[WinHTTP] Certificate caching on WinHttpHandler to eliminate extra call to Custom Certificate Validation

src/libraries/Common/src/Interop/Windows/WinHttp/Interop.winhttp_types.cs

@@ -336,6 +336,14 @@ public struct WINHTTP_ASYNC_RESULT
             public uint dwError;
         }
 
+        [StructLayout(LayoutKind.Sequential)]
+        public unsafe struct WINHTTP_CONNECTION_INFO
+        {
+            public uint cbSize;
+            public uint __alignment;
+            public fixed byte LocalAddress[128];
+            public fixed byte RemoteAddress[128];
+        }
 
         [StructLayout(LayoutKind.Sequential)]
         public struct tcp_keepalive

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -1644,7 +1644,8 @@ private void SetStatusCallback(
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_ALL_COMPLETIONS |
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_HANDLES |
                 Interop.WinHttp.WINHTTP_CALLBACK_FLAG_REDIRECT |
-                Interop.WinHttp.WINHTTP_CALLBACK_FLAG_SEND_REQUEST;
+                Interop.WinHttp.WINHTTP_CALLBACK_FLAG_SEND_REQUEST |
+                Interop.WinHttp.WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER;
 
             IntPtr oldCallback = Interop.WinHttp.WinHttpSetStatusCallback(
                 requestHandle,

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpRequestCallback.cs

@@ -2,9 +2,12 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Buffers.Binary;
+using System.Collections.Concurrent;
 using System.Diagnostics;
 using System.IO;
 using System.Net.Security;
+using System.Net.Sockets;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
 
@@ -20,6 +23,8 @@ internal static class WinHttpRequestCallback
         public static Interop.WinHttp.WINHTTP_STATUS_CALLBACK StaticCallbackDelegate =
             new Interop.WinHttp.WINHTTP_STATUS_CALLBACK(WinHttpCallback);
 
+        private static ConcurrentDictionary<IPAddress, string> s_cachedCertificates = new();
+
         public static void WinHttpCallback(
             IntPtr handle,
             IntPtr context,
@@ -56,6 +61,11 @@ private static void RequestCallback(
             {
                 switch (internetStatus)
                 {
+                    case Interop.WinHttp.WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER:
+                        IPAddress connectedToIPAddress = IPAddress.Parse(Marshal.PtrToStringUni(statusInformation)!);
+                        OnRequestConnectedToServer(connectedToIPAddress);
+                        return;
+
                     case Interop.WinHttp.WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING:
                         OnRequestHandleClosing(state);
                         return;
@@ -121,6 +131,18 @@ private static void RequestCallback(
             }
         }
 
+        private static void OnRequestConnectedToServer(IPAddress connectedIPAddress)
+        {
+            if (s_cachedCertificates.TryRemove(connectedIPAddress, out _))
+            {
+                if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(null, $"Removed cached certificate for {connectedIPAddress}");
+            }
+            else
+            {
+                if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(null, $"No cached certificate for {connectedIPAddress} to remove");
+            }
+        }
+
         private static void OnRequestHandleClosing(WinHttpRequestState state)
         {
             Debug.Assert(state != null, "OnRequestSendRequestComplete: state is null");
@@ -279,6 +301,48 @@ private static void OnRequestSendingRequest(WinHttpRequestState state)
                 var serverCertificate = new X509Certificate2(certHandle);
                 Interop.Crypt32.CertFreeCertificateContext(certHandle);
 
+                IPAddress? ipAddress = null;
+                unsafe
+                {
+                    Interop.WinHttp.WINHTTP_CONNECTION_INFO connectionInfo;
+                    Interop.WinHttp.WINHTTP_CONNECTION_INFO* pConnectionInfo = &connectionInfo;
+                    uint infoSize = (uint)sizeof(Interop.WinHttp.WINHTTP_CONNECTION_INFO);
+                    if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"sizeof(WINHTTP_CONNECTION_INFO)={infoSize}");
+                    if (Interop.WinHttp.WinHttpQueryOption(
+                        state.RequestHandle,
+                        Interop.WinHttp.WINHTTP_OPTION_CONNECTION_INFO,
+                        (IntPtr)pConnectionInfo,
+                        ref infoSize))
+                    {
+                        ReadOnlySpan<byte> RemoteAddressSpan = new ReadOnlySpan<byte>(connectionInfo.RemoteAddress, 128);
+                        AddressFamily addressFamily = (AddressFamily)BitConverter.ToInt16(RemoteAddressSpan.ToArray(), 0);
+                        ipAddress = addressFamily switch
+                        {
+                            AddressFamily.InterNetwork => new IPAddress(BinaryPrimitives.ReadUInt32LittleEndian(RemoteAddressSpan.Slice(4))),
+                            AddressFamily.InterNetworkV6 => new IPAddress(RemoteAddressSpan.Slice(8, 16).ToArray()),
+                            _ => null
+                        };
+                        if (ipAddress != null && NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"ipAddress: {ipAddress}");
+
+                    }
+                    else
+                    {
+                        int lastError = Marshal.GetLastWin32Error();
+                        if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(state, $"Error getting WINHTTP_OPTION_CONNECTION_INFO, {lastError}");
+                    }
+                }
+
+                if (ipAddress is not null && s_cachedCertificates.TryGetValue(ipAddress, out string? thumbprint) && thumbprint == serverCertificate.Thumbprint)
+                {
+                    if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"Skipping certificate validation. ipAddress: {ipAddress}, Thumbprint: {serverCertificate.Thumbprint}");
+                    serverCertificate.Dispose();
+                    return;
+                }
+                else
+                {
+                    if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(state, $"Certificate validation is required! IPAddress = {ipAddress}, Thumbprint: {serverCertificate.Thumbprint}");
+                }
+
                 X509Chain? chain = null;
                 SslPolicyErrors sslPolicyErrors;
                 bool result = false;
@@ -298,6 +362,10 @@ private static void OnRequestSendingRequest(WinHttpRequestState state)
                         serverCertificate,
                         chain,
                         sslPolicyErrors);
+                    if (result && ipAddress is not null)
+                    {
+                        s_cachedCertificates[ipAddress] = serverCertificate.Thumbprint;
+                    }
                 }
                 catch (Exception ex)
                 {

src/libraries/System.Net.Http.WinHttpHandler/tests/FunctionalTests/WinHttpHandlerTest.cs

@@ -9,7 +9,7 @@
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
-
+using TestUtilities;
 using Xunit;
 using Xunit.Abstractions;
 
@@ -46,6 +46,66 @@ public void SendAsync_SimpleGet_Success()
             }
         }
 
+        [OuterLoop]
+        [Fact]
+        public async Task SendAsync_ServerCertificateValidationCallback_CalledOnce()
+        {
+            using TestEventListener listener = new TestEventListener(_output, TestEventListener.NetworkingEvents);
+            int callbackCount = 0;
+            var handler = new WinHttpHandler()
+            {
+                ServerCertificateValidationCallback = (m, cert, chain, err) =>
+                {
+                    Interlocked.Increment(ref callbackCount);
+                    return true;
+                }
+            };
+            using (var client = new HttpClient(handler))
+            {
+                for (int i = 0; i < 5; i++)
+                {
+                    var response = await client.SendAsync(new HttpRequestMessage(HttpMethod.Get, Configuration.Http.SecureRemoteEchoServer)
+                    {
+                        Version = HttpVersion.Version11
+                    });
+                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+                    _ = await response.Content.ReadAsStringAsync();
+                }
+                Assert.Equal(1, callbackCount);
+            }
+        }
+
+        [OuterLoop]
+        [Fact]
+        public async Task SendAsync_ServerCertificateValidationCallbackHttp2_CalledOnce()
+        {
+            using TestEventListener testEventListener = new TestEventListener(_output, TestEventListener.NetworkingEvents);
+            int callbackCount = 0;
+
+
+            var handler = new WinHttpHandler()
+            {
+                ServerCertificateValidationCallback = (m, cert, chain, err) =>
+                {
+                    Interlocked.Increment(ref callbackCount);
+                    return true;
+                }
+            };
+            using (var client = new HttpClient(handler))
+            {
+                for (int i = 0; i < 5; i++)
+                {
+                    var response = await client.SendAsync(new HttpRequestMessage(HttpMethod.Get, System.Net.Test.Common.Configuration.Http.Http2RemoteEchoServer)
+                    {
+                        Version = HttpVersion20.Value
+                    });
+                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+                    _ = await response.Content.ReadAsStringAsync();
+                }
+                Assert.Equal(1, callbackCount);
+            }
+        }
+
         [OuterLoop]
         [Theory]
         [InlineData(CookieUsePolicy.UseInternalCookieStoreOnly, "cookieName1", "cookieValue1")]