Skip to content

avoid allocating collection for intermediate certificates #68188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wfurt merged 4 commits into from
Apr 19, 2022
Merged

avoid allocating collection for intermediate certificates #68188

wfurt merged 4 commits into from
Apr 19, 2022

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented Apr 18, 2022

There are actually two collection we will save in this change for each TLS handshake:

Current code always allocates X509Certificate2Collection to store intermediate certificates from handshake just to add all of them to X509Chain before validation. This change fixes the internal API so that we allocate X509Chain as needed and we add any intermediate certificates to it directly without need to allocate extra collection. (using ref X509Chain?)

The second collocation comes surprisingly from null check:

if (_chainPolicy != null && _chainPolicy.CustomTrustStore != null)

does not really work well with

 public X509Certificate2Collection CustomTrustStore => _customTrustStore ??= new X509Certificate2Collection();

CustomTrustStore will never be null and the check will allocate in typical case.

@wfurt wfurt requested review from a team and stephentoub April 18, 2022 23:31
@wfurt wfurt self-assigned this Apr 18, 2022
@ghost
Copy link

ghost commented Apr 18, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

There are actually two collection we will save in this change for each TLS handshake:

Current code always allocates X509Certificate2Collection to store intermediate certificates from handshake just to add all of them to X509Chain before validation. This change fixes the internal API so that we allocate X509Chain as needed and we add any intermediate certificates to it directly without need to allocate extra collection. (using ref X509Chain?)

The second collocation comes surprisingly from null check:

if (_chainPolicy != null && _chainPolicy.CustomTrustStore != null)

does not really work well with

 public X509Certificate2Collection CustomTrustStore => _customTrustStore ??= new X509Certificate2Collection();

CustomTrustStore will never be null and the check will allocate in typical case.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security
Milestone: -

rzikm
rzikm approved these changes Apr 19, 2022
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, modulo comments.

campersau
campersau reviewed Apr 19, 2022
View reviewed changes
src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpRequestCallback.cs
X509Certificate2Collection remoteCertificateStore =
UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(certHandle);
X509Certificate2Collection remoteCertificateStore = new X509Certificate2Collection();
UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(certHandle, remoteCertificateStore);
Copy link
Contributor

@campersau campersau Apr 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(certHandle, remoteCertificateStore);
UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(certHandle, remoteCertificateStore);

@wfurt wfurt merged commit 37ad965 into dotnet:main Apr 19, 2022
@wfurt wfurt deleted the collection branch April 19, 2022 20:49
directhex pushed a commit to directhex/runtime that referenced this pull request Apr 21, 2022
@wfurt
avoid allocating collection for intermediate certificates (dotnet#68188)
4576be0 
* avoid allocating collection for intermediate certificates

* fix NRE for custom trust

* feedback from review
@ghost ghost locked as resolved and limited conversation to collaborators May 20, 2022
@karelz karelz added this to the 7.0.0 milestone Jul 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rzikm rzikm rzikm approved these changes

@stephentoub stephentoub Awaiting requested review from stephentoub

+1 more reviewer

@campersau campersau campersau left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@wfurt wfurt

Labels

area-System.Net.Security

Projects

None yet

Milestone

7.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@wfurt @campersau @rzikm @karelz