Only call IsSelfSigned() once (#39877)

martincostello · web-flow · commit 4515ffa19ee2 · 2022-01-31T10:15:31.000-08:00
diff --git a/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs b/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs
@@ -118,9 +118,11 @@ private async Task<CertificateAuthenticationFailedContext> HandleFailureAsync(Ex
 
     private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2 clientCertificate)
     {
+        var isCertificateSelfSigned = clientCertificate.IsSelfSigned();
+
         // If we have a self signed cert, and they're not allowed, exit early and not bother with
         // any other validations.
-        if (clientCertificate.IsSelfSigned() &&
+        if (isCertificateSelfSigned &&
             !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned))
         {
             Logger.CertificateRejected("Self signed", clientCertificate.Subject);
@@ -129,14 +131,14 @@ private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2
 
         // If we have a chained cert, and they're not allowed, exit early and not bother with
         // any other validations.
-        if (!clientCertificate.IsSelfSigned() &&
+        if (!isCertificateSelfSigned &&
             !Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained))
         {
             Logger.CertificateRejected("Chained", clientCertificate.Subject);
             return AuthenticateResult.Fail("Options do not allow chained certificates.");
         }
 
-        var chainPolicy = BuildChainPolicy(clientCertificate);
+        var chainPolicy = BuildChainPolicy(clientCertificate, isCertificateSelfSigned);
         using var chain = new X509Chain
         {
             ChainPolicy = chainPolicy
@@ -186,13 +188,13 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
         await HandleForbiddenAsync(properties);
     }
 
-    private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate)
+    private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate, bool isCertificateSelfSigned)
     {
         // Now build the chain validation options.
         X509RevocationFlag revocationFlag = Options.RevocationFlag;
         X509RevocationMode revocationMode = Options.RevocationMode;
 
-        if (certificate.IsSelfSigned())
+        if (isCertificateSelfSigned)
         {
             // Turn off chain validation, because we have a self signed certificate.
             revocationFlag = X509RevocationFlag.EntireChain;
@@ -210,7 +212,7 @@ private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate)
             chainPolicy.ApplicationPolicy.Add(ClientCertificateOid);
         }
 
-        if (certificate.IsSelfSigned())
+        if (isCertificateSelfSigned)
         {
             chainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority;
             chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown;

Original file line number	Diff line number	Diff line change
`@@ -118,9 +118,11 @@ private async Task<CertificateAuthenticationFailedContext> HandleFailureAsync(Ex`
`118`	`118`
`119`	`119`	`private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2 clientCertificate)`
`120`	`120`	`{`
	`121`	`+ var isCertificateSelfSigned = clientCertificate.IsSelfSigned();`
	`122`	`+`
`121`	`123`	`// If we have a self signed cert, and they're not allowed, exit early and not bother with`
`122`	`124`	`// any other validations.`
`123`		`- if (clientCertificate.IsSelfSigned() &&`
	`125`	`+ if (isCertificateSelfSigned &&`
`124`	`126`	`!Options.AllowedCertificateTypes.HasFlag(CertificateTypes.SelfSigned))`
`125`	`127`	`{`
`126`	`128`	`Logger.CertificateRejected("Self signed", clientCertificate.Subject);`
`@@ -129,14 +131,14 @@ private async Task<AuthenticateResult> ValidateCertificateAsync(X509Certificate2`
`129`	`131`
`130`	`132`	`// If we have a chained cert, and they're not allowed, exit early and not bother with`
`131`	`133`	`// any other validations.`
`132`		`- if (!clientCertificate.IsSelfSigned() &&`
	`134`	`+ if (!isCertificateSelfSigned &&`
`133`	`135`	`!Options.AllowedCertificateTypes.HasFlag(CertificateTypes.Chained))`
`134`	`136`	`{`
`135`	`137`	`Logger.CertificateRejected("Chained", clientCertificate.Subject);`
`136`	`138`	`return AuthenticateResult.Fail("Options do not allow chained certificates.");`
`137`	`139`	`}`
`138`	`140`
`139`		`- var chainPolicy = BuildChainPolicy(clientCertificate);`
	`141`	`+ var chainPolicy = BuildChainPolicy(clientCertificate, isCertificateSelfSigned);`
`140`	`142`	`using var chain = new X509Chain`
`141`	`143`	`{`
`142`	`144`	`ChainPolicy = chainPolicy`
`@@ -186,13 +188,13 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop`
`186`	`188`	`await HandleForbiddenAsync(properties);`
`187`	`189`	`}`
`188`	`190`
`189`		`- private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate)`
	`191`	`+ private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate, bool isCertificateSelfSigned)`
`190`	`192`	`{`
`191`	`193`	`// Now build the chain validation options.`
`192`	`194`	`X509RevocationFlag revocationFlag = Options.RevocationFlag;`
`193`	`195`	`X509RevocationMode revocationMode = Options.RevocationMode;`
`194`	`196`
`195`		`- if (certificate.IsSelfSigned())`
	`197`	`+ if (isCertificateSelfSigned)`
`196`	`198`	`{`
`197`	`199`	`// Turn off chain validation, because we have a self signed certificate.`
`198`	`200`	`revocationFlag = X509RevocationFlag.EntireChain;`
`@@ -210,7 +212,7 @@ private X509ChainPolicy BuildChainPolicy(X509Certificate2 certificate)`
`210`	`212`	`chainPolicy.ApplicationPolicy.Add(ClientCertificateOid);`
`211`	`213`	`}`
`212`	`214`
`213`		`- if (certificate.IsSelfSigned())`
	`215`	`+ if (isCertificateSelfSigned)`
`214`	`216`	`{`
`215`	`217`	`chainPolicy.VerificationFlags \|= X509VerificationFlags.AllowUnknownCertificateAuthority;`
`216`	`218`	`chainPolicy.VerificationFlags \|= X509VerificationFlags.IgnoreEndRevocationUnknown;`