Merge pull request #142 from microsoft/dev/mclayton/update-addCleanup

qmuntal · web-flow · commit b3072ea93f16 · 2026-02-21T13:54:23.000+01:00
Dev/mclayton/update add cleanup
diff --git a/cng/aes.go b/cng/aes.go
@@ -30,14 +30,10 @@ func NewAESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &aesCipher{kh: kh, key: bytes.Clone(key)}
-	runtime.SetFinalizer(c, (*aesCipher).finalize)
+	addCleanupKey(c, kh)
 	return c, nil
 }
 
-func (c *aesCipher) finalize() {
-	bcrypt.DestroyKey(c.kh)
-}
-
 func (c *aesCipher) BlockSize() int { return aesBlockSize }
 
 // validateAndClipInputs checks that dst and src meet the [cipher.Block]
@@ -165,15 +161,11 @@ func newCBC(encrypt bool, alg string, key, iv []byte) *cbcCipher {
 		panic(err)
 	}
 	x := &cbcCipher{kh: kh, encrypt: encrypt, blockSize: blockSize}
-	runtime.SetFinalizer(x, (*cbcCipher).finalize)
+	addCleanupKey(x, kh)
 	x.SetIV(iv)
 	return x
 }
 
-func (x *cbcCipher) finalize() {
-	bcrypt.DestroyKey(x.kh)
-}
-
 func (x *cbcCipher) BlockSize() int { return x.blockSize }
 
 func (x *cbcCipher) CryptBlocks(dst, src []byte) {
@@ -247,17 +239,13 @@ type aesGCM struct {
 	maskInitialized bool
 }
 
-func (g *aesGCM) finalize() {
-	bcrypt.DestroyKey(g.kh)
-}
-
 func newGCM(key []byte, tls cipherGCMTLS) (*aesGCM, error) {
 	kh, err := newCipherHandle(bcrypt.AES_ALGORITHM, bcrypt.CHAIN_MODE_GCM, key)
 	if err != nil {
 		return nil, err
 	}
 	g := &aesGCM{kh: kh, tls: tls}
-	runtime.SetFinalizer(g, (*aesGCM).finalize)
+	addCleanupKey(g, kh)
 	return g, nil
 }
 
diff --git a/cng/chacha20poly1305.go b/cng/chacha20poly1305.go
@@ -40,16 +40,10 @@ func NewChaCha20Poly1305(key []byte) (cipher.AEAD, error) {
 		return nil, err
 	}
 	c := &chacha20poly1305{kh: kh}
-	runtime.SetFinalizer(c, (*chacha20poly1305).finalize)
+	addCleanupKey(c, kh)
 	return c, nil
 }
 
-func (c *chacha20poly1305) finalize() {
-	if c.kh != 0 {
-		bcrypt.DestroyKey(c.kh)
-	}
-}
-
 func (c *chacha20poly1305) NonceSize() int {
 	return chacha20Poly1305NonceSize
 }
diff --git a/cng/des.go b/cng/des.go
@@ -29,7 +29,7 @@ func NewDESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}
-	runtime.SetFinalizer(c, (*desCipher).finalize)
+	addCleanupKey(c, kh)
 	return c, nil
 }
 
@@ -39,14 +39,10 @@ func NewTripleDESCipher(key []byte) (cipher.Block, error) {
 		return nil, err
 	}
 	c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}
-	runtime.SetFinalizer(c, (*desCipher).finalize)
+	addCleanupKey(c, kh)
 	return c, nil
 }
 
-func (c *desCipher) finalize() {
-	bcrypt.DestroyKey(c.kh)
-}
-
 func (c *desCipher) BlockSize() int { return desBlockSize }
 
 func (c *desCipher) Encrypt(dst, src []byte) {
diff --git a/cng/dsa.go b/cng/dsa.go
@@ -96,10 +96,6 @@ type PrivateKeyDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
 
-func (k *PrivateKeyDSA) finalize() {
-	bcrypt.DestroyKey(k.hkey)
-}
-
 // PublicKeyDSA represents a DSA public key.
 type PublicKeyDSA struct {
 	DSAParameters
@@ -108,10 +104,6 @@ type PublicKeyDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
 
-func (k *PublicKeyDSA) finalize() {
-	bcrypt.DestroyKey(k.hkey)
-}
-
 // GenerateKeyDSA generates a new private DSA key using the given parameters.
 func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {
 	h, err := loadDSA()
@@ -155,7 +147,7 @@ func NewPrivateKeyDSA(params DSAParameters, X, Y BigInt) (*PrivateKeyDSA, error)
 		return nil, err
 	}
 	k := &PrivateKeyDSA{params, X, Y, hkey}
-	runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
@@ -174,7 +166,7 @@ func NewPublicKeyDSA(params DSAParameters, Y BigInt) (*PublicKeyDSA, error) {
 		return nil, err
 	}
 	k := &PublicKeyDSA{params, Y, hkey}
-	runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
diff --git a/cng/ecdh.go b/cng/ecdh.go
@@ -58,21 +58,11 @@ type PublicKeyECDH struct {
 	priv *PrivateKeyECDH
 }
 
-func (k *PublicKeyECDH) finalize() {
-	if k.priv == nil {
-		bcrypt.DestroyKey(k.hkey)
-	}
-}
-
 type PrivateKeyECDH struct {
 	hkey   bcrypt.KEY_HANDLE
 	isNIST bool
 }
 
-func (k *PrivateKeyECDH) finalize() {
-	bcrypt.DestroyKey(k.hkey)
-}
-
 func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
 	// First establish the shared secret.
 	var secret bcrypt.SECRET_HANDLE
@@ -138,7 +128,7 @@ func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
 	bytes = bytes[hdr.KeySize*2:]
 
 	k := &PrivateKeyECDH{hkey, isNIST(curve)}
-	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	addCleanupKey(k, hkey)
 	return k, bytes, nil
 }
 
@@ -173,7 +163,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
 		return nil, err
 	}
 	k := &PublicKeyECDH{hkey, append([]byte(nil), bytes...), nil}
-	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
@@ -202,7 +192,7 @@ func NewPrivateKeyECDH(curve string, key []byte) (*PrivateKeyECDH, error) {
 		return nil, err
 	}
 	k := &PrivateKeyECDH{hkey, nist}
-	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
@@ -220,8 +210,9 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
 		// Only include X.
 		bytes = data[:hdr.KeySize]
 	}
+	// No cleanup needed: pub.priv prevents k from being garbage collected,
+	// so k's cleanup will destroy the shared hkey when both are unreachable.
 	pub := &PublicKeyECDH{k.hkey, bytes, k}
-	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
 	return pub, nil
 }
 
diff --git a/cng/ecdh_test.go b/cng/ecdh_test.go
@@ -158,3 +158,107 @@ func hexDecode(t *testing.T, s string) []byte {
 	}
 	return b
 }
+
+func BenchmarkGenerateKeyECDH(b *testing.B) {
+	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
+		b.Run(curve, func(b *testing.B) {
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, _, err := cng.GenerateKeyECDH(curve)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
+func BenchmarkECDH(b *testing.B) {
+	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
+		b.Run(curve, func(b *testing.B) {
+			aliceKey, _, err := cng.GenerateKeyECDH(curve)
+			if err != nil {
+				b.Fatal(err)
+			}
+			bobKey, _, err := cng.GenerateKeyECDH(curve)
+			if err != nil {
+				b.Fatal(err)
+			}
+			bobPub, err := bobKey.PublicKey()
+			if err != nil {
+				b.Fatal(err)
+			}
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, err := cng.ECDH(aliceKey, bobPub)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
+func BenchmarkNewPrivateKeyECDH(b *testing.B) {
+	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
+		b.Run(curve, func(b *testing.B) {
+			_, privBytes, err := cng.GenerateKeyECDH(curve)
+			if err != nil {
+				b.Fatal(err)
+			}
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, err := cng.NewPrivateKeyECDH(curve, privBytes)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
+func BenchmarkNewPublicKeyECDH(b *testing.B) {
+	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
+		b.Run(curve, func(b *testing.B) {
+			key, _, err := cng.GenerateKeyECDH(curve)
+			if err != nil {
+				b.Fatal(err)
+			}
+			pub, err := key.PublicKey()
+			if err != nil {
+				b.Fatal(err)
+			}
+			pubBytes := pub.Bytes()
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, err := cng.NewPublicKeyECDH(curve, pubBytes)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
+func BenchmarkPublicKeyECDH(b *testing.B) {
+	for _, curve := range []string{"P-256", "P-384", "P-521", "X25519"} {
+		b.Run(curve, func(b *testing.B) {
+			key, _, err := cng.GenerateKeyECDH(curve)
+			if err != nil {
+				b.Fatal(err)
+			}
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_, err := key.PublicKey()
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
diff --git a/cng/ecdsa.go b/cng/ecdsa.go
@@ -90,14 +90,10 @@ func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
 		return nil, err
 	}
 	k := &PublicKeyECDSA{hkey}
-	runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
-func (k *PublicKeyECDSA) finalize() {
-	bcrypt.DestroyKey(k.hkey)
-}
-
 type PrivateKeyECDSA struct {
 	hkey bcrypt.KEY_HANDLE
 }
@@ -112,14 +108,10 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)
 		return nil, err
 	}
 	k := &PrivateKeyECDSA{hkey}
-	runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)
+	addCleanupKey(k, hkey)
 	return k, nil
 }
 
-func (k *PrivateKeyECDSA) finalize() {
-	bcrypt.DestroyKey(k.hkey)
-}
-
 // SignECDSA signs a hash (which should be the result of hashing a larger message),
 // using the private key, priv.
 //
diff --git a/cng/hash.go b/cng/hash.go
@@ -20,6 +20,13 @@ import (
 // maxHashSize is the size of SHA512 and SHA3_512, the largest hashes we support.
 const maxHashSize = 64
 
+// addCleanupHash attaches a cleanup function to ptr that will destroy ctx.
+func addCleanupHash[T any](ptr *T, ctx bcrypt.HASH_HANDLE) {
+	runtime.AddCleanup(ptr, func(ctx bcrypt.HASH_HANDLE) {
+		bcrypt.DestroyHash(ctx)
+	}, ctx)
+}
+
 // SupportsHash returns true if a hash.Hash implementation is supported for h.
 func SupportsHash(h crypto.Hash) bool {
 	switch h {
@@ -188,10 +195,6 @@ func newHash(id string) *Hash {
 	return &Hash{alg: mustLoadHash(id, bcrypt.ALG_NONE_FLAG)}
 }
 
-func (h *Hash) finalize() {
-	bcrypt.DestroyHash(h.ctx)
-}
-
 func (h *Hash) init() {
 	defer runtime.KeepAlive(h)
 	if h.ctx != 0 {
@@ -201,15 +204,15 @@ func (h *Hash) init() {
 	if err != nil {
 		panic(err)
 	}
-	runtime.SetFinalizer(h, (*Hash).finalize)
+	addCleanupHash(h, h.ctx)
 }
 
 func (h *Hash) Clone() (HashCloner, error) {
 	defer runtime.KeepAlive(h)
 	h2 := &Hash{alg: h.alg, key: bytes.Clone(h.key)}
 	if h.ctx != 0 {
 		hashClone(h.ctx, &h2.ctx)
-		runtime.SetFinalizer(h2, (*Hash).finalize)
+		addCleanupHash(h2, h2.ctx)
 	}
 	return h2, nil
 }
diff --git a/cng/keys.go b/cng/keys.go
@@ -8,11 +8,19 @@ package cng
 
 import (
 	"errors"
+	"runtime"
 	"unsafe"
 
 	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
 )
 
+// addCleanupKey attaches a cleanup function to ptr that will destroy kh.
+func addCleanupKey[T any](ptr *T, kh bcrypt.KEY_HANDLE) {
+	runtime.AddCleanup(ptr, func(kh bcrypt.KEY_HANDLE) {
+		bcrypt.DestroyKey(kh)
+	}, kh)
+}
+
 const (
 	sizeOfECCBlobHeader     = uint32(unsafe.Sizeof(bcrypt.ECCKEY_BLOB{}))
 	sizeOfRSABlobHeader     = uint32(unsafe.Sizeof(bcrypt.RSAKEY_BLOB{}))
diff --git a/cng/rc4.go b/cng/rc4.go
diff --git a/cng/rsa.go b/cng/rsa.go
diff --git a/cng/sha3.go b/cng/sha3.go

Original file line number	Diff line number	Diff line change
`@@ -40,16 +40,10 @@ func NewChaCha20Poly1305(key []byte) (cipher.AEAD, error) {`
`40`	`40`	`return nil, err`
`41`	`41`	`}`
`42`	`42`	`c := &chacha20poly1305{kh: kh}`
`43`		`- runtime.SetFinalizer(c, (*chacha20poly1305).finalize)`
	`43`	`+ addCleanupKey(c, kh)`
`44`	`44`	`return c, nil`
`45`	`45`	`}`
`46`	`46`
`47`		`-func (c *chacha20poly1305) finalize() {`
`48`		`- if c.kh != 0 {`
`49`		`- bcrypt.DestroyKey(c.kh)`
`50`		`- }`
`51`		`-}`
`52`		`-`
`53`	`47`	`func (c *chacha20poly1305) NonceSize() int {`
`54`	`48`	`return chacha20Poly1305NonceSize`
`55`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func NewDESCipher(key []byte) (cipher.Block, error) {`
`29`	`29`	`return nil, err`
`30`	`30`	`}`
`31`	`31`	`c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}`
`32`		`- runtime.SetFinalizer(c, (*desCipher).finalize)`
	`32`	`+ addCleanupKey(c, kh)`
`33`	`33`	`return c, nil`
`34`	`34`	`}`
`35`	`35`
`@@ -39,14 +39,10 @@ func NewTripleDESCipher(key []byte) (cipher.Block, error) {`
`39`	`39`	`return nil, err`
`40`	`40`	`}`
`41`	`41`	`c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}`
`42`		`- runtime.SetFinalizer(c, (*desCipher).finalize)`
	`42`	`+ addCleanupKey(c, kh)`
`43`	`43`	`return c, nil`
`44`	`44`	`}`
`45`	`45`
`46`		`-func (c *desCipher) finalize() {`
`47`		`- bcrypt.DestroyKey(c.kh)`
`48`		`-}`
`49`		`-`
`50`	`46`	`func (c *desCipher) BlockSize() int { return desBlockSize }`
`51`	`47`
`52`	`48`	`func (c *desCipher) Encrypt(dst, src []byte) {`
Original file line number	Diff line number	Diff line change
`@@ -96,10 +96,6 @@ type PrivateKeyDSA struct {`
`96`	`96`	`hkey bcrypt.KEY_HANDLE`
`97`	`97`	`}`
`98`	`98`
`99`		`-func (k *PrivateKeyDSA) finalize() {`
`100`		`- bcrypt.DestroyKey(k.hkey)`
`101`		`-}`
`102`		`-`
`103`	`99`	`// PublicKeyDSA represents a DSA public key.`
`104`	`100`	`type PublicKeyDSA struct {`
`105`	`101`	`DSAParameters`
`@@ -108,10 +104,6 @@ type PublicKeyDSA struct {`
`108`	`104`	`hkey bcrypt.KEY_HANDLE`
`109`	`105`	`}`
`110`	`106`
`111`		`-func (k *PublicKeyDSA) finalize() {`
`112`		`- bcrypt.DestroyKey(k.hkey)`
`113`		`-}`
`114`		`-`
`115`	`107`	`// GenerateKeyDSA generates a new private DSA key using the given parameters.`
`116`	`108`	`func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {`
`117`	`109`	`h, err := loadDSA()`
`@@ -155,7 +147,7 @@ func NewPrivateKeyDSA(params DSAParameters, X, Y BigInt) (*PrivateKeyDSA, error)`
`155`	`147`	`return nil, err`
`156`	`148`	`}`
`157`	`149`	`k := &PrivateKeyDSA{params, X, Y, hkey}`
`158`		`- runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)`
	`150`	`+ addCleanupKey(k, hkey)`
`159`	`151`	`return k, nil`
`160`	`152`	`}`
`161`	`153`
`@@ -174,7 +166,7 @@ func NewPublicKeyDSA(params DSAParameters, Y BigInt) (*PublicKeyDSA, error) {`
`174`	`166`	`return nil, err`
`175`	`167`	`}`
`176`	`168`	`k := &PublicKeyDSA{params, Y, hkey}`
`177`		`- runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)`
	`169`	`+ addCleanupKey(k, hkey)`
`178`	`170`	`return k, nil`
`179`	`171`	`}`
`180`	`172`
Original file line number	Diff line number	Diff line change
`@@ -58,21 +58,11 @@ type PublicKeyECDH struct {`
`58`	`58`	`priv *PrivateKeyECDH`
`59`	`59`	`}`
`60`	`60`
`61`		`-func (k *PublicKeyECDH) finalize() {`
`62`		`- if k.priv == nil {`
`63`		`- bcrypt.DestroyKey(k.hkey)`
`64`		`- }`
`65`		`-}`
`66`		`-`
`67`	`61`	`type PrivateKeyECDH struct {`
`68`	`62`	`hkey bcrypt.KEY_HANDLE`
`69`	`63`	`isNIST bool`
`70`	`64`	`}`
`71`	`65`
`72`		`-func (k *PrivateKeyECDH) finalize() {`
`73`		`- bcrypt.DestroyKey(k.hkey)`
`74`		`-}`
`75`		`-`
`76`	`66`	`func ECDH(priv PrivateKeyECDH, pub PublicKeyECDH) ([]byte, error) {`
`77`	`67`	`// First establish the shared secret.`
`78`	`68`	`var secret bcrypt.SECRET_HANDLE`
`@@ -138,7 +128,7 @@ func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {`
`138`	`128`	`bytes = bytes[hdr.KeySize*2:]`
`139`	`129`
`140`	`130`	`k := &PrivateKeyECDH{hkey, isNIST(curve)}`
`141`		`- runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)`
	`131`	`+ addCleanupKey(k, hkey)`
`142`	`132`	`return k, bytes, nil`
`143`	`133`	`}`
`144`	`134`
`@@ -173,7 +163,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {`
`173`	`163`	`return nil, err`
`174`	`164`	`}`
`175`	`165`	`k := &PublicKeyECDH{hkey, append([]byte(nil), bytes...), nil}`
`176`		`- runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)`
	`166`	`+ addCleanupKey(k, hkey)`
`177`	`167`	`return k, nil`
`178`	`168`	`}`
`179`	`169`
`@@ -202,7 +192,7 @@ func NewPrivateKeyECDH(curve string, key []byte) (*PrivateKeyECDH, error) {`
`202`	`192`	`return nil, err`
`203`	`193`	`}`
`204`	`194`	`k := &PrivateKeyECDH{hkey, nist}`
`205`		`- runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)`
	`195`	`+ addCleanupKey(k, hkey)`
`206`	`196`	`return k, nil`
`207`	`197`	`}`
`208`	`198`
`@@ -220,8 +210,9 @@ func (k PrivateKeyECDH) PublicKey() (PublicKeyECDH, error) {`
`220`	`210`	`// Only include X.`
`221`	`211`	`bytes = data[:hdr.KeySize]`
`222`	`212`	`}`
	`213`	`+ // No cleanup needed: pub.priv prevents k from being garbage collected,`
	`214`	`+ // so k's cleanup will destroy the shared hkey when both are unreachable.`
`223`	`215`	`pub := &PublicKeyECDH{k.hkey, bytes, k}`
`224`		`- runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)`
`225`	`216`	`return pub, nil`
`226`	`217`	`}`
`227`	`218`
Original file line number	Diff line number	Diff line change
`@@ -90,14 +90,10 @@ func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {`
`90`	`90`	`return nil, err`
`91`	`91`	`}`
`92`	`92`	`k := &PublicKeyECDSA{hkey}`
`93`		`- runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)`
	`93`	`+ addCleanupKey(k, hkey)`
`94`	`94`	`return k, nil`
`95`	`95`	`}`
`96`	`96`
`97`		`-func (k *PublicKeyECDSA) finalize() {`
`98`		`- bcrypt.DestroyKey(k.hkey)`
`99`		`-}`
`100`		`-`
`101`	`97`	`type PrivateKeyECDSA struct {`
`102`	`98`	`hkey bcrypt.KEY_HANDLE`
`103`	`99`	`}`
`@@ -112,14 +108,10 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)`
`112`	`108`	`return nil, err`
`113`	`109`	`}`
`114`	`110`	`k := &PrivateKeyECDSA{hkey}`
`115`		`- runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)`
	`111`	`+ addCleanupKey(k, hkey)`
`116`	`112`	`return k, nil`
`117`	`113`	`}`
`118`	`114`
`119`		`-func (k *PrivateKeyECDSA) finalize() {`
`120`		`- bcrypt.DestroyKey(k.hkey)`
`121`		`-}`
`122`		`-`
`123`	`115`	`// SignECDSA signs a hash (which should be the result of hashing a larger message),`
`124`	`116`	`// using the private key, priv.`
`125`	`117`	`//`