[release/6.0] Avoid rooting X509Certificate2 in SslSessionCache

src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs

@@ -322,14 +322,13 @@ public static unsafe int AcquireCredentialsHandle(
     internal sealed class SafeFreeCredential_SECURITY : SafeFreeCredentials
     {
 #pragma warning disable 0649
-         // This is used only by SslStream but it is included elsewhere
-         public X509Certificate? LocalCertificate;
- #pragma warning restore 0649
+        // This is used only by SslStream but it is included elsewhere
+        public bool HasLocalCertificate;
+#pragma warning restore 0649
         public SafeFreeCredential_SECURITY() : base() { }
 
         protected override bool ReleaseHandle()
         {
-            LocalCertificate?.Dispose();
             return Interop.SspiCli.FreeCredentialsHandle(ref _handle) == 0;
         }
     }

src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs

@@ -101,7 +101,7 @@ internal static bool IsLocalCertificateUsed(SafeFreeCredentials? _credentialsHan
                 // This is TLS Resumed session. Windows can fail to query the local cert bellow.
                 // Instead, we will determine the usage form used credentials.
                 SafeFreeCredential_SECURITY creds = (SafeFreeCredential_SECURITY)_credentialsHandle!;
-                return creds.LocalCertificate != null;
+                return creds.HasLocalCertificate;
             }
 
             SafeFreeCertContext? localContext = null;

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs

@@ -112,10 +112,10 @@ public static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredential
             return SecurityStatusAdapterPal.GetSecurityStatusPalFromNativeInt(errorCode);
         }
 
-        public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer )
+        public static SecurityStatusPal Renegotiate(ref SafeFreeCredentials? credentialsHandle, ref SafeDeleteSslContext? context, SslAuthenticationOptions sslAuthenticationOptions, out byte[]? outputBuffer)
         {
             byte[]? output = Array.Empty<byte>();
-            SecurityStatusPal status =  AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);
+            SecurityStatusPal status = AcceptSecurityContext(ref credentialsHandle, ref context, Span<byte>.Empty, ref output, sslAuthenticationOptions);
             outputBuffer = output;
             return status;
         }
@@ -139,8 +139,7 @@ public static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateC
                 if (newCredentialsRequested && certificateContext != null)
                 {
                     SafeFreeCredential_SECURITY handle = (SafeFreeCredential_SECURITY)cred;
-                    // We need to create copy to avoid Disposal issue.
-                    handle.LocalCertificate = new X509Certificate2(certificateContext.Certificate);
+                    handle.HasLocalCertificate = true;
                 }
 
                 return cred;
@@ -270,11 +269,11 @@ public static unsafe SafeFreeCredentials AcquireCredentialsHandleSchCredentials(
             Interop.SspiCli.SCH_CREDENTIALS credential = default;
             credential.dwVersion = Interop.SspiCli.SCH_CREDENTIALS.CurrentVersion;
             credential.dwFlags = flags;
-            Interop.Crypt32.CERT_CONTEXT *certificateHandle = null;
+            Interop.Crypt32.CERT_CONTEXT* certificateHandle = null;
             if (certificate != null)
             {
                 credential.cCreds = 1;
-                certificateHandle = (Interop.Crypt32.CERT_CONTEXT *)certificate.Handle;
+                certificateHandle = (Interop.Crypt32.CERT_CONTEXT*)certificate.Handle;
                 credential.paCred = &certificateHandle;
             }