dotnet · stephentoub · Jul 18, 2021 · Jul 15, 2021 · Jul 16, 2021
diff --git a/src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs b/src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs
@@ -198,8 +198,7 @@ internal static unsafe Pkcs8Response ImportEncryptedPkcs8PrivateKey(
                         }
                         finally
                         {
-                            CryptographicOperations.ZeroMemory(decryptedSpan);
-                            CryptoPool.Return(decrypted.Array!);
+                            CryptoPool.Return(decrypted);
                         }
                     }
                     catch (AsnContentException e)
@@ -277,8 +276,7 @@ internal static unsafe Pkcs8Response ImportEncryptedPkcs8PrivateKey(
                         }
                         finally
                         {
-                            CryptographicOperations.ZeroMemory(decryptedSpan);
-                            CryptoPool.Return(decrypted.Array!, clearSize: 0);
+                            CryptoPool.Return(decrypted);
                         }
                     }
                 }

diff --git a/src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs b/src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs
@@ -189,20 +189,19 @@ private static AsnWriter WriteEncryptedPkcs8(
                 out string encryptionAlgorithmOid,
                 out bool isPkcs12);
 
-            byte[]? encryptedRent = null;
             Span<byte> encryptedSpan = default;
             AsnWriter? writer = null;
 
-            try
-            {
-                Debug.Assert(cipher.BlockSize <= 128, $"Encountered unexpected block size: {cipher.BlockSize}");
-                Span<byte> iv = stackalloc byte[cipher.BlockSize / 8];
-                Span<byte> salt = stackalloc byte[16];
+            Debug.Assert(cipher.BlockSize <= 128, $"Encountered unexpected block size: {cipher.BlockSize}");
+            Span<byte> iv = stackalloc byte[cipher.BlockSize / 8];
+            Span<byte> salt = stackalloc byte[16];
 
-                // We need at least one block size beyond the input data size.
-                encryptedRent = CryptoPool.Rent(
-                    checked(pkcs8Writer.GetEncodedLength() + (cipher.BlockSize / 8)));
+            // We need at least one block size beyond the input data size.
+            byte[] encryptedRent = CryptoPool.Rent(
+                checked(pkcs8Writer.GetEncodedLength() + (cipher.BlockSize / 8)));
 
+            try
+            {
                 RandomNumberGenerator.Fill(salt);
 
                 int written = PasswordBasedEncryption.Encrypt(
@@ -242,7 +241,7 @@ private static AsnWriter WriteEncryptedPkcs8(
             finally
             {
                 CryptographicOperations.ZeroMemory(encryptedSpan);
-                CryptoPool.Return(encryptedRent!, clearSize: 0);
+                CryptoPool.Return(encryptedRent, clearSize: 0);
 
                 cipher.Dispose();
             }
@@ -348,8 +347,7 @@ internal static AsnWriter ReencryptPkcs8(
             }
             finally
             {
-                CryptographicOperations.ZeroMemory(decrypted);
-                CryptoPool.Return(decrypted.Array!, clearSize: 0);
+                CryptoPool.Return(decrypted);
             }
         }
 
@@ -385,8 +383,7 @@ internal static AsnWriter ReencryptPkcs8(
             }
             finally
             {
-                CryptographicOperations.ZeroMemory(decrypted);
-                CryptoPool.Return(decrypted.Array!, clearSize: 0);
+                CryptoPool.Return(decrypted);
             }
         }
     }

diff --git a/src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs b/src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs
@@ -84,12 +84,11 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
                 SafeRsaHandle key = GetKey();
 
                 int rsaSize = Interop.AndroidCrypto.RsaSize(key);
-                byte[]? buf = null;
                 Span<byte> destination = default;
+                byte[] buf = CryptoPool.Rent(rsaSize);
 
                 try
                 {
-                    buf = CryptoPool.Rent(rsaSize);
                     destination = new Span<byte>(buf, 0, rsaSize);
 
                     if (!TryDecrypt(key, data, destination, rsaPadding, oaepProcessor, out int bytesWritten))
@@ -103,7 +102,7 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
                 finally
                 {
                     CryptographicOperations.ZeroMemory(destination);
-                    CryptoPool.Return(buf!, clearSize: 0);
+                    CryptoPool.Return(buf, clearSize: 0);
                 }
             }
 

diff --git a/src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs b/src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs
@@ -87,12 +87,11 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
             ValidatePadding(padding);
             SafeEvpPKeyHandle key = GetKey();
             int rsaSize = Interop.Crypto.EvpPKeySize(key);
-            byte[]? buf = null;
             Span<byte> destination = default;
+            byte[] buf = CryptoPool.Rent(rsaSize);
 
             try
             {
-                buf = CryptoPool.Rent(rsaSize);
                 destination = new Span<byte>(buf, 0, rsaSize);
 
                 int bytesWritten = Decrypt(key, data, destination, padding);
@@ -101,7 +100,7 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
             finally
             {
                 CryptographicOperations.ZeroMemory(destination);
-                CryptoPool.Return(buf!, clearSize: 0);
+                CryptoPool.Return(buf, clearSize: 0);
             }
         }
 

diff --git a/...m.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Pkcs8PrivateKeyInfo.cs b/...m.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Pkcs8PrivateKeyInfo.cs
@@ -197,8 +197,7 @@ public static Pkcs8PrivateKeyInfo DecryptAndDecode(
             }
             finally
             {
-                CryptographicOperations.ZeroMemory(decryptedMemory.Span);
-                CryptoPool.Return(decrypted.Array!, clearSize: 0);
+                CryptoPool.Return(decrypted);
             }
         }
 
@@ -229,8 +228,7 @@ public static Pkcs8PrivateKeyInfo DecryptAndDecode(
             }
             finally
             {
-                CryptographicOperations.ZeroMemory(decryptedMemory.Span);
-                CryptoPool.Return(decrypted.Array!, clearSize: 0);
+                CryptoPool.Return(decrypted);
             }
         }
 

diff --git a/...rity.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/UnixPkcs12Reader.cs b/...rity.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/UnixPkcs12Reader.cs
@@ -786,7 +786,7 @@ private AsymmetricAlgorithm LoadKey(SafeBagAsn safeBag, ReadOnlySpan<char> passw
                 }
                 finally
                 {
-                    CryptoPool.Return(decrypted.Array!, clearSize: decrypted.Count);
+                    CryptoPool.Return(decrypted);
                 }
             }
-Original file line number
+Diff line change
@@ Expand Up @@
                     }
                     finally
                     {
-                        CryptoPool.Return(decrypted.Array!, clearSize: decrypted.Count);
+                        CryptoPool.Return(decrypted);
                     }
                 }
@@ Expand Down @@