Skip to content

Fix memory leaks in CertificateManager by improving certificate disposal patterns #63321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Fix memory leaks in CertificateManager by improving certificate disposal patterns #63321

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6314908
Initial plan
Copilot Aug 18, 2025
483cc00
Fix memory leak in ImportCertificate method by properly disposing X50…
Copilot Aug 18, 2025
a76f546
Add certificate disposal in exception catch block for ImportCertifica…
Copilot Aug 19, 2025
3a6e45f
Refactor certificate disposal using try-finally pattern and fix dispo…
Copilot Aug 19, 2025
e2b7b68
Fix certificate disposal in all early exit cases of EnsureAspNetCoreH…
Copilot Aug 21, 2025
e9c4aad
Fix certificate disposal to only dispose new certificates, not existi…
Copilot Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 78 additions & 36 deletions src/Shared/CertificateGeneration/CertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,18 +236,22 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(

var currentUserCertificates = ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: true, requireExportable: true);
var localMachineCertificates = ListCertificates(StoreName.My, StoreLocation.LocalMachine, isValid: true, requireExportable: true);
var certificates = currentUserCertificates.Concat(localMachineCertificates);
var allCertificates = currentUserCertificates.Concat(localMachineCertificates).ToList();

var filteredCertificates = certificates.Where(c => c.Subject == Subject);
var filteredCertificates = allCertificates.Where(c => c.Subject == Subject).ToList();

if (Log.IsEnabled())
{
var excludedCertificates = certificates.Except(filteredCertificates);
var excludedCertificates = allCertificates.Except(filteredCertificates);
Log.FilteredCertificates(ToCertificateDescription(filteredCertificates));
Log.ExcludedCertificates(ToCertificateDescription(excludedCertificates));
}

certificates = filteredCertificates;
// Dispose certificates we're not going to use
var certificatesToDispose = allCertificates.Except(filteredCertificates);
DisposeCertificates(certificatesToDispose);

var certificates = filteredCertificates;

X509Certificate2? certificate = null;
var isNewCertificate = false;
Expand Down Expand Up @@ -319,6 +323,7 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
Log.CreateDevelopmentCertificateError(e.ToString());
}
result = EnsureCertificateResult.ErrorCreatingTheCertificate;
DisposeCertificates(certificates);
return result;
}
Log.CreateDevelopmentCertificateEnd();
Expand All @@ -330,6 +335,11 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
catch (Exception e)
{
Log.SaveCertificateInStoreError(e.ToString());
if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
result = EnsureCertificateResult.ErrorSavingTheCertificateIntoTheCurrentUserPersonalStore;
return result;
}
Expand Down Expand Up @@ -387,6 +397,11 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
result :
EnsureCertificateResult.ErrorExportingTheCertificate;

if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
return result;
}
}
Expand All @@ -403,21 +418,41 @@ public EnsureCertificateResult EnsureAspNetCoreHttpsDevelopmentCertificate(
break;
case TrustLevel.Partial:
result = EnsureCertificateResult.PartiallyFailedToTrustTheCertificate;
if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
return result;
case TrustLevel.None:
default: // Treat unknown status (should be impossible) as failure
result = EnsureCertificateResult.FailedToTrustTheCertificate;
if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
return result;
}
}
catch (UserCancelledTrustException)
{
result = EnsureCertificateResult.UserCancelledTrustStep;
if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
return result;
}
catch
{
result = EnsureCertificateResult.FailedToTrustTheCertificate;
if (isNewCertificate)
{
certificate?.Dispose();
}
DisposeCertificates(certificates);
return result;
}

Expand Down Expand Up @@ -454,51 +489,58 @@ internal ImportCertificateResult ImportCertificate(string certificatePath, strin
return ImportCertificateResult.ExistingCertificatesPresent;
}

X509Certificate2 certificate;
X509Certificate2? certificate = null;
try
{
Log.LoadCertificateStart(certificatePath);
certificate = new X509Certificate2(certificatePath, password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.EphemeralKeySet);
if (Log.IsEnabled())
try
{
Log.LoadCertificateEnd(GetDescription(certificate));
Log.LoadCertificateStart(certificatePath);
certificate = new X509Certificate2(certificatePath, password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.EphemeralKeySet);
if (Log.IsEnabled())
{
Log.LoadCertificateEnd(GetDescription(certificate));
}
}
}
catch (Exception e)
{
if (Log.IsEnabled())
catch (Exception e)
{
Log.LoadCertificateError(e.ToString());
if (Log.IsEnabled())
{
Log.LoadCertificateError(e.ToString());
}
return ImportCertificateResult.InvalidCertificate;
}
return ImportCertificateResult.InvalidCertificate;
}

// Note that we're checking Subject, rather than LocalhostHttpsDistinguishedName,
// because the tests use a different subject.
if (!string.Equals(certificate.Subject, Subject, StringComparison.Ordinal) || // Kestrel requires this
!IsHttpsDevelopmentCertificate(certificate))
{
if (Log.IsEnabled())
// Note that we're checking Subject, rather than LocalhostHttpsDistinguishedName,
// because the tests use a different subject.
if (!string.Equals(certificate.Subject, Subject, StringComparison.Ordinal) || // Kestrel requires this
!IsHttpsDevelopmentCertificate(certificate))
{
Log.NoHttpsDevelopmentCertificate(GetDescription(certificate));
if (Log.IsEnabled())
{
Log.NoHttpsDevelopmentCertificate(GetDescription(certificate));
}
return ImportCertificateResult.NoDevelopmentHttpsCertificate;
}
return ImportCertificateResult.NoDevelopmentHttpsCertificate;
}

try
{
SaveCertificate(certificate);
}
catch (Exception e)
{
if (Log.IsEnabled())
try
{
Log.SaveCertificateInStoreError(e.ToString());
certificate = SaveCertificate(certificate);
}
catch (Exception e)
{
if (Log.IsEnabled())
{
Log.SaveCertificateInStoreError(e.ToString());
}
return ImportCertificateResult.ErrorSavingTheCertificateIntoTheCurrentUserPersonalStore;
}
return ImportCertificateResult.ErrorSavingTheCertificateIntoTheCurrentUserPersonalStore;
}

return ImportCertificateResult.Succeeded;
return ImportCertificateResult.Succeeded;
}
finally
{
certificate?.Dispose();
}
}

public void CleanupHttpsCertificates()
Expand Down
Loading