that were added by GetRemoteCertificate
+                    for (int i = preexistingExtraCertsCount; i < chain.ChainPolicy.ExtraStore.Count; i++)
+                    {
+                        chain.ChainPolicy.ExtraStore[i].Dispose();
+                    }
+
                     int elementsCount = chain.ChainElements.Count;
                     for (int i = 0; i < elementsCount; i++)
                     {
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -416,5 +416,19 @@ private static string MakeUrl(string baseUri, ArraySegment<char> encodedRequest)
 
             return uriString;
         }
+
+        partial void ReleasePlatformSpecificResources()
+        {
+            Debug.Assert(_staplingForbidden, "Shouldn't release resources while OCSP stapling may be happening on the background.");
+
+            CertificateHandle.Dispose();
+            KeyHandle.Dispose();
+            _rootCertificate?.Dispose();
+
+            foreach (X509Certificate2 cert in _privateIntermediateCertificates)
+            {
+                cert.Dispose();
+            }
+        }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Windows.cs
@@ -42,6 +42,8 @@ private SslStreamCertificateContext(X509Certificate2 target, ReadOnlyCollection<
                         count++;
                     }
 
+                    DisposeChainElements(chain);
+
                     // OS failed to build the chain but we have at least some intermediates.
                     // We will try to add them to "Intermediate Certification Authorities" store.
                     if (!osCanBuildChain)
@@ -92,6 +94,8 @@ private SslStreamCertificateContext(X509Certificate2 target, ReadOnlyCollection<
                                     }
                                 }
 
+                                DisposeChainElements(chain);
+
                                 if (!osCanBuildChain)
                                 {
                                     // Add also root to Intermediate CA store so OS can complete building chain.
@@ -123,6 +127,15 @@ static void TryAddToStore(X509Store store, X509Certificate2 certificate)
                     }
                 }
             }
+
+            static void DisposeChainElements(X509Chain chain)
+            {
+                int elementsCount = chain.ChainElements.Count;
+                for (int i = 0; i < elementsCount; i++)
+                {
+                    chain.ChainElements[i].Certificate.Dispose();
+                }
+            }
         }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs
@@ -169,7 +169,29 @@ internal static SslStreamCertificateContext Create(
 
         internal SslStreamCertificateContext Duplicate()
         {
-            return new SslStreamCertificateContext(new X509Certificate2(TargetCertificate), IntermediateCertificates, Trust);
+            // Create will internally clone any certificates that it will
+            // retain, so we don't have to duplicate any of the instances here
+            X509Certificate2Collection intermediates = new X509Certificate2Collection();
+            foreach (X509Certificate2 cert in IntermediateCertificates)
+            {
+                intermediates.Add(cert);
+            }
+
+            return Create(new X509Certificate2(TargetCertificate), intermediates, trust: Trust);
+        }
+
+        internal void ReleaseResources()
+        {
+            // TargetCertificate is owned by the user, but we have created the cert context
+            // which looked up intermediate certificates and only we have reference to them.
+            foreach (X509Certificate2 cert in IntermediateCertificates)
+            {
+                cert.Dispose();
+            }
+
+            ReleasePlatformSpecificResources();
         }
+
+        partial void ReleasePlatformSpecificResources();
     }
 }
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs
@@ -114,6 +114,10 @@ public async Task SslStream_RequireClientCert_IsMutuallyAuthenticated_ReturnsTru
                     Assert.False(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");
                 }
             }
+
+            // Assert that the certificates are not being disposed
+            Assert.NotEqual(_clientCertificate.Handle, IntPtr.Zero);
+            Assert.NotEqual(_serverCertificate.Handle, IntPtr.Zero);
         }
 
         [ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]
@@ -152,7 +156,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                     // mutual authentication should only be set if server required client cert
                     Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
                     Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);
-                };
+                }
+                ;
             }
         }
 
@@ -268,7 +273,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                     {
                         Assert.Null(server.RemoteCertificate);
                     }
-                };
+                }
+                ;
             }
         }
 
@@ -322,7 +328,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                     {
                         Assert.Null(server.RemoteCertificate);
                     }
-                };
+                }
+                ;
             }
         }
 
@@ -380,7 +387,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                     {
                         Assert.Null(server.RemoteCertificate);
                     }
-                };
+                }
+                ;
             }
         }
 
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -807,6 +807,18 @@ public async Task SslStream_ServerUntrustedCaWithCustomTrust_OK(bool usePartialC
 
                 await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
             }
+
+            // the ownership of the ExtraStore cert is not transferred to the
+            // SslStream, so we need to verify that the certs are still valid.
+            foreach (X509Certificate2 cert in clientOptions.CertificateChainPolicy.ExtraStore)
+            {
+                Assert.NotEqual(cert.Handle, IntPtr.Zero);
+            }
+
+            foreach (X509Certificate2 cert in clientOptions.CertificateChainPolicy.CustomTrustStore)
+            {
+                Assert.NotEqual(cert.Handle, IntPtr.Zero);
+            }
         }
 
         private async Task SslStream_ClientSendsChain_Core(SslClientAuthenticationOptions clientOptions, X509Certificate2Collection clientChain)

Original file line number	Diff line number	Diff line change
`@@ -416,5 +416,19 @@ private static string MakeUrl(string baseUri, ArraySegment<char> encodedRequest)`
`416`	`416`
`417`	`417`	`return uriString;`
`418`	`418`	`}`
	`419`	`+`
	`420`	`+ partial void ReleasePlatformSpecificResources()`
	`421`	`+ {`
	`422`	`+ Debug.Assert(_staplingForbidden, "Shouldn't release resources while OCSP stapling may be happening on the background.");`
	`423`	`+`
	`424`	`+ CertificateHandle.Dispose();`
	`425`	`+ KeyHandle.Dispose();`
	`426`	`+ _rootCertificate?.Dispose();`
	`427`	`+`
	`428`	`+ foreach (X509Certificate2 cert in _privateIntermediateCertificates)`
	`429`	`+ {`
	`430`	`+ cert.Dispose();`
	`431`	`+ }`
	`432`	`+ }`
`419`	`433`	`}`
`420`	`434`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ private SslStreamCertificateContext(X509Certificate2 target, ReadOnlyCollection<`
`42`	`42`	`count++;`
`43`	`43`	`}`
`44`	`44`
	`45`	`+ DisposeChainElements(chain);`
	`46`	`+`
`45`	`47`	`// OS failed to build the chain but we have at least some intermediates.`
`46`	`48`	`// We will try to add them to "Intermediate Certification Authorities" store.`
`47`	`49`	`if (!osCanBuildChain)`
`@@ -92,6 +94,8 @@ private SslStreamCertificateContext(X509Certificate2 target, ReadOnlyCollection<`
`92`	`94`	`}`
`93`	`95`	`}`
`94`	`96`
	`97`	`+ DisposeChainElements(chain);`
	`98`	`+`
`95`	`99`	`if (!osCanBuildChain)`
`96`	`100`	`{`
`97`	`101`	`// Add also root to Intermediate CA store so OS can complete building chain.`
`@@ -123,6 +127,15 @@ static void TryAddToStore(X509Store store, X509Certificate2 certificate)`
`123`	`127`	`}`
`124`	`128`	`}`
`125`	`129`	`}`
	`130`	`+`
	`131`	`+ static void DisposeChainElements(X509Chain chain)`
	`132`	`+ {`
	`133`	`+ int elementsCount = chain.ChainElements.Count;`
	`134`	`+ for (int i = 0; i < elementsCount; i++)`
	`135`	`+ {`
	`136`	`+ chain.ChainElements[i].Certificate.Dispose();`
	`137`	`+ }`
	`138`	`+ }`
`126`	`139`	`}`
`127`	`140`	`}`
`128`	`141`	`}`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,10 @@ public async Task SslStream_RequireClientCert_IsMutuallyAuthenticated_ReturnsTru`
`114`	`114`	`Assert.False(server.IsMutuallyAuthenticated, "server.IsMutuallyAuthenticated");`
`115`	`115`	`}`
`116`	`116`	`}`
	`117`	`+`
	`118`	`+ // Assert that the certificates are not being disposed`
	`119`	`+ Assert.NotEqual(_clientCertificate.Handle, IntPtr.Zero);`
	`120`	`+ Assert.NotEqual(_serverCertificate.Handle, IntPtr.Zero);`
`117`	`121`	`}`
`118`	`122`
`119`	`123`	`[ConditionalTheory(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindows7))]`
`@@ -152,7 +156,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(`
`152`	`156`	`// mutual authentication should only be set if server required client cert`
`153`	`157`	`Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);`
`154`	`158`	`Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);`
`155`		`- };`
	`159`	`+ }`
	`160`	`+ ;`
`156`	`161`	`}`
`157`	`162`	`}`
`158`	`163`
`@@ -268,7 +273,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(`
`268`	`273`	`{`
`269`	`274`	`Assert.Null(server.RemoteCertificate);`
`270`	`275`	`}`
`271`		`- };`
	`276`	`+ }`
	`277`	`+ ;`
`272`	`278`	`}`
`273`	`279`	`}`
`274`	`280`
`@@ -322,7 +328,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(`
`322`	`328`	`{`
`323`	`329`	`Assert.Null(server.RemoteCertificate);`
`324`	`330`	`}`
`325`		`- };`
	`331`	`+ }`
	`332`	`+ ;`
`326`	`333`	`}`
`327`	`334`	`}`
`328`	`335`
`@@ -380,7 +387,8 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(`
`380`	`387`	`{`
`381`	`388`	`Assert.Null(server.RemoteCertificate);`
`382`	`389`	`}`
`383`		`- };`
	`390`	`+ }`
	`391`	`+ ;`
`384`	`392`	`}`
`385`	`393`	`}`
`386`	`394`