diff --git a/src/hx/libs/ssl/windows/Cng.h b/src/hx/libs/ssl/windows/Cng.h
new file mode 100644
index 000000000..cf3dc993b
--- /dev/null
+++ b/src/hx/libs/ssl/windows/Cng.h
@@ -0,0 +1,168 @@
+#pragma once
+
+#include <memory>
+#include "Utils.h"
+#include "bcrypt.h"
+
+namespace hx
+{
+	namespace ssl
+	{
+		namespace windows
+		{
+			template<class T>
+			T getProperty(BCRYPT_HANDLE handle, const wchar_t* prop)
+			{
+				hx::EnterGCFreeZone();
+
+				auto result = DWORD{ 0 };
+				auto size   = ULONG{ 0 };
+				if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, prop, nullptr, 0, &size, 0)))
+				{
+					hx::ExitGCFreeZone();
+					hx::Throw(HX_CSTRING("Failed to get property size : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+				}
+
+				auto buffer = std::vector<UCHAR>(size);
+				if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, prop, buffer.data(), buffer.size(), &size, 0)))
+				{
+					hx::ExitGCFreeZone();
+					hx::Throw(HX_CSTRING("Failed to get property : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+				}
+
+				hx::ExitGCFreeZone();
+
+				return static_cast<T>(buffer[0]);
+			}
+
+			struct CngHash
+			{
+				BCRYPT_HASH_HANDLE handle;
+				std::unique_ptr<std::vector<uint8_t>> object;
+
+				CngHash(BCRYPT_HASH_HANDLE inHandle, std::unique_ptr<std::vector<uint8_t>> inObject)
+					: handle(inHandle)
+					, object(std::move(inObject))
+				{
+					//
+				}
+
+				~CngHash()
+				{
+					BCryptDestroyHash(handle);
+				}
+
+				void hash(const Array<uint8_t>& input) const
+				{
+					hx::EnterGCFreeZone();
+
+					auto result = DWORD{ 0 };
+					if (!BCRYPT_SUCCESS(result = BCryptHashData(handle, reinterpret_cast<PUCHAR>(input->getBase()), input->length, 0)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to hash data : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+				}
+
+				void hash(const PUCHAR input, const ULONG length) const
+				{
+					hx::EnterGCFreeZone();
+
+					auto result = DWORD{ 0 };
+					if (!BCRYPT_SUCCESS(result = BCryptHashData(handle, input, length, 0)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to hash data : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+				}
+
+				void finish(PUCHAR output, const ULONG length) const
+				{
+					hx::EnterGCFreeZone();
+
+					auto result = DWORD{ 0 };
+					if (!BCRYPT_SUCCESS(result = BCryptFinishHash(handle, output, length, 0)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to finish hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+				}
+
+				Array<uint8_t> finish() const
+				{
+					auto result = DWORD{ 0 };
+					auto length = getProperty<DWORD>(handle, BCRYPT_HASH_LENGTH);
+					auto output = Array<uint8_t>(length, length);
+
+					hx::EnterGCFreeZone();
+
+					if (!BCRYPT_SUCCESS(result = BCryptFinishHash(handle, reinterpret_cast<PUCHAR>(output->getBase()), output->length, 0)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to finish hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+
+					return output;
+				}
+			};
+
+			struct CngAlgorithm
+			{
+				CngAlgorithm(BCRYPT_ALG_HANDLE inHandle) : handle(inHandle) {}
+
+			public:
+				BCRYPT_ALG_HANDLE handle;
+
+				~CngAlgorithm()
+				{
+					BCryptCloseAlgorithmProvider(handle, 0);
+				}
+
+				std::unique_ptr<CngHash> hash()
+				{
+					hx::EnterGCFreeZone();
+
+					auto result = DWORD{ 0 };
+					auto hHash  = BCRYPT_HASH_HANDLE();
+					auto object = std::make_unique<std::vector<uint8_t>>(getProperty<DWORD>(handle, BCRYPT_OBJECT_LENGTH));
+
+					if (!BCRYPT_SUCCESS(result = BCryptCreateHash(handle, &hHash, object->data(), object->size(), nullptr, 0, BCRYPT_HASH_REUSABLE_FLAG)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to create hash object : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+
+					return std::make_unique<CngHash>(hHash, std::move(object));
+				}
+
+				static std::unique_ptr<CngAlgorithm> create(const wchar_t* algId)
+				{
+					hx::EnterGCFreeZone();
+
+					auto result = DWORD{ 0 };
+					auto handle = BCRYPT_ALG_HANDLE();
+
+					if (!BCRYPT_SUCCESS(result = BCryptOpenAlgorithmProvider(&handle, algId, nullptr, BCRYPT_HASH_REUSABLE_FLAG)))
+					{
+						hx::ExitGCFreeZone();
+						hx::Throw(HX_CSTRING("Failed to open algorithm provider : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
+					}
+
+					hx::ExitGCFreeZone();
+
+					return std::make_unique<CngAlgorithm>(handle);
+				}
+			};
+		}
+	}
+}
diff --git a/src/hx/libs/ssl/windows/Digest.cpp b/src/hx/libs/ssl/windows/Digest.cpp
index ce9cfe28f..8842c4993 100644
--- a/src/hx/libs/ssl/windows/Digest.cpp
+++ b/src/hx/libs/ssl/windows/Digest.cpp
@@ -2,156 +2,40 @@
 #include <Windows.h>
 
 #include "SSL.h"
-#include "Utils.h"
+#include "Cng.h"
 
-Array<unsigned char> _hx_ssl_dgst_make(Array<unsigned char> buffer, String alg)
+Array<unsigned char> _hx_ssl_dgst_make(Array<unsigned char> buffer, String algId)
 {
-	auto handle    = BCRYPT_ALG_HANDLE();
-	auto result    = 0;
-	auto cb        = DWORD{ 0 };
-
 	hx::strbuf buf;
-	auto algorithm = alg.wchar_str(&buf);
-
-	hx::EnterGCFreeZone();
-
-	if (!BCRYPT_SUCCESS(result = BCryptOpenAlgorithmProvider(&handle, algorithm, nullptr, 0)))
-	{
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to open algorithm provider : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto objectLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PUCHAR>(&objectLength), sizeof(DWORD), &cb, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto object = std::vector<uint8_t>(objectLength);
-	auto hash   = BCRYPT_HASH_HANDLE();
-	if (!BCRYPT_SUCCESS(result = BCryptCreateHash(handle, &hash, object.data(), object.size(), nullptr, 0, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
 
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to create hash object : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	auto algorithm = hx::ssl::windows::CngAlgorithm::create(algId.wchar_str(&buf));
+	auto hash     = algorithm->hash();
 
-	auto hashLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_HASH_LENGTH, reinterpret_cast<PUCHAR>(&hashLength), sizeof(DWORD), &cb, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	hash->hash(buffer);
 
-	if (!BCRYPT_SUCCESS(result = BCryptHashData(hash, reinterpret_cast<PUCHAR>(buffer->GetBase()), buffer->length, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to hash data : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	hx::ExitGCFreeZone();
-	auto output = Array<uint8_t>(hashLength, hashLength);
-	hx::EnterGCFreeZone();
-
-	if (!BCRYPT_SUCCESS(result = BCryptFinishHash(hash, reinterpret_cast<PUCHAR>(output->GetBase()), output->length, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to finish hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	BCryptDestroyHash(hash);
-	BCryptCloseAlgorithmProvider(handle, 0);
-
-	hx::ExitGCFreeZone();
-
-	return output;
+	return hash->finish();
 }
 
-Array<unsigned char> _hx_ssl_dgst_sign(Array<unsigned char> buffer, Dynamic hpkey, String alg)
+Array<unsigned char> _hx_ssl_dgst_sign(Array<unsigned char> buffer, Dynamic hpkey, String algId)
 {
-	auto key       = hpkey.Cast<hx::ssl::windows::Key>();
-	auto result    = 0;
-	auto dummy     = DWORD{ 0 };
 	hx::strbuf buf;
-	auto algorithm = alg.wchar_str(&buf);
-	auto padding   = BCRYPT_PKCS1_PADDING_INFO{ algorithm };
-
-	hx::EnterGCFreeZone();
 
-	auto handle = BCRYPT_ALG_HANDLE();
-	if (!BCRYPT_SUCCESS(result = BCryptOpenAlgorithmProvider(&handle, algorithm, nullptr, 0)))
-	{
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to open algorithm provider : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto objectLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PUCHAR>(&objectLength), sizeof(DWORD), &dummy, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto object = std::vector<uint8_t>(objectLength);
-	auto hash   = BCRYPT_HASH_HANDLE();
-	if (!BCRYPT_SUCCESS(result = BCryptCreateHash(handle, &hash, object.data(), object.size(), nullptr, 0, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to create hash object : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto hashLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_HASH_LENGTH, reinterpret_cast<PUCHAR>(&hashLength), sizeof(DWORD), &dummy, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	if (!BCRYPT_SUCCESS(result = BCryptHashData(hash, reinterpret_cast<PUCHAR>(buffer->GetBase()), buffer->length, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to hash data : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	auto key       = hpkey.Cast<hx::ssl::windows::Key>();
+	auto algorithm = algId.wchar_str(&buf);
+	auto alg       = hx::ssl::windows::CngAlgorithm::create(algorithm);
+	auto hash      = alg->hash();
+	auto hashed    = std::vector<uint8_t>(hx::ssl::windows::getProperty<DWORD>(hash->handle, BCRYPT_HASH_LENGTH));
 
-	auto hashed = std::vector<uint8_t>(hashLength);
-	if (!BCRYPT_SUCCESS(result = BCryptFinishHash(hash, reinterpret_cast<PUCHAR>(hashed.data()), hashed.size(), 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
+	hash->hash(buffer);
+	hash->finish(hashed.data(), hashed.size());
 
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to finish hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	hx::EnterGCFreeZone();
 
+	auto result          = DWORD{ 0 };
+	auto padding         = BCRYPT_PKCS1_PADDING_INFO{ algorithm };
 	auto signatureLength = DWORD{ 0 };
 	if (ERROR_SUCCESS != (result = NCryptSignHash(key->ctx, &padding, reinterpret_cast<PUCHAR>(hashed.data()), hashed.size(), nullptr, 0, &signatureLength, BCRYPT_PAD_PKCS1)))
 	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
 		hx::ExitGCFreeZone();
 		hx::Throw(HX_CSTRING("Failed to signature length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
 	}
@@ -162,88 +46,32 @@ Array<unsigned char> _hx_ssl_dgst_sign(Array<unsigned char> buffer, Dynamic hpke
 
 	if (ERROR_SUCCESS != (result = NCryptSignHash(key->ctx, &padding, reinterpret_cast<PUCHAR>(hashed.data()), hashed.size(), reinterpret_cast<PUCHAR>(signature->GetBase()), signature->length, &signatureLength, BCRYPT_PAD_PKCS1)))
 	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
 		hx::ExitGCFreeZone();
 		hx::Throw(HX_CSTRING("Failed to sign hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
 	}
 
-	BCryptDestroyHash(hash);
-	BCryptCloseAlgorithmProvider(handle, 0);
-
 	hx::ExitGCFreeZone();
 
 	return signature;
 }
 
-bool _hx_ssl_dgst_verify(Array<unsigned char> buffer, Array<unsigned char> sign, Dynamic hpkey, String alg)
+bool _hx_ssl_dgst_verify(Array<unsigned char> buffer, Array<unsigned char> sign, Dynamic hpkey, String algId)
 {
-	auto key       = hpkey.Cast<hx::ssl::windows::Key>();
-	auto handle    = BCRYPT_ALG_HANDLE();
-	auto result    = 0;
-	auto cb        = DWORD{ 0 };
 	hx::strbuf buf;
-	auto algorithm = alg.wchar_str(&buf);
-	auto padding   = BCRYPT_PKCS1_PADDING_INFO{ algorithm };
-
-	hx::EnterGCFreeZone();
-
-	if (!BCRYPT_SUCCESS(result = BCryptOpenAlgorithmProvider(&handle, algorithm, nullptr, 0)))
-	{
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to open algorithm provider : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto objectLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_OBJECT_LENGTH, reinterpret_cast<PUCHAR>(&objectLength), sizeof(DWORD), &cb, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto object = std::vector<uint8_t>(objectLength);
-	auto hash   = BCRYPT_HASH_HANDLE();
-	if (!BCRYPT_SUCCESS(result = BCryptCreateHash(handle, &hash, object.data(), object.size(), nullptr, 0, 0)))
-	{
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to create hash object : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	auto hashLength = DWORD{ 0 };
-	if (!BCRYPT_SUCCESS(result = BCryptGetProperty(handle, BCRYPT_HASH_LENGTH, reinterpret_cast<PUCHAR>(&hashLength), sizeof(DWORD), &cb, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
 
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to get object length : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
-
-	if (!BCRYPT_SUCCESS(result = BCryptHashData(hash, reinterpret_cast<PUCHAR>(buffer->GetBase()), buffer->length, 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
-
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to hash data : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	auto key       = hpkey.Cast<hx::ssl::windows::Key>();
+	auto algorithm = algId.wchar_str(&buf);
+	auto alg       = hx::ssl::windows::CngAlgorithm::create(algorithm);
+	auto hash      = alg->hash();
+	auto hashed    = std::vector<uint8_t>(hx::ssl::windows::getProperty<DWORD>(hash->handle, BCRYPT_HASH_LENGTH));
 
-	auto output = std::vector<UCHAR>(hashLength);
-	if (!BCRYPT_SUCCESS(result = BCryptFinishHash(hash, reinterpret_cast<PUCHAR>(output.data()), output.size(), 0)))
-	{
-		BCryptDestroyHash(hash);
-		BCryptCloseAlgorithmProvider(handle, 0);
+	hash->hash(buffer);
+	hash->finish(hashed.data(), hashed.size());
 
-		hx::ExitGCFreeZone();
-		hx::Throw(HX_CSTRING("Failed to finish hash : ") + hx::ssl::windows::utils::NTStatusErrorToString(result));
-	}
+	hx::EnterGCFreeZone();
 
-	auto success = ERROR_SUCCESS == NCryptVerifySignature(key->ctx, &padding, output.data(), output.size(), reinterpret_cast<PUCHAR>(sign->GetBase()), sign->length, BCRYPT_PAD_PKCS1);
+	auto padding = BCRYPT_PKCS1_PADDING_INFO{ algorithm };
+	auto success = ERROR_SUCCESS == NCryptVerifySignature(key->ctx, &padding, hashed.data(), hashed.size(), reinterpret_cast<PUCHAR>(sign->GetBase()), sign->length, BCRYPT_PAD_PKCS1);
 
 	hx::ExitGCFreeZone();