dotnet · PranavSenthilnathan · Jun 14, 2025 · Jun 15, 2025 · Jun 15, 2025 · Jun 15, 2025
diff --git a/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptExportKey.cs b/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptExportKey.cs
@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Diagnostics;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 
@@ -36,10 +37,78 @@ internal static ArraySegment<byte> BCryptExportKey(SafeBCryptKeyHandle key, stri
 
             if (ntStatus != NTSTATUS.STATUS_SUCCESS)
             {
+                CryptoPool.Return(rented);
                 throw CreateCryptographicException(ntStatus);
             }
 
             return new ArraySegment<byte>(rented, 0, numBytesNeeded);
         }
+
+        internal static T BCryptExportKey<T>(SafeBCryptKeyHandle key, string blobType, Func<byte[], T> callback)
+        {
+            int numBytesNeeded;
+            NTSTATUS ntStatus = BCryptExportKey(key, IntPtr.Zero, blobType, null, 0, out numBytesNeeded, 0);
+
+            if (ntStatus != NTSTATUS.STATUS_SUCCESS)
+            {
+                throw CreateCryptographicException(ntStatus);
+            }
+
+            // Array must be precisely-sized, so no renting.
+            byte[] destination = new byte[numBytesNeeded];
+
+            using (PinAndClear.Track(destination))
+            {
+                ntStatus = BCryptExportKey(key, IntPtr.Zero, blobType, destination, numBytesNeeded, out numBytesNeeded, 0);
+
+                if (ntStatus != NTSTATUS.STATUS_SUCCESS)
+                {
+                    throw CreateCryptographicException(ntStatus);
+                }
+
+                if (numBytesNeeded != destination.Length)
+                {
+                    Debug.Fail("Written byte count does not match required byte count.");
+                    throw new CryptographicException();
+                }
+
+                return callback(destination);
+            }
+        }
+
+        internal delegate T ExportKeyCallback<T>(ReadOnlySpan<byte> keyBytes);
+
+        internal static T BCryptExportKey<T>(SafeBCryptKeyHandle key, string blobType, ExportKeyCallback<T> callback)
+        {
+            int numBytesNeeded;
+            NTSTATUS ntStatus = BCryptExportKey(key, IntPtr.Zero, blobType, null, 0, out numBytesNeeded, 0);
+
+            if (ntStatus != NTSTATUS.STATUS_SUCCESS)
+            {
+                throw CreateCryptographicException(ntStatus);
+            }
+
+            byte[] rented = CryptoPool.Rent(numBytesNeeded);
+
+            try
+            {
+                using (PinAndClear.Track(rented))
+                {
+                    ntStatus = BCryptExportKey(key, IntPtr.Zero, blobType, rented, numBytesNeeded, out numBytesNeeded, 0);
+
+                    if (ntStatus != NTSTATUS.STATUS_SUCCESS)
+                    {
+                        throw CreateCryptographicException(ntStatus);
+                    }
+
+                    return callback(rented.AsSpan(0, numBytesNeeded));
+                }
+            }
+            finally
+            {
+                // PinAndClear will clear
+                CryptoPool.Return(rented, clearSize: 0);
+            }
+        }
     }
 }
diff --git a/src/libraries/Common/src/Interop/Windows/NCrypt/Interop.SignVerify.cs b/src/libraries/Common/src/Interop/Windows/NCrypt/Interop.SignVerify.cs
@@ -23,6 +23,15 @@ internal static unsafe ErrorCode NCryptSignHash(SafeNCryptKeyHandle hKey, void*
         }
 
         [LibraryImport(Libraries.NCrypt, StringMarshalling = StringMarshalling.Utf16)]
-        internal static unsafe partial ErrorCode NCryptVerifySignature(SafeNCryptKeyHandle hKey, void* pPaddingInfo, ReadOnlySpan<byte> pbHashValue, int cbHashValue, ReadOnlySpan<byte> pbSignature, int cbSignature, AsymmetricPaddingMode dwFlags);
+        private static unsafe partial ErrorCode NCryptVerifySignature(SafeNCryptKeyHandle hKey, void* pPaddingInfo, byte* pbHashValue, int cbHashValue, byte* pbSignature, int cbSignature, AsymmetricPaddingMode dwFlags);
+
+        internal static unsafe ErrorCode NCryptVerifySignature(SafeNCryptKeyHandle hKey, void* pPaddingInfo, ReadOnlySpan<byte> pbHashValue, int cbHashValue, ReadOnlySpan<byte> pbSignature, int cbSignature, AsymmetricPaddingMode dwFlags)
+        {
+            fixed (byte* pHash = &Helpers.GetNonNullPinnableReference(pbHashValue))
+            fixed (byte* pSignature = &Helpers.GetNonNullPinnableReference(pbSignature))
+            {
+                return NCryptVerifySignature(hKey, pPaddingInfo, pHash, cbHashValue, pSignature, cbSignature, dwFlags);
+            }
+        }
     }
 }
diff --git a/...rity/Cryptography/CngCommon.SignVerify.cs → ...ity/Cryptography/CngHelpers.SignVerify.cs b/...rity/Cryptography/CngCommon.SignVerify.cs → ...ity/Cryptography/CngHelpers.SignVerify.cs
@@ -1,16 +1,14 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
 using System.Diagnostics;
-using Internal.Cryptography;
 using Microsoft.Win32.SafeHandles;
 using AsymmetricPaddingMode = Interop.NCrypt.AsymmetricPaddingMode;
 using ErrorCode = Interop.NCrypt.ErrorCode;
 
 namespace System.Security.Cryptography
 {
-    internal static partial class CngCommon
+    internal static partial class CngHelpers
     {
         private const int StatusUnsuccessfulRetryCount = 1;