Question: do I need to dispose the X509Certificate2 elements in an X509Chain myself?

[drauch]

I've experienced that the following code works just fine:

var x509Chain = new X509Chain();
x509Chain.Build(someCert);

var certs = x509Chain.ChainElements.Select(ce => ce.Certificate).ToList();
x509Chain.Dispose();

// make use of certs, even calling methods like GetRSAPublicKey() does not throw

It looks like the X509Certificate2 objects inside a chain are not disposed with the chain. Is that so? Do I need to dispose them myself when I dispose the chain to do proper cleanup?

Best regards,
D.R.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[vcsjones]

It looks like the X509Certificate2 objects inside a chain are not disposed with the chain. Is that so?

Correct.

You can see that in places we use X509Chain ourselves, we dispose of the chain elements, like here:

runtime/src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs

Lines 736 to 744 in bfc8814

	finally
	{
	for (int i = 0; i < chain.ChainElements.Count; i++)
	{
	chain.ChainElements[i].Certificate.Dispose();
	}
	chain.Dispose();
	}

Do I need to dispose them myself when I dispose the chain to do proper cleanup?

Calling Dispose on them will make the freeing of native resources deterministic, as well as keep down the amount of work the .NET Finalizer does during garbage collection. If you can dispose of them, you should.

Some possible follow up questions, answered.

Is it a memory leak if I don't dispose of the chain elements?

No, they will be cleaned up by a finalizer for the underlying certificate PAL.

Why not dispose of the chain elements when X509Chain is disposed?

This is how .NET Framework does it, so it has been this way for a long time. Changing it now would be a breaking change (because if we did dispose of the chain elements, then they would become unusable after the chain is disposed, which some people may, and likely, have a dependency on).

[drauch]

Thank you for your detailed answer!

As a small suggestion: this should probably be documented in the X509Chain class docs.

[Clockwork-Muse]

(sorry, fat fingered something on my phone)

Changing it now would be a breaking change (because if we did dispose of the chain elements, then they would become unusable after the chain is disposed, which some people may, and likely, have a dependency on).

In particular, with a certificate chain it's quite likely that multiple chains will be built with the same root certificate, and if disposing of the chain disposed of all certificates it would force reloading of the root (and intermediate) certificates.

[vcsjones]

As a small suggestion: this should probably be documented in the X509Chain class docs.

That's probably reasonable. Where would you generally expect to see this documented? There are a couple of places that are reasonable

• In "Remarks" on X509Chain class
• In "Remarks" on X509Chain.ChainElements property
• In "Remarks" on X509Chain.Dispose method

[drauch]

@vcsjones I looked at all those places, so it wouldn't have mattered much. Foremost I guess on the X509Chain class itself.