[WinHTTP] Certificate caching on WinHttpHandler to eliminate extra call to Custom Certificate Validation

src/libraries/Common/src/Interop/Windows/WinHttp/Interop.winhttp_types.cs

@@ -336,6 +336,14 @@ public struct WINHTTP_ASYNC_RESULT
             public uint dwError;
         }
 
+        [StructLayout(LayoutKind.Sequential)]
+        public unsafe struct WINHTTP_CONNECTION_INFO
+        {
+            public uint cbSize;
+            public uint __alignment;
+            public fixed byte LocalAddress[128];
+            public fixed byte RemoteAddress[128];
+        }
 
         [StructLayout(LayoutKind.Sequential)]
         public struct tcp_keepalive

src/libraries/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj

@@ -80,6 +80,7 @@ System.Net.Http.WinHttpHandler</PackageDescription>
              Link="Common\System\Runtime\ExceptionServices\ExceptionStackTrace.cs" />
     <Compile Include="$(CommonPath)\System\Threading\Tasks\RendezvousAwaitable.cs"
              Link="Common\System\Threading\Tasks\RendezvousAwaitable.cs" />
+    <Compile Include="System\Net\Http\CachedCertificateValue.cs" />
     <Compile Include="System\Net\Http\NetEventSource.WinHttpHandler.cs" />
     <Compile Include="System\Net\Http\NoWriteNoSeekStreamContent.cs" />
     <Compile Include="System\Net\Http\WinHttpAuthHelper.cs" />

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/CachedCertificateValue.cs

@@ -0,0 +1,15 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace System.Net.Http
+{
+    internal sealed class CachedCertificateValue(byte[] rawCertificateData, long lastUsedTime)
+    {
+        public byte[] RawCertificateData { get; } = rawCertificateData;
+        public long LastUsedTime { get; set; } = lastUsedTime;
+    }
+}

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -1,8 +1,10 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Diagnostics.CodeAnalysis;
 using System.IO;
 using System.Net.Http.Headers;
 using System.Net.Security;
@@ -46,6 +48,8 @@ public class WinHttpHandler : HttpMessageHandler
         private static readonly StringWithQualityHeaderValue s_gzipHeaderValue = new StringWithQualityHeaderValue("gzip");
         private static readonly StringWithQualityHeaderValue s_deflateHeaderValue = new StringWithQualityHeaderValue("deflate");
         private static readonly Lazy<bool> s_supportsTls13 = new Lazy<bool>(CheckTls13Support);
+        private static readonly TimeSpan s_cleanCachedCertificateTimeout = TimeSpan.FromMinutes(1);
+        private static readonly long s_staleTimeout = (long)s_cleanCachedCertificateTimeout.TotalSeconds * Stopwatch.Frequency;
 
         [ThreadStatic]
         private static StringBuilder? t_requestHeadersBuilder;
@@ -93,9 +97,27 @@ private Func<
         private volatile int _disposed;
         private SafeWinHttpHandle? _sessionHandle;
         private readonly WinHttpAuthHelper _authHelper = new WinHttpAuthHelper();
+        private readonly Timer? _certificateCleanupTimer;
+        private bool _isTimerRunning;
+        private ConcurrentDictionary<IPAddress, CachedCertificateValue> _cachedCertificates = new();
 
         public WinHttpHandler()
         {
+            if (WinHttpRequestCallback.CertificateCachingAppContextSwitchEnabled)
+            {
+                WeakReference<WinHttpHandler> thisRef = new(this);
+                _certificateCleanupTimer = new Timer(
+                    static s =>
+                    {
+                        if (((WeakReference<WinHttpHandler>)s!).TryGetTarget(out WinHttpHandler? thisRef))
+                        {
+                            thisRef.ClearStaleCertificates();
+                        }
+                    },
+                    thisRef,
+                    Timeout.Infinite,
+                    Timeout.Infinite);
+            }
         }
 
         #region Properties
@@ -541,9 +563,10 @@ protected override void Dispose(bool disposing)
         {
             if (Interlocked.CompareExchange(ref _disposed, 1, 0) == 0)
             {
-                if (disposing && _sessionHandle != null)
+                if (disposing)
                 {
-                    _sessionHandle.Dispose();
+                    _sessionHandle?.Dispose();
+                    _certificateCleanupTimer?.Dispose();
                 }
             }
 
@@ -1649,7 +1672,8 @@ private void SetStatusCallback(
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_ALL_COMPLETIONS |
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_HANDLES |
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_REDIRECT |
-                Interop.WinHttp.WINHTTP_CALLBACK_FLAG_SEND_REQUEST;
+                Interop.WinHttp.WINHTTP_CALLBACK_FLAG_SEND_REQUEST |
+                Interop.WinHttp.WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER;
 
             IntPtr oldCallback = Interop.WinHttp.WinHttpSetStatusCallback(
                 requestHandle,
@@ -1735,5 +1759,87 @@ private RendezvousAwaitable<int> InternalReceiveResponseHeadersAsync(WinHttpRequ
 
             return state.LifecycleAwaitable;
         }
+
+        internal bool GetCertificateFromCache(IPAddress ipAddress, [MaybeNullWhen(false)] out byte[] rawCertificateBytes)
+        {
+            if (_cachedCertificates.TryGetValue(ipAddress, out CachedCertificateValue? cachedValue))
+            {
+                cachedValue.LastUsedTime = Stopwatch.GetTimestamp();
+                rawCertificateBytes = cachedValue.RawCertificateData;
+                return true;
+            }
+
+            rawCertificateBytes = null;
+            return false;
+        }
+
+        internal bool TryAddCertificateToCache(IPAddress address, byte[] rawCertificateData)
+        {
+            bool result = _cachedCertificates.TryAdd(address, new CachedCertificateValue(rawCertificateData, Stopwatch.GetTimestamp()));
+            if (result)
+            {
+                EnsureCleanupTimerRunning();
+            }
+            return result;
+        }
+
+        internal bool TryRemoveCertificateFromCache(IPAddress address)
+        {
+            bool result = _cachedCertificates.TryRemove(address, out CachedCertificateValue? _);
+            if (result)
+            {
+                StopCleanupTimerIfEmpty();
+            }
+            return result;
+        }
+
+        private void ChangeCleanerTimer(TimeSpan timeout)
+        {
+            Debug.Assert(_certificateCleanupTimer != null);
+            if (_certificateCleanupTimer!.Change(timeout, Timeout.InfiniteTimeSpan))
+            {
+                lock (_lockObject)
+                {
+                    _isTimerRunning = timeout != Timeout.InfiniteTimeSpan;
+                }
+            }
+        }
+
+        private void ClearStaleCertificates()
+        {
+            Debug.Assert(_certificateCleanupTimer != null);
+
+            foreach (KeyValuePair<IPAddress, CachedCertificateValue> kvPair in _cachedCertificates)
+            {
+                if (IsStale(kvPair.Value.LastUsedTime))
+                {
+                    _cachedCertificates.TryRemove(kvPair.Key, out CachedCertificateValue? _);
+                }
+            }
+
+            ChangeCleanerTimer(_cachedCertificates.IsEmpty ? Timeout.InfiniteTimeSpan : s_cleanCachedCertificateTimeout);
+
+            static bool IsStale(long lastUsedTime)
+            {
+                long now = Stopwatch.GetTimestamp();
+                return (now - lastUsedTime) > s_staleTimeout;
+            }
+        }
+
+        private void EnsureCleanupTimerRunning()
+        {
+            if (!_cachedCertificates.IsEmpty && !_isTimerRunning)
+            {
+                ChangeCleanerTimer(s_cleanCachedCertificateTimeout);
+            }
+        }
+
+        private void StopCleanupTimerIfEmpty()
+        {
+            if (_cachedCertificates.IsEmpty && _isTimerRunning)
+            {
+                ChangeCleanerTimer(Timeout.InfiniteTimeSpan);
+            }
+        }
     }
 }

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpRequestCallback.cs

@@ -2,12 +2,16 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Buffers.Binary;
 using System.Diagnostics;
 using System.IO;
+using System.Linq;
 using System.Net.Security;
+using System.Net.Sockets;
+using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
-
+using System.Threading;
 using SafeWinHttpHandle = Interop.WinHttp.SafeWinHttpHandle;
 
 namespace System.Net.Http
@@ -20,6 +24,8 @@ internal static class WinHttpRequestCallback
         public static Interop.WinHttp.WINHTTP_STATUS_CALLBACK StaticCallbackDelegate =
             new Interop.WinHttp.WINHTTP_STATUS_CALLBACK(WinHttpCallback);
 
+        public static bool CertificateCachingAppContextSwitchEnabled { get; } = AppContext.TryGetSwitch("System.Net.Http.UseWinHttpCertificateCaching", out bool enabled) && enabled;
+
         public static void WinHttpCallback(
             IntPtr handle,
             IntPtr context,
@@ -56,6 +62,14 @@ private static void RequestCallback(
             {
                 switch (internetStatus)
                 {
+                    case Interop.WinHttp.WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER:
+                        if (CertificateCachingAppContextSwitchEnabled)
+                        {
+                            IPAddress connectedToIPAddress = IPAddress.Parse(Marshal.PtrToStringUni(statusInformation)!);
+                            OnRequestConnectedToServer(state, connectedToIPAddress);
+                        }
+                        return;
+
                     case Interop.WinHttp.WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING:
                         OnRequestHandleClosing(state);
                         return;
@@ -121,6 +135,21 @@ private static void RequestCallback(
             }
         }
 
+        private static void OnRequestConnectedToServer(WinHttpRequestState state, IPAddress connectedIPAddress)
+        {
+            Debug.Assert(state != null);
+            Debug.Assert(state.Handler != null);
+
+            if (state.Handler.TryRemoveCertificateFromCache(connectedIPAddress))
+            {
+                if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(null, $"Removed cached certificate for {connectedIPAddress}");
+            }
+            else
+            {
+                if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(null, $"No cached certificate for {connectedIPAddress} to remove");
+            }
+        }
+
         private static void OnRequestHandleClosing(WinHttpRequestState state)
         {
             Debug.Assert(state != null, "OnRequestSendRequestComplete: state is null");
@@ -231,6 +260,7 @@ private static void OnRequestRedirect(WinHttpRequestState state, Uri redirectUri
         private static void OnRequestSendingRequest(WinHttpRequestState state)
         {
             Debug.Assert(state != null, "OnRequestSendingRequest: state is null");
+            Debug.Assert(state.Handler != null, "OnRequestSendingRequest: state.Handler is null");
             Debug.Assert(state.RequestMessage != null, "OnRequestSendingRequest: state.RequestMessage is null");
             Debug.Assert(state.RequestMessage.RequestUri != null, "OnRequestSendingRequest: state.RequestMessage.RequestUri is null");
 
@@ -279,6 +309,53 @@ private static void OnRequestSendingRequest(WinHttpRequestState state)
                 var serverCertificate = new X509Certificate2(certHandle);
                 Interop.Crypt32.CertFreeCertificateContext(certHandle);
 
+                IPAddress? ipAddress = null;
+                if (CertificateCachingAppContextSwitchEnabled)
+                {
+                    unsafe
+                    {
+                        Interop.WinHttp.WINHTTP_CONNECTION_INFO connectionInfo;
+                        Interop.WinHttp.WINHTTP_CONNECTION_INFO* pConnectionInfo = &connectionInfo;
+                        uint infoSize = (uint)sizeof(Interop.WinHttp.WINHTTP_CONNECTION_INFO);
+                        if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"sizeof(WINHTTP_CONNECTION_INFO)={infoSize}");
+                        if (Interop.WinHttp.WinHttpQueryOption(
+                            state.RequestHandle,
+                            // This option is available on Windows XP SP2 and later; Windows 2003 with SP1 and later.
+                            Interop.WinHttp.WINHTTP_OPTION_CONNECTION_INFO,
+                            (IntPtr)pConnectionInfo,
+                            ref infoSize))
+                        {
+                            ReadOnlySpan<byte> remoteAddressSpan = new ReadOnlySpan<byte>(connectionInfo.RemoteAddress, 128);
+                            AddressFamily addressFamily = (AddressFamily)(remoteAddressSpan[0] + (remoteAddressSpan[1] << 8));
+                            ipAddress = addressFamily switch
+                            {
+                                AddressFamily.InterNetwork => new IPAddress(BinaryPrimitives.ReadUInt32LittleEndian(remoteAddressSpan.Slice(4))),
+                                AddressFamily.InterNetworkV6 => new IPAddress(remoteAddressSpan.Slice(8, 16).ToArray()),
+                                _ => null
+                            };
+                            Debug.Assert(ipAddress != null, "AddressFamily is not supported");
+                            if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"ipAddress: {ipAddress}");
+
+                        }
+                        else
+                        {
+                            int lastError = Marshal.GetLastWin32Error();
+                            if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(state, $"Error getting WINHTTP_OPTION_CONNECTION_INFO, {lastError}");
+                        }
+                    }
+
+                    if (ipAddress is not null && state.Handler.GetCertificateFromCache(ipAddress, out byte[]? rawCertData) && rawCertData.SequenceEqual(serverCertificate.RawData))
+                    {
+                        if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"Skipping certificate validation. ipAddress: {ipAddress}, Thumbprint: {serverCertificate.Thumbprint}");
+                        serverCertificate.Dispose();
+                        return;
+                    }
+                    else
+                    {
+                        if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"Certificate validation is required! IPAddress = {ipAddress}, Thumbprint: {serverCertificate.Thumbprint}");
+                    }
+                }
+
                 X509Chain? chain = null;
                 SslPolicyErrors sslPolicyErrors;
                 bool result = false;
@@ -298,6 +375,10 @@ private static void OnRequestSendingRequest(WinHttpRequestState state)
                         serverCertificate,
                         chain,
                         sslPolicyErrors);
+                    if (CertificateCachingAppContextSwitchEnabled && result && ipAddress is not null)
+                    {
+                        _ = state.Handler.TryAddCertificateToCache(ipAddress, serverCertificate.RawData);
+                    }
                 }
                 catch (Exception ex)
                 {