Reapply "Change HttpClient/SslStream default certificate revocation check mode to Online (#116098)"

This reverts commit defd136.

Author: rzikm

src/libraries/Common/tests/System/Net/Configuration.Certificates.Dynamic.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Net.Security;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography;
@@ -37,29 +38,6 @@ public static partial class Certificates
             private static readonly X509BasicConstraintsExtension s_eeConstraints =
                 new X509BasicConstraintsExtension(false, false, 0, false);
 
-            private static X509Certificate2 s_dynamicServerCertificate;
-            private static X509Certificate2Collection s_dynamicCaCertificates;
-            private static object certLock = new object();
-
-
-            // These Get* methods make a copy of the certificates so that consumers own the lifetime of the
-            // certificates handed back.  Consumers are expected to dispose of their certs when done with them.
-
-            public static X509Certificate2 GetDynamicServerCerttificate(X509Certificate2Collection? chainCertificates)
-            {
-                lock (certLock)
-                {
-                    if (s_dynamicServerCertificate == null)
-                    {
-                        CleanupCertificates();
-                        (s_dynamicServerCertificate, s_dynamicCaCertificates) = GenerateCertificates("localhost", nameof(Configuration) + nameof(Certificates));
-                    }
-
-                    chainCertificates?.AddRange(s_dynamicCaCertificates);
-                    return new X509Certificate2(s_dynamicServerCertificate);
-                }
-            }
-
             public static void CleanupCertificates([CallerMemberName] string? testName = null, StoreName storeName = StoreName.CertificateAuthority)
             {
                 string caName = $"O={testName}";
@@ -78,7 +56,9 @@ public static void CleanupCertificates([CallerMemberName] string? testName = nul
                         }
                     }
                 }
-                catch { };
+                catch
+                {
+                }
 
                 try
                 {
@@ -95,7 +75,9 @@ public static void CleanupCertificates([CallerMemberName] string? testName = nul
                         }
                     }
                 }
-                catch { };
+                catch
+                {
+                }
             }
 
             internal static X509ExtensionCollection BuildTlsServerCertExtensions(string serverName)
@@ -119,7 +101,68 @@ private static X509ExtensionCollection BuildTlsCertExtensions(string targetName,
                 return extensions;
             }
 
-            public static (X509Certificate2 certificate, X509Certificate2Collection) GenerateCertificates(string targetName, [CallerMemberName] string? testName = null, bool longChain = false, bool serverCertificate = true, bool ephemeralKey = false)
+            internal class PkiHolder : IDisposable
+            {
+                internal CertificateAuthority Root { get; }
+                internal CertificateAuthority[] Intermediates { get; }
+                public X509Certificate2 EndEntity { get; }
+                public X509Certificate2Collection IssuerChain { get; }
+                internal RevocationResponder Responder { get; }
+
+                private readonly string? _testName;
+
+                public PkiHolder(string? testName, CertificateAuthority root, CertificateAuthority[] intermediates, X509Certificate2 endEntity, RevocationResponder responder)
+                {
+                    _testName = testName;
+                    Root = root;
+                    Intermediates = intermediates;
+                    EndEntity = endEntity;
+                    Responder = responder;
+
+                    // Walk the intermediates backwards so we build the chain collection as
+                    // Issuer3
+                    // Issuer2
+                    // Issuer1
+                    // Root
+                    IssuerChain = new X509Certificate2Collection();
+                    for (int i = intermediates.Length - 1; i >= 0; i--)
+                    {
+                        CertificateAuthority authority = intermediates[i];
+
+                        IssuerChain.Add(authority.CloneIssuerCert());
+                    }
+
+                    IssuerChain.Add(root.CloneIssuerCert());
+                }
+
+                public SslStreamCertificateContext CreateSslStreamCertificateContext()
+                {
+                    return SslStreamCertificateContext.Create(EndEntity, IssuerChain);
+                }
+
+                public void Dispose()
+                {
+                    foreach (CertificateAuthority authority in Intermediates)
+                    {
+                        authority.Dispose();
+                    }
+                    Root.Dispose();
+                    EndEntity.Dispose();
+                    Responder.Dispose();
+
+                    foreach (X509Certificate2 authority in IssuerChain)
+                    {
+                        authority.Dispose();
+                    }
+
+                    if (PlatformDetection.IsWindows && _testName != null)
+                    {
+                        CleanupCertificates(_testName);
+                    }
+                }
+            }
+
+            internal static PkiHolder GenerateCertificates(string targetName, [CallerMemberName] string? testName = null, bool longChain = false, bool serverCertificate = true, bool ephemeralKey = false)
             {
                 const int keySize = 2048;
                 if (PlatformDetection.IsWindows && testName != null)
@@ -131,7 +174,7 @@ public static (X509Certificate2 certificate, X509Certificate2Collection) Generat
                 X509ExtensionCollection extensions = BuildTlsCertExtensions(targetName, serverCertificate);
 
                 CertificateAuthority.BuildPrivatePki(
-                    PkiOptions.IssuerRevocationViaCrl,
+                    PkiOptions.AllRevocation,
                     out RevocationResponder responder,
                     out CertificateAuthority root,
                     out CertificateAuthority[] intermediates,
@@ -142,34 +185,15 @@ public static (X509Certificate2 certificate, X509Certificate2Collection) Generat
                     keyFactory: CertificateAuthority.KeyFactory.RSASize(keySize),
                     extensions: extensions);
 
-                // Walk the intermediates backwards so we build the chain collection as
-                // Issuer3
-                // Issuer2
-                // Issuer1
-                // Root
-                for (int i = intermediates.Length - 1; i >= 0; i--)
-                {
-                    CertificateAuthority authority = intermediates[i];
-
-                    chain.Add(authority.CloneIssuerCert());
-                    authority.Dispose();
-                }
-
-                chain.Add(root.CloneIssuerCert());
-
-                responder.Dispose();
-                root.Dispose();
-
                 if (!ephemeralKey && PlatformDetection.IsWindows)
                 {
                     X509Certificate2 ephemeral = endEntity;
                     endEntity = X509CertificateLoader.LoadPkcs12(endEntity.Export(X509ContentType.Pfx), (string?)null, X509KeyStorageFlags.Exportable);
                     ephemeral.Dispose();
                 }
 
-                return (endEntity, chain);
+                return new PkiHolder(testName, root, intermediates, endEntity, responder);
             }
-
         }
     }
 }

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs

@@ -48,7 +48,7 @@ public void Ctor_ExpectedDefaultValues()
             using (HttpClientHandler handler = CreateHttpClientHandler())
             {
                 Assert.Null(handler.ServerCertificateCustomValidationCallback);
-                Assert.False(handler.CheckCertificateRevocationList);
+                Assert.True(handler.CheckCertificateRevocationList);
             }
         }
 
@@ -232,7 +232,9 @@ public async Task NoCallback_BadCertificate_ThrowsException(string url)
         [ActiveIssue("https://github.com/dotnet/runtime/issues/106634", typeof(PlatformDetection), nameof(PlatformDetection.IsAlpine))]
         public async Task NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds()
         {
-            using (HttpClient client = CreateHttpClient())
+            HttpClientHandler handler = CreateHttpClientHandler();
+            handler.CheckCertificateRevocationList = false;
+            using (HttpClient client = CreateHttpClient(handler))
             using (HttpResponseMessage response = await client.GetAsync(Configuration.Http.RevokedCertRemoteServer))
             {
                 Assert.Equal(HttpStatusCode.OK, response.StatusCode);
@@ -244,7 +246,6 @@ public async Task NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds()
         public async Task NoCallback_RevokedCertificate_RevocationChecking_Fails()
         {
             HttpClientHandler handler = CreateHttpClientHandler();
-            handler.CheckCertificateRevocationList = true;
             using (HttpClient client = CreateHttpClient(handler))
             {
                 await Assert.ThrowsAsync<HttpRequestException>(() => client.GetAsync(Configuration.Http.RevokedCertRemoteServer));

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs

@@ -78,7 +78,7 @@ public void Ctor_ExpectedDefaultPropertyValues()
                 Assert.True(handler.SupportsRedirectConfiguration);
 
                 // Changes from .NET Framework.
-                Assert.False(handler.CheckCertificateRevocationList);
+                Assert.True(handler.CheckCertificateRevocationList);
                 Assert.Equal(0, handler.MaxRequestContentBufferSize);
                 Assert.Equal(SslProtocols.None, handler.SslProtocols);
             }

src/libraries/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj

@@ -96,6 +96,8 @@ System.Net.Http.WinHttpHandler</PackageDescription>
     <Compile Include="System\Net\Http\WinHttpTraceHelper.cs" />
     <Compile Include="System\Net\Http\WinHttpTrailersHelper.cs" />
     <Compile Include="System\Net\Http\WinHttpTransportContext.cs" />
+    <Compile Include="$(CommonPath)System\AppContextSwitchHelper.cs"
+             Link="Common\System\AppContextSwitchHelper.cs" />
     <Compile Include="$(CommonPath)System\IO\StreamHelpers.CopyValidation.cs"
              Link="Common\System\IO\StreamHelpers.CopyValidation.cs" />
     <Compile Include="$(CommonPath)System\Net\Logging\NetEventSource.Common.cs"

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -43,6 +43,11 @@ public class WinHttpHandler : HttpMessageHandler
         internal static readonly Version HttpVersion20 = new Version(2, 0);
         internal static readonly Version HttpVersion30 = new Version(3, 0);
         internal static readonly Version HttpVersionUnknown = new Version(0, 0);
+        internal static bool DefaultCertificateRevocationCheck { get; } =
+            AppContextSwitchHelper.GetBooleanConfig(
+                "System.Net.Security.NoRevocationCheckByDefault",
+                "DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT") ? false : true;
+
         internal static bool CertificateCachingAppContextSwitchEnabled { get; } = AppContext.TryGetSwitch("System.Net.Http.UseWinHttpCertificateCaching", out bool enabled) && enabled;
         private static readonly TimeSpan s_maxTimeout = TimeSpan.FromMilliseconds(int.MaxValue);
 
@@ -68,7 +73,7 @@ private Func<
             X509Chain,
             SslPolicyErrors,
             bool>? _serverCertificateValidationCallback;
-        private bool _checkCertificateRevocationList;
+        private bool _checkCertificateRevocationList = DefaultCertificateRevocationCheck;
         private ClientCertificateOption _clientCertificateOption = ClientCertificateOption.Manual;
         private X509Certificate2Collection? _clientCertificates; // Only create collection when required.
         private ICredentials? _serverCredentials;

src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/System.Net.Http.WinHttpHandler.Unit.Tests.csproj

@@ -24,6 +24,8 @@
              Link="Common\Interop\Windows\WinHttp\Interop.SafeWinHttpHandle.cs" />
     <Compile Include="$(CommonPath)Interop\Windows\WinHttp\Interop.winhttp_types.cs"
              Link="Common\Interop\Windows\WinHttp\Interop.winhttp_types.cs" />
+    <Compile Include="$(CommonPath)System\AppContextSwitchHelper.cs"
+             Link="Common\System\AppContextSwitchHelper.cs" />
     <Compile Include="$(CommonPath)System\CharArrayHelpers.cs"
              Link="Common\System\CharArrayHelpers.cs" />
     <Compile Include="$(CommonPath)System\Obsoletions.cs"

src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/WinHttpHandlerTest.cs

@@ -45,7 +45,7 @@ public void Ctor_ExpectedDefaultPropertyValues()
             Assert.Equal(CookieUsePolicy.UseInternalCookieStoreOnly, handler.CookieUsePolicy);
             Assert.Null(handler.CookieContainer);
             Assert.Null(handler.ServerCertificateValidationCallback);
-            Assert.False(handler.CheckCertificateRevocationList);
+            Assert.True(handler.CheckCertificateRevocationList);
             Assert.Equal(ClientCertificateOption.Manual, handler.ClientCertificateOption);
             X509Certificate2Collection certs = handler.ClientCertificates;
             Assert.True(certs.Count == 0);