dotnet · vcsjones · Oct 3, 2025 · Oct 3, 2025
diff --git a/src/libraries/Common/src/System/Security/Cryptography/ECCng.ImportExport.NamedCurve.cs b/src/libraries/Common/src/System/Security/Cryptography/ECCng.ImportExport.NamedCurve.cs
@@ -152,40 +152,29 @@ internal static SafeNCryptKeyHandle ImportKeyBlob(
 
             using (SafeUnicodeStringHandle safeCurveName = new SafeUnicodeStringHandle(curveName))
             {
-                Interop.BCrypt.BCryptBufferDesc desc = default;
-                Interop.BCrypt.BCryptBuffer buff = default;
-
-                IntPtr descPtr = IntPtr.Zero;
-                IntPtr buffPtr = IntPtr.Zero;
-                try
+                unsafe
                 {
-                    descPtr = Marshal.AllocHGlobal(Marshal.SizeOf(desc));
-                    buffPtr = Marshal.AllocHGlobal(Marshal.SizeOf(buff));
+                    Interop.BCrypt.BCryptBufferDesc desc = default;
+                    Interop.BCrypt.BCryptBuffer buff = default;
+
                     buff.cbBuffer = (curveName.Length + 1) * 2; // Add 1 for null terminator
                     buff.BufferType = Interop.BCrypt.CngBufferDescriptors.NCRYPTBUFFER_ECC_CURVE_NAME;
                     buff.pvBuffer = safeCurveName.DangerousGetHandle();
-                    Marshal.StructureToPtr(buff, buffPtr, false);
 
                     desc.cBuffers = 1;
-                    desc.pBuffers = buffPtr;
+                    desc.pBuffers = (IntPtr)(&buff);
                     desc.ulVersion = Interop.BCrypt.BCRYPTBUFFER_VERSION;
-                    Marshal.StructureToPtr(desc, descPtr, false);
 
                     errorCode = Interop.NCrypt.NCryptImportKey(
                         provider,
                         IntPtr.Zero,
                         blobType,
-                        descPtr,
+                        (IntPtr)(&desc),
                         out keyHandle,
                         ref MemoryMarshal.GetReference(keyBlob),
                         keyBlob.Length,
                         0);
                 }
-                finally
-                {
-                    Marshal.FreeHGlobal(descPtr);
-                    Marshal.FreeHGlobal(buffPtr);
-                }
             }
 
             if (errorCode != ErrorCode.ERROR_SUCCESS)

diff --git a/src/libraries/Common/src/System/Security/Cryptography/MLKem.Windows.cs b/src/libraries/Common/src/System/Security/Cryptography/MLKem.Windows.cs
@@ -26,7 +26,7 @@ private protected unsafe void ReadCngMLKemBlob(
                     throw new CryptographicException();
                 }
 
-                int blobHeaderSize = Marshal.SizeOf<BCRYPT_MLKEM_KEY_BLOB>();
+                int blobHeaderSize = sizeof(BCRYPT_MLKEM_KEY_BLOB);
                 int keySize = checked((int)blob->cbKey);
 
                 if (keySize != destination.Length)

diff --git a/src/libraries/Common/src/System/Security/Cryptography/PqcBlobHelpers.cs b/src/libraries/Common/src/System/Security/Cryptography/PqcBlobHelpers.cs
@@ -216,7 +216,7 @@ internal delegate TReturn EncodeMLKemBlobCallback<TState, TReturn>(
             string blobKind,
             ReadOnlySpan<byte> blob);
 
-        internal static TReturn EncodeMLKemBlob<TState, TReturn>(
+        internal static unsafe TReturn EncodeMLKemBlob<TState, TReturn>(
             KeyBlobMagicNumber kind,
             MLKemAlgorithm algorithm,
             ReadOnlySpan<byte> key,
@@ -230,7 +230,7 @@ internal static TReturn EncodeMLKemBlob<TState, TReturn>(
                 // try to accommodate them.
                 const int MaxKeyStackSize = 128;
                 string parameterSet = GetMLKemParameterSet(algorithm);
-                int blobHeaderSize = Marshal.SizeOf<BCRYPT_MLKEM_KEY_BLOB>();
+                int blobHeaderSize = sizeof(BCRYPT_MLKEM_KEY_BLOB);
                 int parameterSetMarshalLength = (parameterSet.Length + 1) * 2;
                 int blobSize =
                     blobHeaderSize +
@@ -246,15 +246,12 @@ internal static TReturn EncodeMLKemBlob<TState, TReturn>(
                 {
                     buffer.Clear();
 
-                    unsafe
+                    fixed (byte* pBuffer = buffer)
                     {
-                        fixed (byte* pBuffer = buffer)
-                        {
-                            BCRYPT_MLKEM_KEY_BLOB* blob = (BCRYPT_MLKEM_KEY_BLOB*)pBuffer;
-                            blob->dwMagic = kind;
-                            blob->cbParameterSet = (uint)parameterSetMarshalLength;
-                            blob->cbKey = (uint)key.Length;
-                        }
+                        BCRYPT_MLKEM_KEY_BLOB* blob = (BCRYPT_MLKEM_KEY_BLOB*)pBuffer;
+                        blob->dwMagic = kind;
+                        blob->cbParameterSet = (uint)parameterSetMarshalLength;
+                        blob->cbKey = (uint)key.Length;
                     }
 
                     // This won't write the null byte, but we zeroed the whole buffer earlier.

diff --git a/...tography/src/System/Security/Cryptography/X509Certificates/ChainPal.Windows.BuildChain.cs b/...tography/src/System/Security/Cryptography/X509Certificates/ChainPal.Windows.BuildChain.cs
@@ -36,7 +36,7 @@ internal sealed partial class ChainPal : IDisposable, IChainPal
                 using (SafeCertStoreHandle extraStoreHandle = ConvertStoreToSafeHandle(extraStore))
                 {
                     Interop.Crypt32.CERT_CHAIN_PARA chainPara = default;
-                    chainPara.cbSize = Marshal.SizeOf<Interop.Crypt32.CERT_CHAIN_PARA>();
+                    chainPara.cbSize = sizeof(Interop.Crypt32.CERT_CHAIN_PARA);
 
                     int applicationPolicyCount;
                     using (SafeHandle applicationPolicyOids = applicationPolicy!.ToLpstrArray(out applicationPolicyCount))
@@ -88,12 +88,15 @@ private static SafeChainEngineHandle GetChainEngine(
             if (trustMode == X509ChainTrustMode.CustomRootTrust)
             {
                 // Need to get a valid SafeCertStoreHandle otherwise the default stores will be trusted
-                using (SafeCertStoreHandle customTrustStoreHandle = ConvertStoreToSafeHandle(customTrustStore, true))
+                unsafe
                 {
-                    Interop.Crypt32.CERT_CHAIN_ENGINE_CONFIG customChainEngine = default;
-                    customChainEngine.cbSize = Marshal.SizeOf<Interop.Crypt32.CERT_CHAIN_ENGINE_CONFIG>();
-                    customChainEngine.hExclusiveRoot = customTrustStoreHandle.DangerousGetHandle();
-                    chainEngineHandle = Interop.crypt32.CertCreateCertificateChainEngine(ref customChainEngine);
+                    using (SafeCertStoreHandle customTrustStoreHandle = ConvertStoreToSafeHandle(customTrustStore, true))
+                    {
+                        Interop.Crypt32.CERT_CHAIN_ENGINE_CONFIG customChainEngine = default;
+                        customChainEngine.cbSize = sizeof(Interop.Crypt32.CERT_CHAIN_ENGINE_CONFIG);
+                        customChainEngine.hExclusiveRoot = customTrustStoreHandle.DangerousGetHandle();
+                        chainEngineHandle = Interop.crypt32.CertCreateCertificateChainEngine(ref customChainEngine);
+                    }
                 }
             }
             else