Avoid frequent calls to CertificateValidationPal.IsLocalCertificateUs…

…ed (dotnet#100513) * Avoid frequent calls to CertificateValidationPal.IsLocalCertificateUsed * Code review feedback
matouskozak · Apr 30, 2024 · d275fdb · d275fdb
1 parent d811c59
commit d275fdb
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs
@@ -360,6 +360,9 @@ private async Task ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[
                 }
 
                 token.ReleasePayload();
+
+                // reset the cached flag which has potentially outdated value.
+                _localClientCertificateUsed = -1;
             }
 
             if (NetEventSource.Log.IsEnabled())

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
@@ -57,6 +57,9 @@ internal static bool DisableTlsResume
         private X509Certificate2? _remoteCertificate;
         private bool _remoteCertificateExposed;
 
+        // -1 for uninitialized, 0 for false, 1 for true, should be accessed via IsLocalClientCertificateUsed property
+        private int _localClientCertificateUsed = -1;
+
         // These are the MAX encrypt buffer output sizes, not the actual sizes.
         private int _headerSize = 5; //ATTN must be set to at least 5 by default
         private int _trailerSize = 16;
@@ -82,11 +85,28 @@ internal X509Certificate? LocalServerCertificate
             }
         }
 
+        // IsLocalCertificateUsed is expensive, but it does not change during the lifetime of the SslStream except for renegotiation, so we
+        // can cache the value.
+        private bool IsLocalClientCertificateUsed
+        {
+            get
+            {
+                if (_localClientCertificateUsed == -1)
+                {
+                    _localClientCertificateUsed = CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext!)
+                        ? 1
+                        : 0;
+                }
+
+                return _localClientCertificateUsed == 1;
+            }
+        }
+
         internal X509Certificate? LocalClientCertificate
         {
             get
             {
-                if (_selectedClientCertificate != null && CertificateValidationPal.IsLocalCertificateUsed(_credentialsHandle, _securityContext!))
+                if (_selectedClientCertificate != null && IsLocalClientCertificateUsed)
                 {
                     return _selectedClientCertificate;
                 }