Revert "Merge pull request #142 from microsoft/dev/mclayton/update-addCleanup" (#146)

michelle-clayton-work · Michelle Clayton · web-flow · commit 505937f01aa7 · 2026-02-23T21:24:10.000Z
This reverts commit b3072ea, reversing changes made to 7f762f5. Co-authored-by: Michelle Clayton <mclayton@microsoft.com>
diff --git a/cng/aes.go b/cng/aes.go
@@ -30,10 +30,14 @@ func NewAESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &aesCipher{kh: kh, key: bytes.Clone(key)}
-	addCleanupKey(c, kh)
+	runtime.SetFinalizer(c, (*aesCipher).finalize)
 	return c, nil
 }
 
+func (c *aesCipher) finalize() {
+	bcrypt.DestroyKey(c.kh)
+}
+
 func (c *aesCipher) BlockSize() int { return aesBlockSize }
 
 // validateAndClipInputs checks that dst and src meet the [cipher.Block]
@@ -161,11 +165,15 @@ func newCBC(encrypt bool, alg string, key, iv []byte) *cbcCipher {
 		panic(err)
 	}
 	x := &cbcCipher{kh: kh, encrypt: encrypt, blockSize: blockSize}
-	addCleanupKey(x, kh)
+	runtime.SetFinalizer(x, (*cbcCipher).finalize)
 	x.SetIV(iv)
 	return x
 }
 
+func (x *cbcCipher) finalize() {
+	bcrypt.DestroyKey(x.kh)
+}
+
 func (x *cbcCipher) BlockSize() int { return x.blockSize }
 
 func (x *cbcCipher) CryptBlocks(dst, src []byte) {
@@ -239,13 +247,17 @@ type aesGCM struct {
 	maskInitialized bool
 }
 
+func (g *aesGCM) finalize() {
+	bcrypt.DestroyKey(g.kh)
+}
+
 func newGCM(key []byte, tls cipherGCMTLS) (*aesGCM, error) {
 	kh, err := newCipherHandle(bcrypt.AES_ALGORITHM, bcrypt.CHAIN_MODE_GCM, key)
 	if err != nil {
 		return nil, err
 	}
 	g := &aesGCM{kh: kh, tls: tls}
-	addCleanupKey(g, kh)
+	runtime.SetFinalizer(g, (*aesGCM).finalize)
 	return g, nil
 }
 
diff --git a/cng/chacha20poly1305.go b/cng/chacha20poly1305.go
@@ -40,10 +40,16 @@ func NewChaCha20Poly1305(key []byte) (cipher.AEAD, error) {
 		return nil, err
 	}
 	c := &chacha20poly1305{kh: kh}
-	addCleanupKey(c, kh)
+	runtime.SetFinalizer(c, (*chacha20poly1305).finalize)
 	return c, nil
 }
 
+func (c *chacha20poly1305) finalize() {
+	if c.kh != 0 {
+		bcrypt.DestroyKey(c.kh)
+	}
+}
+
 func (c *chacha20poly1305) NonceSize() int {
 	return chacha20Poly1305NonceSize
 }
diff --git a/cng/des.go b/cng/des.go
@@ -29,7 +29,7 @@ func NewDESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}
-	addCleanupKey(c, kh)
+	runtime.SetFinalizer(c, (*desCipher).finalize)
 	return c, nil
 }
 
@@ -39,10 +39,14 @@ func NewTripleDESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}
-	addCleanupKey(c, kh)
+	runtime.SetFinalizer(c, (*desCipher).finalize)
 	return c, nil
 }
 
+func (c *desCipher) finalize() {
+	bcrypt.DestroyKey(c.kh)
+}
+
 func (c *desCipher) BlockSize() int { return desBlockSize }
 
 func (c *desCipher) Encrypt(dst, src []byte) {
diff --git a/cng/dsa.go b/cng/dsa.go
@@ -96,6 +96,10 @@ type PrivateKeyDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
 
+func (k *PrivateKeyDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
 // PublicKeyDSA represents a DSA public key.
 type PublicKeyDSA struct {
 	DSAParameters
@@ -104,6 +108,10 @@ type PublicKeyDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
 
+func (k *PublicKeyDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
 // GenerateKeyDSA generates a new private DSA key using the given parameters.
 func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {
 	h, err := loadDSA()
@@ -147,7 +155,7 @@ func NewPrivateKeyDSA(params DSAParameters, X, Y BigInt) (*PrivateKeyDSA, error)
 		return nil, err
 	}
 	k := &PrivateKeyDSA{params, X, Y, hkey}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)
 	return k, nil
 }
 
@@ -166,7 +174,7 @@ func NewPublicKeyDSA(params DSAParameters, Y BigInt) (*PublicKeyDSA, error) {
 		return nil, err
 	}
 	k := &PublicKeyDSA{params, Y, hkey}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)
 	return k, nil
 }
 
diff --git a/cng/ecdh.go b/cng/ecdh.go
@@ -58,11 +58,21 @@ type PublicKeyECDH struct {
 	priv *PrivateKeyECDH
 }
 
+func (k *PublicKeyECDH) finalize() {
+	if k.priv == nil {
+		bcrypt.DestroyKey(k.hkey)
+	}
+}
+
 type PrivateKeyECDH struct {
 	hkey   bcrypt.KEY_HANDLE
 	isNIST bool
 }
 
+func (k *PrivateKeyECDH) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
 func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
 	// First establish the shared secret.
 	var secret bcrypt.SECRET_HANDLE
@@ -128,7 +138,7 @@ func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
 	bytes = bytes[hdr.KeySize*2:]
 
 	k := &PrivateKeyECDH{hkey, isNIST(curve)}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
 	return k, bytes, nil
 }
 
@@ -163,7 +173,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
 		return nil, err
 	}
 	k := &PublicKeyECDH{hkey, append([]byte(nil), bytes...), nil}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
 	return k, nil
 }
 
@@ -192,7 +202,7 @@ func NewPrivateKeyECDH(curve string, key []byte) (*PrivateKeyECDH, error) {
 		return nil, err
 	}
 	k := &PrivateKeyECDH{hkey, nist}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
 	return k, nil
 }
 
@@ -210,9 +220,8 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
 		// Only include X.
 		bytes = data[:hdr.KeySize]
 	}
-	// No cleanup needed: pub.priv prevents k from being garbage collected,
-	// so k's cleanup will destroy the shared hkey when both are unreachable.
 	pub := &PublicKeyECDH{k.hkey, bytes, k}
+	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
 	return pub, nil
 }
 
diff --git a/cng/ecdh_test.go b/cng/ecdh_test.go
@@ -158,107 +158,3 @@ func hexDecode(t *testing.T, s string) []byte {
 	}
 	return b
 }
-
-func BenchmarkGenerateKeyECDH(b *testing.B) {
-	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
-		b.Run(curve, func(b *testing.B) {
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				_, _, err := cng.GenerateKeyECDH(curve)
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
-
-func BenchmarkECDH(b *testing.B) {
-	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
-		b.Run(curve, func(b *testing.B) {
-			aliceKey, _, err := cng.GenerateKeyECDH(curve)
-			if err != nil {
-				b.Fatal(err)
-			}
-			bobKey, _, err := cng.GenerateKeyECDH(curve)
-			if err != nil {
-				b.Fatal(err)
-			}
-			bobPub, err := bobKey.PublicKey()
-			if err != nil {
-				b.Fatal(err)
-			}
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				_, err := cng.ECDH(aliceKey, bobPub)
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
-
-func BenchmarkNewPrivateKeyECDH(b *testing.B) {
-	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
-		b.Run(curve, func(b *testing.B) {
-			_, privBytes, err := cng.GenerateKeyECDH(curve)
-			if err != nil {
-				b.Fatal(err)
-			}
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				_, err := cng.NewPrivateKeyECDH(curve, privBytes)
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
-
-func BenchmarkNewPublicKeyECDH(b *testing.B) {
-	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
-		b.Run(curve, func(b *testing.B) {
-			key, _, err := cng.GenerateKeyECDH(curve)
-			if err != nil {
-				b.Fatal(err)
-			}
-			pub, err := key.PublicKey()
-			if err != nil {
-				b.Fatal(err)
-			}
-			pubBytes := pub.Bytes()
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				_, err := cng.NewPublicKeyECDH(curve, pubBytes)
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
-
-func BenchmarkPublicKeyECDH(b *testing.B) {
-	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
-		b.Run(curve, func(b *testing.B) {
-			key, _, err := cng.GenerateKeyECDH(curve)
-			if err != nil {
-				b.Fatal(err)
-			}
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				_, err := key.PublicKey()
-				if err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
diff --git a/cng/ecdsa.go b/cng/ecdsa.go
@@ -90,10 +90,14 @@ func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
 		return nil, err
 	}
 	k := &PublicKeyECDSA{hkey}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)
 	return k, nil
 }
 
+func (k *PublicKeyECDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
 type PrivateKeyECDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
@@ -108,10 +112,14 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)
 		return nil, err
 	}
 	k := &PrivateKeyECDSA{hkey}
-	addCleanupKey(k, hkey)
+	runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)
 	return k, nil
 }
 
+func (k *PrivateKeyECDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
 // SignECDSA signs a hash (which should be the result of hashing a larger message),
 // using the private key, priv.
 //
diff --git a/cng/hash.go b/cng/hash.go
@@ -20,13 +20,6 @@ import (
 // maxHashSize is the size of SHA512 and SHA3_512, the largest hashes we support.
 const maxHashSize = 64
 
-// addCleanupHash attaches a cleanup function to ptr that will destroy ctx.
-func addCleanupHash[T any](ptr *T, ctx bcrypt.HASH_HANDLE) {
-	runtime.AddCleanup(ptr, func(ctx bcrypt.HASH_HANDLE) {
-		bcrypt.DestroyHash(ctx)
-	}, ctx)
-}
-
 // SupportsHash returns true if a hash.Hash implementation is supported for h.
 func SupportsHash(h crypto.Hash) bool {
 	switch h {
@@ -195,6 +188,10 @@ func newHash(id string) *Hash {
 	return &Hash{alg: mustLoadHash(id, bcrypt.ALG_NONE_FLAG)}
 }
 
+func (h *Hash) finalize() {
+	bcrypt.DestroyHash(h.ctx)
+}
+
 func (h *Hash) init() {
 	defer runtime.KeepAlive(h)
 	if h.ctx != 0 {
@@ -204,15 +201,15 @@ func (h *Hash) init() {
 	if err != nil {
 		panic(err)
 	}
-	addCleanupHash(h, h.ctx)
+	runtime.SetFinalizer(h, (*Hash).finalize)
 }
 
 func (h *Hash) Clone() (HashCloner, error) {
 	defer runtime.KeepAlive(h)
 	h2 := &Hash{alg: h.alg, key: bytes.Clone(h.key)}
 	if h.ctx != 0 {
 		hashClone(h.ctx, &h2.ctx)
-		addCleanupHash(h2, h2.ctx)
+		runtime.SetFinalizer(h2, (*Hash).finalize)
 	}
 	return h2, nil
 }
diff --git a/cng/keys.go b/cng/keys.go
@@ -8,19 +8,11 @@ package cng
 
 import (
 	"errors"
-	"runtime"
 	"unsafe"
 
 	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
 )
 
-// addCleanupKey attaches a cleanup function to ptr that will destroy kh.
-func addCleanupKey[T any](ptr *T, kh bcrypt.KEY_HANDLE) {
-	runtime.AddCleanup(ptr, func(kh bcrypt.KEY_HANDLE) {
-		bcrypt.DestroyKey(kh)
-	}, kh)
-}
-
 const (
 	sizeOfECCBlobHeader     = uint32(unsafe.Sizeof(bcrypt.ECCKEY_BLOB{}))
 	sizeOfRSABlobHeader     = uint32(unsafe.Sizeof(bcrypt.RSAKEY_BLOB{}))
diff --git a/cng/rc4.go b/cng/rc4.go
diff --git a/cng/rsa.go b/cng/rsa.go
diff --git a/cng/sha3.go b/cng/sha3.go

Original file line number	Diff line number	Diff line change
`@@ -40,10 +40,16 @@ func NewChaCha20Poly1305(key []byte) (cipher.AEAD, error) {`
`40`	`40`	`return nil, err`
`41`	`41`	`}`
`42`	`42`	`c := &chacha20poly1305{kh: kh}`
`43`		`- addCleanupKey(c, kh)`
	`43`	`+ runtime.SetFinalizer(c, (*chacha20poly1305).finalize)`
`44`	`44`	`return c, nil`
`45`	`45`	`}`
`46`	`46`
	`47`	`+func (c *chacha20poly1305) finalize() {`
	`48`	`+ if c.kh != 0 {`
	`49`	`+ bcrypt.DestroyKey(c.kh)`
	`50`	`+ }`
	`51`	`+}`
	`52`	`+`
`47`	`53`	`func (c *chacha20poly1305) NonceSize() int {`
`48`	`54`	`return chacha20Poly1305NonceSize`
`49`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func NewDESCipher(key []byte) (cipher.Block, error) {`
`29`	`29`	`return nil, err`
`30`	`30`	`}`
`31`	`31`	`c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}`
`32`		`- addCleanupKey(c, kh)`
	`32`	`+ runtime.SetFinalizer(c, (*desCipher).finalize)`
`33`	`33`	`return c, nil`
`34`	`34`	`}`
`35`	`35`
`@@ -39,10 +39,14 @@ func NewTripleDESCipher(key []byte) (cipher.Block, error) {`
`39`	`39`	`return nil, err`
`40`	`40`	`}`
`41`	`41`	`c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}`
`42`		`- addCleanupKey(c, kh)`
	`42`	`+ runtime.SetFinalizer(c, (*desCipher).finalize)`
`43`	`43`	`return c, nil`
`44`	`44`	`}`
`45`	`45`
	`46`	`+func (c *desCipher) finalize() {`
	`47`	`+ bcrypt.DestroyKey(c.kh)`
	`48`	`+}`
	`49`	`+`
`46`	`50`	`func (c *desCipher) BlockSize() int { return desBlockSize }`
`47`	`51`
`48`	`52`	`func (c *desCipher) Encrypt(dst, src []byte) {`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,10 @@ type PrivateKeyDSA struct {`
`96`	`96`	`hkey bcrypt.KEY_HANDLE`
`97`	`97`	`}`
`98`	`98`
	`99`	`+func (k *PrivateKeyDSA) finalize() {`
	`100`	`+ bcrypt.DestroyKey(k.hkey)`
	`101`	`+}`
	`102`	`+`
`99`	`103`	`// PublicKeyDSA represents a DSA public key.`
`100`	`104`	`type PublicKeyDSA struct {`
`101`	`105`	`DSAParameters`
`@@ -104,6 +108,10 @@ type PublicKeyDSA struct {`
`104`	`108`	`hkey bcrypt.KEY_HANDLE`
`105`	`109`	`}`
`106`	`110`
	`111`	`+func (k *PublicKeyDSA) finalize() {`
	`112`	`+ bcrypt.DestroyKey(k.hkey)`
	`113`	`+}`
	`114`	`+`
`107`	`115`	`// GenerateKeyDSA generates a new private DSA key using the given parameters.`
`108`	`116`	`func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {`
`109`	`117`	`h, err := loadDSA()`
`@@ -147,7 +155,7 @@ func NewPrivateKeyDSA(params DSAParameters, X, Y BigInt) (*PrivateKeyDSA, error)`
`147`	`155`	`return nil, err`
`148`	`156`	`}`
`149`	`157`	`k := &PrivateKeyDSA{params, X, Y, hkey}`
`150`		`- addCleanupKey(k, hkey)`
	`158`	`+ runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)`
`151`	`159`	`return k, nil`
`152`	`160`	`}`
`153`	`161`
`@@ -166,7 +174,7 @@ func NewPublicKeyDSA(params DSAParameters, Y BigInt) (*PublicKeyDSA, error) {`
`166`	`174`	`return nil, err`
`167`	`175`	`}`
`168`	`176`	`k := &PublicKeyDSA{params, Y, hkey}`
`169`		`- addCleanupKey(k, hkey)`
	`177`	`+ runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)`
`170`	`178`	`return k, nil`
`171`	`179`	`}`
`172`	`180`
Original file line number	Diff line number	Diff line change
`@@ -58,11 +58,21 @@ type PublicKeyECDH struct {`
`58`	`58`	`priv *PrivateKeyECDH`
`59`	`59`	`}`
`60`	`60`
	`61`	`+func (k *PublicKeyECDH) finalize() {`
	`62`	`+ if k.priv == nil {`
	`63`	`+ bcrypt.DestroyKey(k.hkey)`
	`64`	`+ }`
	`65`	`+}`
	`66`	`+`
`61`	`67`	`type PrivateKeyECDH struct {`
`62`	`68`	`hkey bcrypt.KEY_HANDLE`
`63`	`69`	`isNIST bool`
`64`	`70`	`}`
`65`	`71`
	`72`	`+func (k *PrivateKeyECDH) finalize() {`
	`73`	`+ bcrypt.DestroyKey(k.hkey)`
	`74`	`+}`
	`75`	`+`
`66`	`76`	`func ECDH(priv PrivateKeyECDH, pub PublicKeyECDH) ([]byte, error) {`
`67`	`77`	`// First establish the shared secret.`
`68`	`78`	`var secret bcrypt.SECRET_HANDLE`
`@@ -128,7 +138,7 @@ func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {`
`128`	`138`	`bytes = bytes[hdr.KeySize*2:]`
`129`	`139`
`130`	`140`	`k := &PrivateKeyECDH{hkey, isNIST(curve)}`
`131`		`- addCleanupKey(k, hkey)`
	`141`	`+ runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)`
`132`	`142`	`return k, bytes, nil`
`133`	`143`	`}`
`134`	`144`
`@@ -163,7 +173,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {`
`163`	`173`	`return nil, err`
`164`	`174`	`}`
`165`	`175`	`k := &PublicKeyECDH{hkey, append([]byte(nil), bytes...), nil}`
`166`		`- addCleanupKey(k, hkey)`
	`176`	`+ runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)`
`167`	`177`	`return k, nil`
`168`	`178`	`}`
`169`	`179`
`@@ -192,7 +202,7 @@ func NewPrivateKeyECDH(curve string, key []byte) (*PrivateKeyECDH, error) {`
`192`	`202`	`return nil, err`
`193`	`203`	`}`
`194`	`204`	`k := &PrivateKeyECDH{hkey, nist}`
`195`		`- addCleanupKey(k, hkey)`
	`205`	`+ runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)`
`196`	`206`	`return k, nil`
`197`	`207`	`}`
`198`	`208`
`@@ -210,9 +220,8 @@ func (k PrivateKeyECDH) PublicKey() (PublicKeyECDH, error) {`
`210`	`220`	`// Only include X.`
`211`	`221`	`bytes = data[:hdr.KeySize]`
`212`	`222`	`}`
`213`		`- // No cleanup needed: pub.priv prevents k from being garbage collected,`
`214`		`- // so k's cleanup will destroy the shared hkey when both are unreachable.`
`215`	`223`	`pub := &PublicKeyECDH{k.hkey, bytes, k}`
	`224`	`+ runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)`
`216`	`225`	`return pub, nil`
`217`	`226`	`}`
`218`	`227`
Original file line number	Diff line number	Diff line change
`@@ -90,10 +90,14 @@ func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {`
`90`	`90`	`return nil, err`
`91`	`91`	`}`
`92`	`92`	`k := &PublicKeyECDSA{hkey}`
`93`		`- addCleanupKey(k, hkey)`
	`93`	`+ runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)`
`94`	`94`	`return k, nil`
`95`	`95`	`}`
`96`	`96`
	`97`	`+func (k *PublicKeyECDSA) finalize() {`
	`98`	`+ bcrypt.DestroyKey(k.hkey)`
	`99`	`+}`
	`100`	`+`
`97`	`101`	`type PrivateKeyECDSA struct {`
`98`	`102`	`hkey bcrypt.KEY_HANDLE`
`99`	`103`	`}`
`@@ -108,10 +112,14 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)`
`108`	`112`	`return nil, err`
`109`	`113`	`}`
`110`	`114`	`k := &PrivateKeyECDSA{hkey}`
`111`		`- addCleanupKey(k, hkey)`
	`115`	`+ runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)`
`112`	`116`	`return k, nil`
`113`	`117`	`}`
`114`	`118`
	`119`	`+func (k *PrivateKeyECDSA) finalize() {`
	`120`	`+ bcrypt.DestroyKey(k.hkey)`
	`121`	`+}`
	`122`	`+`
`115`	`123`	`// SignECDSA signs a hash (which should be the result of hashing a larger message),`
`116`	`124`	`// using the private key, priv.`
`117`	`125`	`//`