Fix memory leaks in CertificateManager by improving certificate disposal patterns

[Copilot]

Fixed memory leaks in the CertificateManager class where X509Certificate2 objects were not being properly disposed in several code paths, as identified by static analysis.

Issues Fixed

ImportCertificate method:

• Certificate objects were not disposed when validation failed (subject mismatch or not a development certificate)
• Certificate objects were not disposed when SaveCertificate threw an exception
• Certificate objects were not disposed on successful completion
• Certificate objects were not disposed when certificate loading failed but a certificate object may have been partially created

EnsureAspNetCoreHttpsDevelopmentCertificate method:

• Certificate objects were not disposed before early returns in error cases during save, export, and trust operations
• The certificates collection containing all loaded certificates was not being disposed in early exit cases, causing memory leaks

Changes Made

1. Refactored ImportCertificate to use try-finally pattern: Replaced scattered disposal calls with a cleaner, more robust try-finally pattern that ensures the certificate is always disposed regardless of the exit path.

2. Fixed SaveCertificate usage pattern: Updated to assign the return value of SaveCertificate back to the certificate variable, matching the pattern used elsewhere in the codebase.

3. Added certificate disposal in EnsureAspNetCoreHttpsDevelopmentCertificate: Added proper certificate disposal before early returns in error cases for SaveCertificate, ExportCertificate, and TrustCertificate operations.

4. Fixed certificate collection disposal pattern: Updated the certificate loading and disposal pattern to follow the same approach as ListCertificates:

   • Materialize certificate collections early with .ToList() to prevent LINQ deferred execution issues
   • Dispose unused certificates immediately after filtering
   • Dispose remaining certificates in all early exit cases

5. Corrected certificate disposal logic: Fixed disposal logic to only dispose the certificate if it's a new certificate (isNewCertificate == true). If the certificate came from the existing certificates collection, it will be disposed as part of DisposeCertificates(certificates), following the original disposal pattern: DisposeCertificates(!isNewCertificate ? certificates : certificates.Append(certificate)).

Verification

• All certificate manager tests continue to pass (18/18)
• All shared library tests pass
• Reviewed other certificate creation sites in the codebase and confirmed they handle disposal correctly
• Fixed specific test failure caused by accessing disposed certificate properties during LINQ enumeration

The fix ensures proper resource cleanup in all code paths while maintaining existing functionality and following established patterns in the codebase.

Fixes #59538

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull Request Overview

This PR fixes a memory leak in the ImportCertificate method by adding proper disposal of X509Certificate2 objects in all code paths. The changes ensure that certificate resources are cleaned up whether the method succeeds, fails validation, or encounters exceptions.

Key Changes

• Added proper disposal on validation failure and save failure scenarios
• Added disposal after successful completion
• Added disposal in exception handling for certificate loading failures
• Updated SaveCertificate usage to match established patterns in the codebase

[BrennanConroy]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).