Avoid frequent calls to CertificateValidationPal.IsLocalCertificateUsed (#100513)

rzikm · web-flow · commit bc2bd2bd77ec · 2024-04-08T09:53:34.000+02:00
* Avoid frequent calls to CertificateValidationPal.IsLocalCertificateUsed

* Code review feedback
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs
@@ -360,6 +360,9 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[
                 }
 
                 token.ReleasePayload();
+
+                // reset the cached flag which has potentially outdated value.
+                _localClientCertificateUsed = -1;
             }
 
             if (NetEventSource.Log.IsEnabled())
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
@@ -57,6 +57,9 @@ internal static bool DisableTlsResume
         private X509Certificate2? _remoteCertificate;
         private bool _remoteCertificateExposed;
 
+        // -1 for uninitialized, 0 for false, 1 for true, should be accessed via IsLocalClientCertificateUsed property
+        private int _localClientCertificateUsed = -1;
+
         // These are the MAX encrypt buffer output sizes, not the actual sizes.
         private int _headerSize = 5; //ATTN must be set to at least 5 by default
         private int _trailerSize = 16;
@@ -82,11 +85,28 @@ internal X509Certificate? LocalServerCertificate
             }
         }
 
+        // IsLocalCertificateUsed is expensive, but it does not change during the lifetime of the SslStream except for renegotiation, so we
+        // can cache the value.
+        private bool IsLocalClientCertificateUsed
+        {
+            get
+            {
+                if (_localClientCertificateUsed == -1)
+                {
+                    _localClientCertificateUsed = CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext!)
+                        ? 1
+                        : 0;
+                }
+
+                return _localClientCertificateUsed == 1;
+            }
+        }
+
         internal X509Certificate? LocalClientCertificate
         {
             get
             {
-                if (_selectedClientCertificate != null && CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext!))
+                if (_selectedClientCertificate != null && IsLocalClientCertificateUsed)
                 {
                     return _selectedClientCertificate;
                 }

Original file line number	Diff line number	Diff line change
`@@ -360,6 +360,9 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[`
`360`	`360`	`}`
`361`	`361`
`362`	`362`	`token.ReleasePayload();`
	`363`	`+`
	`364`	`+ // reset the cached flag which has potentially outdated value.`
	`365`	`+ _localClientCertificateUsed = -1;`
`363`	`366`	`}`
`364`	`367`
`365`	`368`	`if (NetEventSource.Log.IsEnabled())`