diff --git a/src/libraries/System.Security.Cryptography.Cose/ref/System.Security.Cryptography.Cose.cs b/src/libraries/System.Security.Cryptography.Cose/ref/System.Security.Cryptography.Cose.cs
index 4772bc005e51c..40d22f92d88dc 100644
--- a/src/libraries/System.Security.Cryptography.Cose/ref/System.Security.Cryptography.Cose.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/ref/System.Security.Cryptography.Cose.cs
@@ -56,17 +56,22 @@ internal CoseMessage() { }
         public System.Security.Cryptography.Cose.CoseHeaderMap ProtectedHeaders { get { throw null; } }
         public System.Security.Cryptography.Cose.CoseHeaderMap UnprotectedHeaders { get { throw null; } }
         public static System.Security.Cryptography.Cose.CoseSign1Message DecodeSign1(byte[] cborPayload) { throw null; }
+        public static System.Security.Cryptography.Cose.CoseSign1Message DecodeSign1(ReadOnlySpan<byte> cborPayload) { throw null; }
     }
     public sealed partial class CoseSign1Message : System.Security.Cryptography.Cose.CoseMessage
     {
         internal CoseSign1Message() { }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public static byte[] Sign(ReadOnlySpan<byte> content, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static byte[] Sign(byte[] content, System.Security.Cryptography.AsymmetricAlgorithm key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static byte[] Sign(byte[] content, System.Security.Cryptography.ECDsa key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static byte[] Sign(byte[] content, System.Security.Cryptography.RSA key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, bool isDetached = false) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public static bool TrySign(ReadOnlySpan<byte> content, Span<byte> destination, System.Security.Cryptography.AsymmetricAlgorithm key!!, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, out int bytesWritten, System.Security.Cryptography.Cose.CoseHeaderMap? protectedHeaders = null, System.Security.Cryptography.Cose.CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false) { throw null; }
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public bool Verify(System.Security.Cryptography.ECDsa key) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public bool Verify(System.Security.Cryptography.ECDsa key, System.ReadOnlySpan<byte> content) { throw null; }
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj b/src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj
index 13814baf6096a..3db497d878879 100644
--- a/src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System.Security.Cryptography.Cose.csproj
@@ -1,6 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>$(NetCoreAppCurrent);$(NetCoreAppMinimum);netstandard2.0;$(NetFrameworkMinimum)</TargetFrameworks>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <Nullable>enable</Nullable>
     <IsPackable>true</IsPackable>
     <!-- Disabling baseline validation since this is a brand new package.
@@ -13,8 +14,10 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <Compile Include="$(CommonPath)System\Memory\PointerMemoryManager.cs" Link="Common\System\Memory\PointerMemoryManager.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseHeaderLabel.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseHeaderMap.cs" />
+    <Compile Include="System\Security\Cryptography\Cose\CoseHelpers.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseMessage.cs" />
     <Compile Include="System\Security\Cryptography\Cose\CoseSign1Message.cs" />
     <Compile Include="System\Security\Cryptography\Cose\KnownCoseAlgorithms.cs" />
@@ -31,10 +34,12 @@
 
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'">
     <Reference Include="System.Collections" />
+    <Reference Include="System.Memory" />
     <Reference Include="System.Security.Cryptography.Primitives" />
     <Reference Include="System.Security.Cryptography.Algorithms" />
     <Reference Include="System.Runtime" />
     <Reference Include="System.Runtime.Numerics" />
+    <Reference Include="System.Text.Encoding.Extensions" />
   </ItemGroup>
   
   <ItemGroup Condition="$([MSBuild]::IsTargetFrameworkCompatible('$(TargetFramework)', 'net7.0'))">
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderLabel.cs b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderLabel.cs
index 7e78541511616..e3fd261674f31 100644
--- a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderLabel.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderLabel.cs
@@ -24,11 +24,13 @@ namespace System.Security.Cryptography.Cose
 
         internal int LabelAsInt32 { get; }
         internal string? LabelAsString { get; }
+        internal int EncodedSize { get; }
 
         public CoseHeaderLabel(int label)
         {
             this = default;
             LabelAsInt32 = label;
+            EncodedSize = CoseHelpers.GetIntegerEncodedSize(label);
         }
 
         public CoseHeaderLabel(string label)
@@ -40,6 +42,7 @@ public CoseHeaderLabel(string label)
 
             this = default;
             LabelAsString = label;
+            EncodedSize = CoseHelpers.GetTextStringEncodedSize(label);
         }
 
         public bool Equals(CoseHeaderLabel other)
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderMap.cs b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderMap.cs
index 798d62885910e..a3eb9c1e45c8d 100644
--- a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderMap.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHeaderMap.cs
@@ -192,14 +192,15 @@ static void ValidateKnownHeaderValue(int label, CborReaderState? initialState, C
             }
         }
 
-        internal static byte[] Encode(CoseHeaderMap? map, bool mustReturnEmptyBstrIfEmpty = false, int? algHeaderValueToSlip = null)
+        internal static int Encode(CoseHeaderMap? map, Span<byte> destination, bool mustReturnEmptyBstrIfEmpty = false, int? algHeaderValueToSlip = null)
         {
             map ??= s_emptyMap;
             bool shouldSlipAlgHeader = algHeaderValueToSlip.HasValue;
 
             if (map._headerParameters.Count == 0 && mustReturnEmptyBstrIfEmpty && !shouldSlipAlgHeader)
             {
-                return s_emptyBstrEncoded;
+                s_emptyBstrEncoded.CopyTo(destination);
+                return s_emptyBstrEncoded.Length;
             }
 
             int mapLength = map._headerParameters.Count;
@@ -231,7 +232,33 @@ internal static byte[] Encode(CoseHeaderMap? map, bool mustReturnEmptyBstrIfEmpt
                 writer.WriteEncodedValue(encodedValue.Span);
             }
             writer.WriteEndMap();
-            return writer.Encode();
+
+            return writer.Encode(destination);
+        }
+
+        internal static int ComputeEncodedSize(CoseHeaderMap? map, int? algHeaderValueToSlip = null)
+        {
+            map ??= s_emptyMap;
+
+            // encoded map length => map length + (label + value)*
+            int encodedSize = 0;
+            int mapLength = map._headerParameters.Count;
+
+            if (algHeaderValueToSlip != null)
+            {
+                mapLength += 1;
+                encodedSize += CoseHeaderLabel.Algorithm.EncodedSize;
+                encodedSize += CoseHelpers.GetIntegerEncodedSize(algHeaderValueToSlip.Value);
+            }
+
+            encodedSize += CoseHelpers.GetIntegerEncodedSize(mapLength);
+
+            foreach ((CoseHeaderLabel label, ReadOnlyMemory<byte> encodedValue) in map)
+            {
+                encodedSize += label.EncodedSize + encodedValue.Length;
+            }
+
+            return encodedSize;
         }
 
         public Enumerator GetEnumerator() => new Enumerator(_headerParameters.GetEnumerator());
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHelpers.cs b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHelpers.cs
new file mode 100644
index 0000000000000..633fe621170ef
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseHelpers.cs
@@ -0,0 +1,60 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Text;
+
+namespace System.Security.Cryptography.Cose
+{
+    internal static class CoseHelpers
+    {
+        private static readonly UTF8Encoding s_utf8EncodingStrict = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);
+
+        internal static int GetByteStringEncodedSize(int bstrLength)
+        {
+            return GetIntegerEncodedSize(bstrLength) + bstrLength;
+        }
+
+        internal static int GetTextStringEncodedSize(string value)
+        {
+            int strEncodedLength = s_utf8EncodingStrict.GetByteCount(value);
+            return GetIntegerEncodedSize(strEncodedLength) + strEncodedLength;
+        }
+
+        internal static int GetIntegerEncodedSize(long value)
+        {
+            if (value < 0)
+            {
+                ulong unsignedRepresentation = (value == long.MinValue) ? (ulong)long.MaxValue : (ulong)(-value) - 1;
+                return GetIntegerEncodedSize(unsignedRepresentation);
+            }
+            else
+            {
+                return GetIntegerEncodedSize((ulong)value);
+            }
+        }
+
+        internal static int GetIntegerEncodedSize(ulong value)
+        {
+            if (value < 24)
+            {
+                return 1;
+            }
+            else if (value <= byte.MaxValue)
+            {
+                return 1 + sizeof(byte);
+            }
+            else if (value <= ushort.MaxValue)
+            {
+                return 1 + sizeof(ushort);
+            }
+            else if (value <= uint.MaxValue)
+            {
+                return 1 + sizeof(uint);
+            }
+            else
+            {
+                return 1 + sizeof(ulong);
+            }
+        }
+    }
+}
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs
index e44c28d5baa57..ff2f8e586e25e 100644
--- a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseMessage.cs
@@ -1,15 +1,19 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
+using System.Diagnostics;
 using System.Formats.Cbor;
+using System.Runtime.InteropServices;
 using System.Runtime.Versioning;
 
 namespace System.Security.Cryptography.Cose
 {
     public abstract class CoseMessage
     {
-        internal const string PreviewFeatureMessage = "COSE is in preview.";
         private const byte EmptyStringByte = 0xa0;
+        internal const int SizeOfArrayOfFour = 1;
+
         // COSE tags https://datatracker.ietf.org/doc/html/rfc8152#page-8 Table 1.
         internal const CborTag Sign1Tag = (CborTag)18;
 
@@ -46,19 +50,58 @@ public ReadOnlyMemory<byte>? Content
             }
         }
 
-        public static CoseSign1Message DecodeSign1(byte[] cborPayload)
+        public static CoseSign1Message DecodeSign1(byte[] cborPayload!!)
+            => DecodeCoseSign1Core(new CborReader(cborPayload));
+
+        public static CoseSign1Message DecodeSign1(ReadOnlySpan<byte> cborPayload)
+        {
+            unsafe
+            {
+                fixed (byte* ptr = &MemoryMarshal.GetReference(cborPayload))
+                {
+                    using (MemoryManager<byte> manager = new PointerMemoryManager<byte>(ptr, cborPayload.Length))
+                    {
+                        return DecodeCoseSign1Core(new CborReader(manager.Memory));
+                    }
+                }
+            }
+        }
+
+        private static CoseSign1Message DecodeCoseSign1Core(CborReader reader)
         {
             try
             {
-                var reader = new CborReader(cborPayload);
                 CborTag? tag = DecodeTag(reader);
                 if (tag != null && tag != Sign1Tag)
                 {
                     throw new CryptographicException(SR.Format(SR.DecodeSign1IncorrectTag, tag));
                 }
 
-                CoseSign1Message message = DecodeCoseSign1Core(reader);
-                return reader.BytesRemaining == 0 ? message : throw new CryptographicException(SR.Format(SR.DecodeSign1ErrorWhileDecoding, SR.DecodeSign1MesageContainedTrailingData));
+                int? arrayLength = reader.ReadStartArray();
+                if (arrayLength != 4)
+                {
+                    throw new CryptographicException(SR.Format(SR.DecodeSign1ErrorWhileDecoding, SR.DecodeSign1ArrayLengthMustBeFour));
+                }
+
+                var protectedHeader = new CoseHeaderMap();
+                DecodeProtectedBucket(reader, protectedHeader, out byte[] protectedHeaderAsBstr);
+                protectedHeader.IsReadOnly = true;
+
+                var unprotectedHeader = new CoseHeaderMap();
+                DecodeUnprotectedBucket(reader, unprotectedHeader);
+
+                ThrowIfDuplicateLabels(protectedHeader, unprotectedHeader);
+
+                byte[]? payload = DecodePayload(reader);
+                byte[] signature = DecodeSignature(reader);
+                reader.ReadEndArray();
+
+                if (reader.BytesRemaining != 0)
+                {
+                    throw new CryptographicException(SR.Format(SR.DecodeSign1ErrorWhileDecoding, SR.DecodeSign1MesageContainedTrailingData));
+                }
+
+                return new CoseSign1Message(protectedHeader, unprotectedHeader, payload, signature, protectedHeaderAsBstr);
             }
             catch (Exception ex) when (ex is CborContentException or InvalidOperationException)
             {
@@ -75,30 +118,6 @@ public static CoseSign1Message DecodeSign1(byte[] cborPayload)
             };
         }
 
-        private static CoseSign1Message DecodeCoseSign1Core(CborReader reader)
-        {
-            int? arrayLength = reader.ReadStartArray();
-            if (arrayLength != 4)
-            {
-                throw new CryptographicException(SR.Format(SR.DecodeSign1ErrorWhileDecoding, SR.DecodeSign1ArrayLengthMustBeFour));
-            }
-
-            var protectedHeader = new CoseHeaderMap();
-            DecodeProtectedBucket(reader, protectedHeader, out byte[] protectedHeaderAsBstr);
-            protectedHeader.IsReadOnly = true;
-
-            var unprotectedHeader = new CoseHeaderMap();
-            DecodeUnprotectedBucket(reader, unprotectedHeader);
-
-            ThrowIfDuplicateLabels(protectedHeader, unprotectedHeader);
-
-            byte[]? payload = DecodePayload(reader);
-            byte[] signature = DecodeSignature(reader);
-            reader.ReadEndArray();
-
-            return new CoseSign1Message(protectedHeader, unprotectedHeader, payload, signature, protectedHeaderAsBstr);
-        }
-
         private static void DecodeProtectedBucket(CborReader reader, CoseHeaderMap headerParameters, out byte[] protectedHeaderAsBstr)
         {
             protectedHeaderAsBstr = reader.ReadByteString();
@@ -162,7 +181,7 @@ private static byte[] DecodeSignature(CborReader reader)
             return reader.ReadByteString();
         }
 
-        internal static byte[] CreateToBeSigned(string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content)
+        internal static int CreateToBeSigned(string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content, Span<byte> destination)
         {
             var writer = new CborWriter();
             writer.WriteStartArray(4);
@@ -171,9 +190,19 @@ internal static byte[] CreateToBeSigned(string context, ReadOnlySpan<byte> encod
             writer.WriteByteString(Span<byte>.Empty); // external_aad
             writer.WriteByteString(content); //payload or content
             writer.WriteEndArray();
-            return writer.Encode();
+            int bytesWritten = writer.Encode(destination);
+
+            Debug.Assert(bytesWritten == writer.BytesWritten && bytesWritten == ComputeToBeSignedEncodedSize(context, encodedProtectedHeader, content));
+            return bytesWritten;
         }
 
+        internal static int ComputeToBeSignedEncodedSize(string context, ReadOnlySpan<byte> encodedProtectedHeader, ReadOnlySpan<byte> content)
+            => SizeOfArrayOfFour +
+            CoseHelpers.GetTextStringEncodedSize(context) +
+            CoseHelpers.GetByteStringEncodedSize(encodedProtectedHeader.Length) +
+            CoseHelpers.GetByteStringEncodedSize(Span<byte>.Empty.Length) +
+            CoseHelpers.GetByteStringEncodedSize(content.Length);
+
         // Validate duplicate labels https://datatracker.ietf.org/doc/html/rfc8152#section-3.
         internal static void ThrowIfDuplicateLabels(CoseHeaderMap? protectedHeaders, CoseHeaderMap? unprotectedHeaders)
         {
diff --git a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSign1Message.cs b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSign1Message.cs
index 78a524e288cb4..849754ce144a9 100644
--- a/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSign1Message.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/src/System/Security/Cryptography/Cose/CoseSign1Message.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
 using System.Diagnostics;
 using System.Formats.Cbor;
 using System.Runtime.Versioning;
@@ -11,70 +12,100 @@ public sealed class CoseSign1Message : CoseMessage
     {
         private const string SigStructureCoxtextSign1 = "Signature1";
         private const int Sign1ArrayLegth = 4;
+        private byte[]? _toBeSigned;
 
         internal CoseSign1Message(CoseHeaderMap protectedHeader, CoseHeaderMap unprotectedHeader, byte[]? content, byte[] signature, byte[] protectedHeaderAsBstr)
             : base(protectedHeader, unprotectedHeader, content, signature, protectedHeaderAsBstr) { }
 
         [UnsupportedOSPlatform("browser")]
         public static byte[] Sign(byte[] content!!, ECDsa key!!, HashAlgorithmName hashAlgorithm, bool isDetached = false)
-        {
-            byte[] encodedProtectedHeader = CreateEncodedProtectedHeader(KeyType.ECDsa, hashAlgorithm);
-            byte[] toBeSigned = CreateToBeSigned(SigStructureCoxtextSign1, encodedProtectedHeader, content);
-            byte[] signature = SignWithECDsa(key, toBeSigned, hashAlgorithm);
-            return SignCore(encodedProtectedHeader, GetEmptyCborMap(), signature, content, isDetached);
-        }
+            => SignCore(content.AsSpan(), key, hashAlgorithm, KeyType.ECDsa, null, null, isDetached);
 
         [UnsupportedOSPlatform("browser")]
         public static byte[] Sign(byte[] content!!, RSA key!!, HashAlgorithmName hashAlgorithm, bool isDetached = false)
-        {
-            byte[] encodedProtectedHeader = CreateEncodedProtectedHeader(KeyType.RSA, hashAlgorithm);
-            byte[] toBeSigned = CreateToBeSigned(SigStructureCoxtextSign1, encodedProtectedHeader, content);
-            byte[] signature = SignWithRSA(key, toBeSigned, hashAlgorithm);
-            return SignCore(encodedProtectedHeader, GetEmptyCborMap(), signature, content, isDetached);
-        }
+            => SignCore(content.AsSpan(), key, hashAlgorithm, KeyType.RSA, null, null, isDetached);
 
         [UnsupportedOSPlatform("browser")]
         public static byte[] Sign(byte[] content!!, AsymmetricAlgorithm key!!, HashAlgorithmName hashAlgorithm, CoseHeaderMap? protectedHeaders = null, CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false)
+            => SignCore(content.AsSpan(), key, hashAlgorithm, GetKeyType(key), protectedHeaders, unprotectedHeaders, isDetached);
+
+        [UnsupportedOSPlatform("browser")]
+        public static byte[] Sign(ReadOnlySpan<byte> content, AsymmetricAlgorithm key!!, HashAlgorithmName hashAlgorithm, CoseHeaderMap? protectedHeaders = null, CoseHeaderMap? unprotectedHeaders = null, bool isDetached = false)
+            => SignCore(content, key, hashAlgorithm, GetKeyType(key), protectedHeaders, unprotectedHeaders, isDetached);
+
+        [UnsupportedOSPlatform("browser")]
+        internal static byte[] SignCore(ReadOnlySpan<byte> content, AsymmetricAlgorithm key, HashAlgorithmName hashAlgorithm, KeyType keyType, CoseHeaderMap? protectedHeaders, CoseHeaderMap? unprotectedHeaders, bool isDetached)
         {
-            KeyType keyType = key switch
-            {
-                ECDsa => KeyType.ECDsa,
-                RSA => KeyType.RSA,
-                _ => throw new CryptographicException(SR.Format(SR.Sign1SignUnsupportedKey, key.GetType()))
-            };
+            ValidateBeforeSign(protectedHeaders, unprotectedHeaders, keyType, hashAlgorithm, out int? algHeaderValueToSlip);
 
-            ThrowIfDuplicateLabels(protectedHeaders, unprotectedHeaders);
+            int expectedSize = ComputeEncodedSize(protectedHeaders, unprotectedHeaders, algHeaderValueToSlip, content.Length, isDetached, key.KeySize, keyType);
+            byte[] buffer = new byte[expectedSize];
 
-            int? algHeaderValueToSlip = ValidateOrSlipAlgorithmHeader(protectedHeaders, unprotectedHeaders, keyType, hashAlgorithm);
+            int bytesWritten = CreateCoseSign1Message(content, buffer, key, hashAlgorithm, protectedHeaders, unprotectedHeaders, isDetached, algHeaderValueToSlip, keyType);
+            Debug.Assert(expectedSize == bytesWritten);
 
-            byte[] encodedProtetedHeaders = CoseHeaderMap.Encode(protectedHeaders, mustReturnEmptyBstrIfEmpty: true, algHeaderValueToSlip);
-            byte[] toBeSigned = CreateToBeSigned(SigStructureCoxtextSign1, encodedProtetedHeaders, content);
+            return buffer;
+        }
 
-            byte[] signature;
-            if (keyType == KeyType.ECDsa)
+        [UnsupportedOSPlatform("browser")]
+        public static bool TrySign(
+            ReadOnlySpan<byte> content,
+            Span<byte> destination,
+            AsymmetricAlgorithm key!!,
+            HashAlgorithmName hashAlgorithm,
+            out int bytesWritten,
+            CoseHeaderMap? protectedHeaders = null,
+            CoseHeaderMap? unprotectedHeaders = null,
+            bool isDetached = false)
+        {
+            KeyType keyType = GetKeyType(key);
+            ValidateBeforeSign(protectedHeaders, unprotectedHeaders, keyType, hashAlgorithm, out int? algHeaderValueToSlip);
+
+            int expectedSize = ComputeEncodedSize(protectedHeaders, unprotectedHeaders, algHeaderValueToSlip, content.Length, isDetached, key.KeySize, keyType);
+            if (expectedSize > destination.Length)
             {
-                signature = SignWithECDsa((ECDsa)key, toBeSigned, hashAlgorithm);
+                bytesWritten = 0;
+                return false;
             }
-            else
+
+            bytesWritten = CreateCoseSign1Message(content, destination, key, hashAlgorithm, protectedHeaders, unprotectedHeaders, isDetached, algHeaderValueToSlip, keyType);
+            Debug.Assert(expectedSize == bytesWritten);
+
+            return true;
+        }
+
+        internal static KeyType GetKeyType(AsymmetricAlgorithm key)
+        {
+            return key switch
             {
-                signature = SignWithRSA((RSA)key, toBeSigned, hashAlgorithm);
-            }
+                ECDsa => KeyType.ECDsa,
+                RSA => KeyType.RSA,
+                _ => throw new CryptographicException(SR.Format(SR.Sign1SignUnsupportedKey, key.GetType()))
+            };
+        }
 
-            return SignCore(encodedProtetedHeaders, CoseHeaderMap.Encode(unprotectedHeaders), signature, content, isDetached);
+        internal static void ValidateBeforeSign(CoseHeaderMap? protectedHeaders, CoseHeaderMap? unprotectedHeaders, KeyType keyType, HashAlgorithmName hashAlgorithm, out int? algHeaderValueToSlip)
+        {
+            ThrowIfDuplicateLabels(protectedHeaders, unprotectedHeaders);
+            algHeaderValueToSlip = ValidateOrSlipAlgorithmHeader(protectedHeaders, unprotectedHeaders, keyType, hashAlgorithm);
         }
 
-        private static byte[] SignCore(
-            ReadOnlySpan<byte> encodedProtectedHeader,
-            ReadOnlySpan<byte> encodedUnprotectedHeader,
-            ReadOnlySpan<byte> signature,
-            ReadOnlySpan<byte> content,
-            bool isDetached)
+        [UnsupportedOSPlatform("browser")]
+        internal static int CreateCoseSign1Message(ReadOnlySpan<byte> content, Span<byte> buffer, AsymmetricAlgorithm key, HashAlgorithmName hashAlgorithm, CoseHeaderMap? protectedHeaders, CoseHeaderMap? unprotectedHeaders, bool isDetached, int? algHeaderValueToSlip, KeyType keyType)
         {
             var writer = new CborWriter();
             writer.WriteTag(Sign1Tag);
             writer.WriteStartArray(Sign1ArrayLegth);
-            writer.WriteByteString(encodedProtectedHeader);
-            writer.WriteEncodedValue(encodedUnprotectedHeader);
+
+            int protectedMapBytesWritten = CoseHeaderMap.Encode(protectedHeaders, buffer, true, algHeaderValueToSlip);
+            ReadOnlySpan<byte> encodedProtectedHeaders = buffer.Slice(0, protectedMapBytesWritten);
+            // We're going to use the encoded protected headers again after this step (for the toBeSigned construction),
+            // so don't overwrite them yet.
+            writer.WriteByteString(encodedProtectedHeaders);
+
+            int unprotectedMapBytesWritten = CoseHeaderMap.Encode(unprotectedHeaders, buffer.Slice(protectedMapBytesWritten));
+            ReadOnlySpan<byte> encodedUnprotectedHeaders = buffer.Slice(protectedMapBytesWritten, unprotectedMapBytesWritten);
+            writer.WriteEncodedValue(encodedUnprotectedHeaders);
 
             if (isDetached)
             {
@@ -85,36 +116,84 @@ private static byte[] SignCore(
                 writer.WriteByteString(content);
             }
 
-            writer.WriteByteString(signature);
+            int expectedToBeSignedSize = ComputeToBeSignedEncodedSize(SigStructureCoxtextSign1, encodedProtectedHeaders, content);
+
+            Span<byte> toBeSignedBuffer = buffer;
+            byte[]? rentedToBeSignedBuffer = null;
+            int signatureBytesWritten;
+
+            // It is possible for toBeSigned to be bigger than the COSE message length that we used to determine the size of our buffer.
+            // we rent a bigger buffer if that's the case.
+            if (buffer.Length < expectedToBeSignedSize)
+            {
+                rentedToBeSignedBuffer = ArrayPool<byte>.Shared.Rent(expectedToBeSignedSize);
+                toBeSignedBuffer = rentedToBeSignedBuffer;
+            }
+
+            try
+            {
+                int toBeSignedBytesWritten = CreateToBeSigned(SigStructureCoxtextSign1, encodedProtectedHeaders, content, toBeSignedBuffer);
+                ReadOnlySpan<byte> encodedToBeSigned = buffer.Slice(0, toBeSignedBytesWritten);
+
+                if (keyType == KeyType.ECDsa)
+                {
+                    signatureBytesWritten = SignWithECDsa((ECDsa)key, encodedToBeSigned, hashAlgorithm, buffer);
+                }
+                else
+                {
+                    Debug.Assert(keyType == KeyType.RSA);
+                    signatureBytesWritten = SignWithRSA((RSA)key, encodedToBeSigned, hashAlgorithm, buffer);
+                }
+            }
+            finally
+            {
+                if (rentedToBeSignedBuffer != null)
+                {
+                    ArrayPool<byte>.Shared.Return(rentedToBeSignedBuffer, clearArray: true);
+                }
+            }
+
+            writer.WriteByteString(buffer.Slice(0, signatureBytesWritten));
+
             writer.WriteEndArray();
 
-            return writer.Encode();
+            return writer.Encode(buffer);
         }
 
         [UnsupportedOSPlatform("browser")]
-        private static byte[] SignWithECDsa(ECDsa key, byte[] data, HashAlgorithmName hashAlgorithm)
-            => key.SignData(data, hashAlgorithm);
-
-        [UnsupportedOSPlatform("browser")]
-        private static byte[] SignWithRSA(RSA key, byte[] data, HashAlgorithmName hashAlgorithm)
-            => key.SignData(data, hashAlgorithm, RSASignaturePadding.Pss);
-
-        internal static byte[] CreateEncodedProtectedHeader(KeyType algType, HashAlgorithmName hashAlgorithm)
+        private static int SignWithECDsa(ECDsa key, ReadOnlySpan<byte> data, HashAlgorithmName hashAlgorithm, Span<byte> destination)
         {
-            var writer = new CborWriter();
-            writer.WriteStartMap(1);
-            writer.WriteInt32(KnownHeaders.Alg);
-            writer.WriteInt32(GetCoseAlgorithmHeaderFromKeyTypeAndHashAlgorithm(algType, hashAlgorithm));
-            writer.WriteEndMap();
-            return writer.Encode();
+#if NETSTANDARD2_0 || NETFRAMEWORK
+            byte[] signature = key.SignData(data.ToArray(), hashAlgorithm);
+            signature.CopyTo(destination);
+            return signature.Length;
+#else
+            if (!key.TrySignData(data, destination, hashAlgorithm, out int bytesWritten))
+            {
+                Debug.Fail("TrySignData failed with a pre-calculated destination");
+                throw new CryptographicException();
+            }
+
+            return bytesWritten;
+#endif
         }
 
-        private static byte[] GetEmptyCborMap()
+        [UnsupportedOSPlatform("browser")]
+        private static int SignWithRSA(RSA key, ReadOnlySpan<byte> data, HashAlgorithmName hashAlgorithm, Span<byte> destination)
         {
-            var writer = new CborWriter();
-            writer.WriteStartMap(0);
-            writer.WriteEndMap();
-            return writer.Encode();
+#if NETSTANDARD2_0 || NETFRAMEWORK
+            byte[] signature = key.SignData(data.ToArray(), hashAlgorithm, RSASignaturePadding.Pss);
+            signature.CopyTo(destination);
+            return signature.Length;
+#else
+            if (!key.TrySignData(data, destination, hashAlgorithm, RSASignaturePadding.Pss, out int bytesWritten))
+            {
+                Debug.Fail("TrySignData failed with a pre-calculated destination");
+                throw new CryptographicException();
+            }
+
+            return bytesWritten;
+#endif
         }
 
         [UnsupportedOSPlatform("browser")]
@@ -158,7 +237,35 @@ private void PrepareForVerify(ReadOnlySpan<byte> content, out int alg, out byte[
             }
 
             alg = nullableAlg.Value;
-            toBeSigned = CreateToBeSigned(SigStructureCoxtextSign1, _protectedHeaderAsBstr, content);
+
+            if (_content == null)
+            {
+                // Never cache toBeSigned if the message has detached content since the passed-in content can be different in each call.
+                toBeSigned = CreateToBeSignedForVerify(content);
+            }
+            else if (_toBeSigned == null)
+            {
+                toBeSigned = _toBeSigned = CreateToBeSignedForVerify(content);
+            }
+            else
+            {
+                toBeSigned = _toBeSigned;
+            }
+
+            byte[] CreateToBeSignedForVerify(ReadOnlySpan<byte> content)
+            {
+                byte[] rentedbuffer = ArrayPool<byte>.Shared.Rent(ComputeToBeSignedEncodedSize(SigStructureCoxtextSign1, _protectedHeaderAsBstr, content));
+                try
+                {
+                    Span<byte> buffer = rentedbuffer;
+                    int bytesWritten = CreateToBeSigned(SigStructureCoxtextSign1, _protectedHeaderAsBstr, content, buffer);
+                    return buffer.Slice(0, bytesWritten).ToArray();
+                }
+                finally
+                {
+                    ArrayPool<byte>.Shared.Return(rentedbuffer, clearArray: true);
+                }
+            }
         }
 
         private static ReadOnlyMemory<byte> GetCoseAlgorithmFromProtectedHeaders(CoseHeaderMap protectedHeaders)
@@ -311,5 +418,40 @@ private void ThrowIfUnsupportedHeaders()
                 throw new NotSupportedException(SR.Sign1VerifyCriticalAndCounterSignNotSupported);
             }
         }
+
+        private static int ComputeEncodedSize(CoseHeaderMap? protectedHeaders, CoseHeaderMap? unprotectedHeaders, int? algHeaderValueToSlip, int contentLength, bool isDetached, int keySize, KeyType keyType)
+        {
+            // tag + array(4) + encoded protected header map + unprotected header map + content + signature.
+            const int SizeOfTag = 1;
+            const int SizeOfNull = 1;
+
+            int encodedSize = SizeOfTag + SizeOfArrayOfFour +
+                CoseHelpers.GetByteStringEncodedSize(CoseHeaderMap.ComputeEncodedSize(protectedHeaders, algHeaderValueToSlip)) +
+                CoseHeaderMap.ComputeEncodedSize(unprotectedHeaders);
+
+            if (isDetached)
+            {
+                encodedSize += SizeOfNull;
+            }
+            else
+            {
+                encodedSize += CoseHelpers.GetByteStringEncodedSize(contentLength);
+            }
+
+            int signatureSize;
+            if (keyType == KeyType.ECDsa)
+            {
+                signatureSize = 2 * ((keySize + 7) / 8);
+            }
+            else // RSA
+            {
+                Debug.Assert(keyType == KeyType.RSA);
+                signatureSize = (keySize + 7) / 8;
+            }
+
+            encodedSize += CoseHelpers.GetByteStringEncodedSize(signatureSize);
+
+            return encodedSize;
+        }
     }
 }
diff --git a/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.CustomHeaderMaps.cs b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.CustomHeaderMaps.cs
new file mode 100644
index 0000000000000..88e958c5ab203
--- /dev/null
+++ b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.CustomHeaderMaps.cs
@@ -0,0 +1,455 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Formats.Cbor;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Xunit;
+using static System.Security.Cryptography.Cose.Tests.CoseTestHelpers;
+
+namespace System.Security.Cryptography.Cose.Tests
+{
+    // Tests that apply only to custom header scenarios.
+    public abstract class CoseSign1MessageTests_Sign_CustomHeaderMaps : CoseSign1MessageTests_Sign<AsymmetricAlgorithm>
+    {
+        internal override List<CoseAlgorithm> CoseAlgorithms => Enum.GetValues(typeof(CoseAlgorithm)).Cast<CoseAlgorithm>().ToList();
+
+        internal override byte[] Sign(byte[] content, AsymmetricAlgorithm key, HashAlgorithmName hashAlgorithm, bool isDetached = false)
+            => Sign(content, key, hashAlgorithm, null, null, isDetached);
+        internal abstract byte[] Sign(
+            byte[] content,
+            AsymmetricAlgorithm key,
+            HashAlgorithmName hashAlgorithm,
+            CoseHeaderMap? protectedHeaders = null,
+            CoseHeaderMap? unprotectedHeaders = null,
+            bool isDetached = false);
+        internal override bool Verify(CoseSign1Message msg, AsymmetricAlgorithm key)
+            => key is ECDsa ecdsa ? msg.Verify(ecdsa) : msg.Verify((RSA)key);
+        internal override bool Verify(CoseSign1Message msg, AsymmetricAlgorithm key, ReadOnlySpan<byte> content)
+            => key is ECDsa ecdsa ? msg.Verify(ecdsa, content) : msg.Verify((RSA)key);
+
+        [Fact]
+        public void SignVerifyWithCustomCoseHeaderMaps()
+        {
+            foreach ((AsymmetricAlgorithm key, HashAlgorithmName hashAlgorithm, CoseAlgorithm algorithm) in GetKeyHashAlgorithmTriplet())
+            {
+                var protectedHeaders = new CoseHeaderMap();
+                protectedHeaders.SetValue(CoseHeaderLabel.Algorithm, (int)algorithm);
+
+                CoseHeaderMap unprotectedHeaders = new CoseHeaderMap();
+                unprotectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
+
+                ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, key, hashAlgorithm, protectedHeaders, unprotectedHeaders);
+
+                List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>? expectedProtectedHeaders = GetExpectedProtectedHeaders(algorithm);
+                List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>? expectedUnprotectedHeaders = GetEmptyExpectedHeaders();
+                AddEncoded(expectedUnprotectedHeaders, CoseHeaderLabel.ContentType, ContentTypeDummyValue);
+
+                AssertSign1Message(encodedMsg, s_sampleContent, key, algorithm, expectedProtectedHeaders, expectedUnprotectedHeaders);
+
+                CoseSign1Message decodedMsg = CoseMessage.DecodeSign1(encodedMsg);
+                Assert.True(Verify(decodedMsg, key));
+            }
+        }
+
+        [Fact]
+        public void SignWithUnsupportedKey()
+        {
+            AsymmetricAlgorithm key = ECDiffieHellman.Create();
+            // Header still says that a supported combination of key-algorithm will be used.
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, key, DefaultHash, GetHeaderMapWithAlgorithm(DefaultAlgorithm)));
+        }
+
+        [Fact]
+        public void SignWithUnsupportedCoseAlgorithm()
+        {
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, GetHeaderMapWithAlgorithm((CoseAlgorithm)(-47) /*ES256K*/)));
+        }
+
+        [Fact]
+        public void SignWithEmptyHeaderMaps()
+        {
+            CoseHeaderMap protectedHeaders = GetEmptyHeaderMap();
+            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
+
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm);
+
+            Assert.Equal(0, protectedHeaders.Count());
+            Assert.Equal(0, unprotectedHeaders.Count());
+        }
+
+        [Fact]
+        public void SignWith_EmptyProtectedHeaderMap_UnprotectedHeaderMapWithAlgorithm()
+        {
+            CoseHeaderMap protectedHeaders = GetEmptyHeaderMap();
+            CoseHeaderMap unprotectedHeaders = GetHeaderMapWithAlgorithm(DefaultAlgorithm);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
+        }
+
+        [Fact]
+        public void SignWith_ProtectedHeaderMapWithAlgorithm_EmptyUnprotectedHeaderMap()
+        {
+            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm(DefaultAlgorithm);
+            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
+
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm);
+        }
+
+        [Fact]
+        public void SignWithNullHeaderMaps()
+        {
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, null, null);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm);
+        }
+
+        [Fact]
+        public void SignWithNullProtectedHeaderMap()
+        {
+            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
+
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, null, unprotectedHeaders);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm);
+        }
+
+        [Fact]
+        public void SignWithNullUnprotectedHeaderMap()
+        {
+            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm(DefaultAlgorithm);
+
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, null);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm);
+        }
+
+        [Theory]
+        [InlineData(false)]
+        [InlineData(true)]
+        public void SignWithNotKnownHeader(bool useProtectedMap)
+        {
+            CoseHeaderMap protectedHeaders, unprotectedHeaders, mapForCustomHeader;
+            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedProtectedHeaders, expectedUnprotectedHeaders, listForCustomHeader;
+
+            Initialize();
+            CoseHeaderLabel myLabel = new CoseHeaderLabel(42);
+            int myValue = 42;
+
+            mapForCustomHeader.SetValue(myLabel, myValue);
+            AddEncoded(listForCustomHeader, myLabel, myValue);
+
+            ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm, expectedProtectedHeaders, expectedUnprotectedHeaders);
+
+            Initialize();
+            myLabel = new CoseHeaderLabel("42");
+
+            mapForCustomHeader.SetValue(myLabel, myValue);
+            AddEncoded(listForCustomHeader, myLabel, myValue);
+
+            encodedMsg = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
+            AssertSign1Message(encodedMsg, s_sampleContent, DefaultKey, DefaultAlgorithm, expectedProtectedHeaders, expectedUnprotectedHeaders);
+
+            void Initialize()
+            {
+                protectedHeaders = GetHeaderMapWithAlgorithm(DefaultAlgorithm);
+                unprotectedHeaders = GetEmptyHeaderMap();
+                mapForCustomHeader = useProtectedMap ? protectedHeaders : unprotectedHeaders;
+
+                expectedProtectedHeaders = GetExpectedProtectedHeaders(DefaultAlgorithm);
+                expectedUnprotectedHeaders = new List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>();
+                listForCustomHeader = useProtectedMap ? expectedProtectedHeaders : expectedUnprotectedHeaders;
+            }
+        }
+
+        [Fact]
+        public void SignWithDuplicateHeaderBetweenProtectedAndUnprotected()
+        {
+            CoseHeaderMap protectedHeaders, unprotectedHeaders;
+
+            // Algorithm header is duplicated. It is a special case because it is mandatory that the header exists in the protected map.
+            Initialize(DefaultAlgorithm);
+            unprotectedHeaders.SetValue(CoseHeaderLabel.Algorithm, (int)DefaultAlgorithm);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
+
+            // other known header is duplicate.
+            Initialize(DefaultAlgorithm);
+            protectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
+            unprotectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
+
+            // not-known int header is duplicate.
+            Initialize(DefaultAlgorithm);
+            var myLabel = new CoseHeaderLabel(42);
+            protectedHeaders.SetValue(myLabel, 42);
+            unprotectedHeaders.SetValue(myLabel, 42);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
+
+            // not-known tstr header is duplicate.
+            Initialize(DefaultAlgorithm);
+            myLabel = new CoseHeaderLabel("42");
+            protectedHeaders.SetValue(myLabel, 42);
+            unprotectedHeaders.SetValue(myLabel, 42);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
+
+            void Initialize(CoseAlgorithm algorithm)
+            {
+                protectedHeaders = GetHeaderMapWithAlgorithm(algorithm);
+                unprotectedHeaders = GetEmptyHeaderMap();
+            }
+        }
+
+        [Theory]
+        [MemberData(nameof(AllCborTypes_TestData))]
+        public void SignWithAllCborTypesAsHeaderValue(bool useProtectedMap, byte[] encodedValue)
+        {
+            var myLabel = new CoseHeaderLabel(42);
+
+            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm(DefaultAlgorithm);
+            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
+            (useProtectedMap ? protectedHeaders : unprotectedHeaders).SetEncodedValue(myLabel, encodedValue);
+
+            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedProtectedHeaders = GetExpectedProtectedHeaders(DefaultAlgorithm);
+            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedUnprotectedHeaders = GetEmptyExpectedHeaders();
+            (useProtectedMap ? expectedProtectedHeaders : expectedUnprotectedHeaders).Add((myLabel, encodedValue));
+
+            ReadOnlySpan<byte> encodedMessage = Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
+            AssertSign1Message(encodedMessage, s_sampleContent, DefaultKey, DefaultAlgorithm, expectedProtectedHeaders, expectedUnprotectedHeaders);
+
+            // Verify it is transported correctly.
+            CoseSign1Message message = CoseMessage.DecodeSign1(encodedMessage);
+            ReadOnlyMemory<byte> roundtrippedValue = (useProtectedMap ? message.ProtectedHeaders : message.UnprotectedHeaders).GetEncodedValue(myLabel);
+            AssertExtensions.SequenceEqual(encodedValue, roundtrippedValue.Span);
+        }
+
+        public static IEnumerable<object[]> AllCborTypes_TestData()
+        {
+            foreach (bool useProtectedMap in new[] { false, true })
+            {
+                var w = new CborWriter();
+
+                w.WriteBigInteger(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteBoolean(true);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteByteString(s_sampleContent);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteCborNegativeIntegerRepresentation(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteDateTimeOffset(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteDecimal(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteDecimal(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteDouble(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+#if NETCOREAPP
+                w.WriteHalf(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+#endif
+                w.WriteInt32(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteInt64(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteNull();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteSimpleValue(CborSimpleValue.Undefined);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteSingle(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteTag(CborTag.UnsignedBigNum);
+                w.WriteInt32(42);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteTextString(string.Empty);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteUInt32(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteUInt64(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                w.WriteUnixTimeSeconds(default);
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Array
+                w.WriteStartArray(2);
+                w.WriteInt32(42);
+                w.WriteTextString("foo");
+                w.WriteEndArray();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Map
+                w.WriteStartMap(2);
+                // first label-value pair.
+                w.WriteInt32(42);
+                w.WriteTextString("4242");
+                // second label-value pair.
+                w.WriteTextString("42");
+                w.WriteInt32(4242);
+                w.WriteEndMap();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Indefinite length array
+                w.WriteStartArray(null);
+                w.WriteInt32(42);
+                w.WriteTextString("foo");
+                w.WriteEndArray();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Indefinite length map
+                w.WriteStartMap(null);
+                // first label-value pair.
+                w.WriteInt32(42);
+                w.WriteTextString("4242");
+                // second label-value pair.
+                w.WriteTextString("42");
+                w.WriteInt32(4242);
+                w.WriteEndMap();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Indefinite length tstr
+                w.WriteStartIndefiniteLengthTextString();
+                w.WriteTextString("foo");
+                w.WriteEndIndefiniteLengthTextString();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+
+                // Indefinite length bstr
+                w.WriteStartIndefiniteLengthByteString();
+                w.WriteByteString(s_sampleContent);
+                w.WriteEndIndefiniteLengthByteString();
+                yield return ReturnDataAndReset(useProtectedMap, w);
+            }
+
+            static object[] ReturnDataAndReset(bool useProtectedMap, CborWriter w)
+            {
+                byte[] encodedValue = w.Encode();
+                w.Reset();
+                return new object[] { useProtectedMap, encodedValue };
+            }
+        }
+
+        [Theory]
+        [InlineData(0L)]
+        [InlineData(long.MaxValue)]
+        [InlineData(long.MinValue)]
+        [InlineData(int.MinValue - 1L)]
+        [InlineData(int.MaxValue + 1L)]
+        public void SignWithInt64AlgorithmHeaderValue(long value)
+        {
+            var writer = new CborWriter();
+            writer.WriteInt64(value);
+            ReadOnlySpan<byte> encodedValue = writer.Encode();
+
+            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
+            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
+        }
+
+        [Theory]
+        [InlineData(0UL)]
+        [InlineData(ulong.MaxValue)]
+        [InlineData(long.MaxValue + 1UL)]
+        [InlineData(long.MaxValue - 1UL)]
+        public void SignWithUInt64AlgorithmHeaderValue(ulong value)
+        {
+            var writer = new CborWriter();
+            writer.WriteUInt64(value);
+            ReadOnlySpan<byte> encodedValue = writer.Encode();
+
+            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
+            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
+        }
+
+        [Theory]
+        [InlineData(0UL)]
+        [InlineData(ulong.MaxValue)]
+        [InlineData(long.MaxValue + 1UL)]
+        [InlineData(long.MaxValue - 1UL)]
+        public void SignWithCborNegativeIntegerRepresentationAlgorithmHeaderValue(ulong value)
+        {
+            var writer = new CborWriter();
+            writer.WriteCborNegativeIntegerRepresentation(value);
+            ReadOnlySpan<byte> encodedValue = writer.Encode();
+
+            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
+            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
+
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
+        }
+    }
+
+    public class CoseSign1MessageTests_Sign_ByteArray : CoseSign1MessageTests_Sign_CustomHeaderMaps
+    {
+        internal override byte[] Sign(
+            byte[] content,
+            AsymmetricAlgorithm key,
+            HashAlgorithmName hashAlgorithm,
+            CoseHeaderMap? protectedHeaders = null,
+            CoseHeaderMap? unprotectedHeaders = null,
+            bool isDetached = false)
+            => CoseSign1Message.Sign(content, key, hashAlgorithm, protectedHeaders, unprotectedHeaders, isDetached);
+    }
+
+    public class CoseSign1MessageTests_TrySign : CoseSign1MessageTests_Sign_CustomHeaderMaps
+    {
+        internal override byte[] Sign(
+            byte[] content!!,
+            AsymmetricAlgorithm key!!,
+            HashAlgorithmName hashAlgorithm,
+            CoseHeaderMap? protectedHeaders = null,
+            CoseHeaderMap? unprotectedHeaders = null,
+            bool isDetached = false)
+        {
+            Span<byte> destination;
+            int bytesWritten;
+
+            byte[] expectedEncodedMsg = CoseSign1Message.Sign(content, key, hashAlgorithm, protectedHeaders, unprotectedHeaders, isDetached);
+
+            // Assert TrySign returns false when destination buffer is smaller than what we need (size - i).
+            for (int i = 1; i < 10; i++)
+            {
+                destination = expectedEncodedMsg.AsSpan(0, expectedEncodedMsg.Length - i);
+                Assert.False(CoseSign1Message.TrySign(content, destination, key, hashAlgorithm, out bytesWritten, protectedHeaders, unprotectedHeaders, isDetached));
+                Assert.Equal(0, bytesWritten);
+            }
+
+            // Assert TrySign returns true when destination is double the required size (or at least 2k).
+            destination = new byte[Math.Max(expectedEncodedMsg.Length * 2, 2048)];
+            Assert.True(CoseSign1Message.TrySign(content, destination, key, hashAlgorithm, out bytesWritten, protectedHeaders, unprotectedHeaders, isDetached));
+            Assert.Equal(expectedEncodedMsg.Length, bytesWritten);
+
+            // Assert TrySign returns true when destination is the exact size required.
+            destination = destination.Slice(0, expectedEncodedMsg.Length);
+            destination.Clear();
+            Assert.True(CoseSign1Message.TrySign(content, destination, key, hashAlgorithm, out bytesWritten, protectedHeaders, unprotectedHeaders, isDetached));
+            Assert.Equal(destination.Length, bytesWritten);
+
+            return destination.ToArray();
+        }
+    }
+}
diff --git a/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.cs b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.cs
index 8a0c6a5edd117..7a364eb2a6818 100644
--- a/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Sign.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Collections;
 using System.Collections.Generic;
 using System.Formats.Cbor;
 using System.Linq;
@@ -9,60 +10,43 @@
 
 namespace System.Security.Cryptography.Cose.Tests
 {
-    public partial class CoseSign1MessageTests
+    // Tests that apply to all [Try]Sign overloads.
+    public abstract class CoseSign1MessageTests_Sign<T> where T : AsymmetricAlgorithm
     {
-        [Theory]
-        [InlineData(ECDsaAlgorithm.ES256)]
-        [InlineData(ECDsaAlgorithm.ES384)]
-        [InlineData(ECDsaAlgorithm.ES512)]
-        public void SignVerifyECDsa(ECDsaAlgorithm algorithm)
-        {
-            ECDsa ecdsa = ECDsaKeys[algorithm];
-            HashAlgorithmName hashAlgorithm = GetHashAlgorithmNameFromCoseAlgorithm((int)algorithm);
-
-            byte[] coseMessageBytes = CoseSign1Message.Sign(s_sampleContent, ecdsa, hashAlgorithm);
-            CoseSign1Message msg = CoseMessage.DecodeSign1(coseMessageBytes);
-            Assert.True(msg.Verify(ecdsa));
-        }
+        internal CoseAlgorithm DefaultAlgorithm => CoseAlgorithms[0];
+        internal T DefaultKey => GetKeyHashPair<T>(CoseAlgorithms[0]).Key;
+        internal HashAlgorithmName DefaultHash => GetKeyHashPair<T>(CoseAlgorithms[0]).Hash;
+        internal abstract List<CoseAlgorithm> CoseAlgorithms { get; }
+        internal abstract byte[] Sign(byte[] content, T key, HashAlgorithmName hashAlgorithm, bool isDetached = false);
+        internal abstract bool Verify(CoseSign1Message msg, T key);
+        internal abstract bool Verify(CoseSign1Message msg, T key, ReadOnlySpan<byte> content);
 
-        [Theory]
-        [InlineData(RSAAlgorithm.PS256)]
-        [InlineData(RSAAlgorithm.PS384)]
-        [InlineData(RSAAlgorithm.PS512)]
-        public void SignVerifyRSA(RSAAlgorithm algorithm)
+        internal IEnumerable<(T Key, HashAlgorithmName Hash, CoseAlgorithm Algorithm)> GetKeyHashAlgorithmTriplet(bool useNonPrivateKey = false)
         {
-            HashAlgorithmName hashAlgorithm = GetHashAlgorithmNameFromCoseAlgorithm((int)algorithm);
-
-            byte[] coseMessageBytes = CoseSign1Message.Sign(s_sampleContent, RSAKey, hashAlgorithm);
-            CoseSign1Message msg = CoseMessage.DecodeSign1(coseMessageBytes);
-            Assert.True(msg.Verify(RSAKey));
+            foreach (var algorithm in CoseAlgorithms)
+            {
+                var keyHashPair = GetKeyHashPair<T>(algorithm, useNonPrivateKey);
+                yield return (keyHashPair.Key, keyHashPair.Hash, algorithm);
+            }
         }
 
-        [Theory]
-        [InlineData(ECDsaAlgorithm.ES256)]
-        [InlineData(ECDsaAlgorithm.ES384)]
-        [InlineData(ECDsaAlgorithm.ES512)]
-        public void SignVerifyWithCustomHeaders(ECDsaAlgorithm algorithm)
+        [Fact]
+        public void SignVerify()
         {
-            var protectedHeaders = new CoseHeaderMap();
-            protectedHeaders.SetValue(CoseHeaderLabel.Algorithm, (int)algorithm);
-
-            CoseHeaderMap unprotectedHeaders = new CoseHeaderMap();
-            unprotectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
-
-            ECDsa key = ECDsaKeys[algorithm];
-            HashAlgorithmName hashAlgorithm = GetHashAlgorithmNameFromCoseAlgorithm((int)algorithm);
+            foreach ((T key, HashAlgorithmName hashAlgorithm, CoseAlgorithm algorithm) in GetKeyHashAlgorithmTriplet())
+            {
+                ReadOnlySpan<byte> encodedMsg = Sign(s_sampleContent, key, hashAlgorithm);
+                AssertSign1Message(encodedMsg, s_sampleContent, key, algorithm);
 
-            byte[] message = CoseSign1Message.Sign(s_sampleContent, key, hashAlgorithm, protectedHeaders, unprotectedHeaders);
-            Assert.True(CoseMessage.DecodeSign1(message).Verify(key));
+                CoseSign1Message msg = CoseMessage.DecodeSign1(encodedMsg);
+                Assert.True(Verify(msg, key));
+            }
         }
 
         [Fact]
         public void SignWithNullContent()
         {
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(null!, DefaultKey, HashAlgorithmName.SHA256));
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(null!, RSAKey, HashAlgorithmName.SHA256));
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(null!, DefaultKey, DefaultHash, GetHeaderMapWithAlgorithm(), GetEmptyHeaderMap()));
+            Assert.Throws<ArgumentNullException>(() => Sign(null!, DefaultKey, DefaultHash));
         }
 
         [Theory]
@@ -72,59 +56,23 @@ public void SignWithNullContent()
         public void SignWithValidContent(ContentTestCase @case)
         {
             byte[] content = GetDummyContent(@case);
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash), content, DefaultKey);
-
-            AssertSign1Message(CoseSign1Message.Sign(content, RSAKey, DefaultHash), content, RSAKey, GetExpectedProtectedHeaders((int)RSAAlgorithm.PS256));
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, GetHeaderMapWithAlgorithm(), GetEmptyHeaderMap()), content, DefaultKey);
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders: null, unprotectedHeaders: null), content, DefaultKey);
+            ReadOnlySpan<byte> encodedMsg = Sign(content, DefaultKey, DefaultHash);
+            AssertSign1Message(encodedMsg, content, DefaultKey, DefaultAlgorithm);
         }
 
         [Fact]
         public void SignWithNullKey()
         {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(content, (ECDsa)null!, HashAlgorithmName.SHA256));
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(content, (RSA)null!, HashAlgorithmName.SHA256));
-            Assert.Throws<ArgumentNullException>(() => CoseSign1Message.Sign(content, (AsymmetricAlgorithm)null!, GetHashAlgorithmNameFromCoseAlgorithm((int)ECDsaAlgorithm.ES256)));
+            Assert.Throws<ArgumentNullException>(() => Sign(s_sampleContent, null!, DefaultHash));
         }
 
-        [Theory]
-        [InlineData((int)ECDsaAlgorithm.ES256)]
-        [InlineData((int)ECDsaAlgorithm.ES384)]
-        [InlineData((int)ECDsaAlgorithm.ES512)]
-        [InlineData((int)RSAAlgorithm.PS256)]
-        [InlineData((int)RSAAlgorithm.PS384)]
-        [InlineData((int)RSAAlgorithm.PS512)]
-        public void SignWithNonPrivateKey(int algorithm)
+        [Fact]
+        public void SignWithNonPrivateKey()
         {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            HashAlgorithmName hashAlgorithm = GetHashAlgorithmNameFromCoseAlgorithm(algorithm);
-            AsymmetricAlgorithm key;
-
-            if (Enum.IsDefined(typeof(ECDsaAlgorithm), algorithm))
+            foreach ((T nonPrivateKey, HashAlgorithmName hashAlgorithm, _) in GetKeyHashAlgorithmTriplet(useNonPrivateKey: true))
             {
-                ECDsa ecdsa = ECDsaKeysWithoutPrivateKey[(ECDsaAlgorithm)algorithm];
-                Assert.ThrowsAny<CryptographicException>(() => CoseSign1Message.Sign(content, ecdsa, hashAlgorithm));
-                key = ecdsa;
+                Assert.ThrowsAny<CryptographicException>(() => Sign(s_sampleContent, nonPrivateKey, hashAlgorithm));
             }
-            else
-            {
-                Assert.ThrowsAny<CryptographicException>(() => CoseSign1Message.Sign(content, RSAKeyWithoutPrivateKey, hashAlgorithm));
-                key = RSAKeyWithoutPrivateKey;
-            }
-
-            Assert.ThrowsAny<CryptographicException>(() => CoseSign1Message.Sign(content, key, hashAlgorithm, GetHeaderMapWithAlgorithm(algorithm), GetEmptyHeaderMap()));
-        }
-
-        [Fact]
-        public void SignWithUnsupportedKey()
-        {
-            AsymmetricAlgorithm key = ECDiffieHellman.Create();
-            // Header still says that a supported combination of key-algorithm will be used.
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), key, DefaultHash, GetHeaderMapWithAlgorithm(), GetEmptyHeaderMap()));
         }
 
         [Theory]
@@ -132,40 +80,7 @@ public void SignWithUnsupportedKey()
         [InlineData("FOO")]
         public void SignWithUnsupportedHashAlgorithm(string hashAlgorithm)
         {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), DefaultKey, new HashAlgorithmName(hashAlgorithm)));
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), RSAKey, new HashAlgorithmName(hashAlgorithm)));
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), DefaultKey, DefaultHash, GetHeaderMapWithAlgorithm(-47 /*ES256K*/), GetEmptyHeaderMap()));
-        }
-
-        [Theory]
-        [InlineData((int)ECDsaAlgorithm.ES256)]
-        [InlineData((int)ECDsaAlgorithm.ES384)]
-        [InlineData((int)ECDsaAlgorithm.ES512)]
-        [InlineData((int)RSAAlgorithm.PS256)]
-        [InlineData((int)RSAAlgorithm.PS384)]
-        [InlineData((int)RSAAlgorithm.PS512)]
-        public void SignWithSupportedHashAlgorithm(int algorithm)
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            HashAlgorithmName hashAlgorithm = GetHashAlgorithmNameFromCoseAlgorithm(algorithm);
-            AsymmetricAlgorithm key;
-            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedProtectedHeaders = GetExpectedProtectedHeaders(algorithm);
-
-            if (Enum.IsDefined(typeof(ECDsaAlgorithm), algorithm))
-            {
-                ECDsa ecdsa = ECDsaKeys[(ECDsaAlgorithm)algorithm];
-                key = ecdsa;
-                AssertSign1Message(CoseSign1Message.Sign(content, ecdsa, hashAlgorithm), content, key, expectedProtectedHeaders);
-            }
-            else
-            {
-                key = RSAKey;
-                AssertSign1Message(CoseSign1Message.Sign(content, RSAKey, hashAlgorithm), content, key, expectedProtectedHeaders);
-            }
-
-            AssertSign1Message(CoseSign1Message.Sign(content, key, hashAlgorithm, GetHeaderMapWithAlgorithm(algorithm), GetEmptyHeaderMap()), content, key, expectedProtectedHeaders);
+            Assert.Throws<CryptographicException>(() => Sign(s_sampleContent, DefaultKey, new HashAlgorithmName(hashAlgorithm)));
         }
 
         [Theory]
@@ -173,361 +88,35 @@ public void SignWithSupportedHashAlgorithm(int algorithm)
         [InlineData(true)]
         public void SignWithIsDetached(bool isDetached)
         {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-
-            byte[] messageEncoded = CoseSign1Message.Sign(content, DefaultKey, DefaultHash, isDetached);
-            VerifyContentDetached(messageEncoded, content, isDetached);
-
-            messageEncoded = CoseSign1Message.Sign(content, DefaultKey, DefaultHash, isDetached);
-            VerifyContentDetached(messageEncoded, content, isDetached);
+            ReadOnlySpan<byte> messageEncoded = CoseSign1Message.Sign(s_sampleContent, DefaultKey, DefaultHash, isDetached: isDetached);
+            AssertSign1Message(messageEncoded, s_sampleContent, DefaultKey, DefaultAlgorithm, expectedDetachedContent: isDetached);
 
-            static void VerifyContentDetached(byte[] messageEncoded, byte[] expectedContent, bool isDetached)
-            {
-                CoseMessage messageDecoded = CoseMessage.DecodeSign1(messageEncoded);
-                if (isDetached)
-                {
-                    Assert.Null(messageDecoded.Content);
-                }
-                else
-                {
-                    AssertExtensions.SequenceEqual(new ReadOnlySpan<byte>(expectedContent), messageDecoded.Content.GetValueOrDefault().Span);
-                }
-            }
-        }
-
-        [Fact]
-        public void SignWithEmptyHeaderMaps()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap protectedHeaders = GetEmptyHeaderMap();
-
-            AssertSign1Message(CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), DefaultKey, DefaultHash, protectedHeaders, GetEmptyHeaderMap()), content, DefaultKey);
-            Assert.Equal(0, protectedHeaders.Count());
-        }
-
-        [Fact]
-        public void SignWithEmptyProtectedHeaderMap()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap protectedHeaders = GetEmptyHeaderMap();
-            CoseHeaderMap unprotectedHeaders = GetHeaderMapWithAlgorithm();
-
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
-        }
-
-        [Fact]
-        public void SignWithEmptyUnprotectedHeaderMap()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm(); 
-            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders), content, DefaultKey);
-        }
-        [Fact]
-        public void SignWithNullHeaderMaps()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            AssertSign1Message(CoseSign1Message.Sign(GetDummyContent(ContentTestCase.Small), DefaultKey, DefaultHash, null, null), content, DefaultKey);
+            messageEncoded = Sign(s_sampleContent, DefaultKey, DefaultHash, isDetached: isDetached);
+            AssertSign1Message(messageEncoded, s_sampleContent, DefaultKey, DefaultAlgorithm, expectedDetachedContent: isDetached);
         }
+    }
 
-        [Fact]
-        public void SignWithNullProtectedHeaderMap()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap unprotectedHeaders = GetHeaderMapWithAlgorithm();
-
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, null, unprotectedHeaders));
-        }
-
-        [Fact]
-        public void SignWithNullUnprotectedHeaderMap()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm();
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, null), content, DefaultKey);
-        }
-
-        [Theory]
-        [InlineData(false)]
-        [InlineData(true)]
-        public void SignWithCustomHeader(bool useProtectedMap)
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            CoseHeaderMap protectedHeaders, unprotectedHeaders, mapForCustomHeader;
-            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedProtectedHeaders, expectedUnprotectedHeaders, listForCustomHeader;
-
-            Initialize();
-            CoseHeaderLabel myLabel = new CoseHeaderLabel(42);
-            int myValue = 42;
-
-            mapForCustomHeader.SetValue(myLabel, myValue);
-            AddEncoded(listForCustomHeader, myLabel, myValue);
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders),
-                content, DefaultKey, expectedProtectedHeaders, expectedUnprotectedHeaders);
-
-
-            Initialize();
-            myLabel = new CoseHeaderLabel("42");
-
-            mapForCustomHeader.SetValue(myLabel, myValue);
-            AddEncoded(listForCustomHeader, myLabel, myValue);
-
-            AssertSign1Message(CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders),
-                content, DefaultKey, expectedProtectedHeaders, expectedUnprotectedHeaders);
-
-            void Initialize()
-            {
-                protectedHeaders = GetHeaderMapWithAlgorithm();
-                unprotectedHeaders = GetEmptyHeaderMap();
-                mapForCustomHeader = useProtectedMap ? protectedHeaders : unprotectedHeaders;
-
-                expectedProtectedHeaders = GetExpectedProtectedHeaders();
-                expectedUnprotectedHeaders = new List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>();
-                listForCustomHeader = useProtectedMap ? expectedProtectedHeaders : expectedUnprotectedHeaders;
-            }
-        }
-
-        [Fact]
-        public void SignWithDuplicateHeaderBetweenProtectedAndUnprotected()
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            AsymmetricAlgorithm key = DefaultKey;
-            CoseHeaderMap protectedHeaders, unprotectedHeaders;
-
-            // Algorithm header is duplicated. It is a special case because it is mandatory that the header exists in the protected map.
-            InitializeHeaders();
-            // @protected.SetValue(CoseHeaderLabel.Algorithm, (int)ECDsaAlgorithm.ES256); // We don't need to Set Algorithm header as InitHeader does it for us.
-            unprotectedHeaders.SetValue(CoseHeaderLabel.Algorithm, (int)ECDsaAlgorithm.ES256);
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
-
-            // other known header is duplicate.
-            InitializeHeaders();
-            protectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
-            unprotectedHeaders.SetValue(CoseHeaderLabel.ContentType, ContentTypeDummyValue);
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
-
-            // not-known int header is duplicate.
-            InitializeHeaders();
-            var myLabel = new CoseHeaderLabel(42);
-            protectedHeaders.SetValue(myLabel, 42);
-            unprotectedHeaders.SetValue(myLabel, 42);
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
-
-            // not-known tstr header is duplicate.
-            InitializeHeaders();
-            myLabel = new CoseHeaderLabel("42");
-            protectedHeaders.SetValue(myLabel, 42);
-            unprotectedHeaders.SetValue(myLabel, 42);
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders));
-
-            void InitializeHeaders()
-            {
-                protectedHeaders = GetHeaderMapWithAlgorithm();
-                unprotectedHeaders = GetEmptyHeaderMap();
-            }
-        }
-
-        [Theory]
-        [MemberData(nameof(AllCborTypes_TestData))]
-        public void SignWithAllCborTypesAsHeaderValue(bool useProtectedMap, byte[] encodedValue)
-        {
-            byte[] content = GetDummyContent(ContentTestCase.Small);
-            var myLabel = new CoseHeaderLabel(42);
-
-            CoseHeaderMap protectedHeaders = GetHeaderMapWithAlgorithm();
-            CoseHeaderMap unprotectedHeaders = GetEmptyHeaderMap();
-            (useProtectedMap ? protectedHeaders : unprotectedHeaders).SetEncodedValue(myLabel, encodedValue);
-
-            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedProtectedHeaders = GetExpectedProtectedHeaders();
-            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> expectedUnprotectedHeaders = GetEmptyExpectedHeaders();
-            (useProtectedMap ? expectedProtectedHeaders : expectedUnprotectedHeaders).Add((myLabel, encodedValue)); 
-
-            byte[] encodedMessage = CoseSign1Message.Sign(content, DefaultKey, DefaultHash, protectedHeaders, unprotectedHeaders);
-            AssertSign1Message(encodedMessage, content, DefaultKey, expectedProtectedHeaders, expectedUnprotectedHeaders);
-
-            // Verify it is transported correctly.
-            CoseSign1Message message = CoseMessage.DecodeSign1(encodedMessage);
-            ReadOnlyMemory<byte> roundtrippedValue = (useProtectedMap ? message.ProtectedHeaders : message.UnprotectedHeaders).GetEncodedValue(myLabel);
-            AssertExtensions.SequenceEqual(encodedValue, roundtrippedValue.Span);
-        }
-
-        public static IEnumerable<object[]> AllCborTypes_TestData()
-        {
-            foreach (bool useProtectedMap in new[] { false, true })
-            {
-                var w = new CborWriter();
-
-                w.WriteBigInteger(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteBoolean(true);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteByteString(s_sampleContent);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteCborNegativeIntegerRepresentation(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteDateTimeOffset(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteDecimal(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteDecimal(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteDouble(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-#if NETCOREAPP
-                w.WriteHalf(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-#endif
-                w.WriteInt32(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteInt64(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteNull();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteSimpleValue(CborSimpleValue.Undefined);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteSingle(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteTag(CborTag.UnsignedBigNum);
-                w.WriteInt32(42);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteTextString(string.Empty);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteUInt32(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteUInt64(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                w.WriteUnixTimeSeconds(default);
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Array
-                w.WriteStartArray(2);
-                w.WriteInt32(42);
-                w.WriteTextString("foo");
-                w.WriteEndArray();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Map
-                w.WriteStartMap(2);
-                // first label-value pair.
-                w.WriteInt32(42);
-                w.WriteTextString("4242");
-                // second label-value pair.
-                w.WriteTextString("42");
-                w.WriteInt32(4242);
-                w.WriteEndMap();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Indefinite length array
-                w.WriteStartArray(null);
-                w.WriteInt32(42);
-                w.WriteTextString("foo");
-                w.WriteEndArray();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Indefinite length map
-                w.WriteStartMap(null);
-                // first label-value pair.
-                w.WriteInt32(42);
-                w.WriteTextString("4242");
-                // second label-value pair.
-                w.WriteTextString("42");
-                w.WriteInt32(4242);
-                w.WriteEndMap();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Indefinite length tstr
-                w.WriteStartIndefiniteLengthTextString();
-                w.WriteTextString("foo");
-                w.WriteEndIndefiniteLengthTextString();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-
-                // Indefinite length bstr
-                w.WriteStartIndefiniteLengthByteString();
-                w.WriteByteString(s_sampleContent);
-                w.WriteEndIndefiniteLengthByteString();
-                yield return ReturnDataAndReset(useProtectedMap, w);
-            }
-
-            static object[] ReturnDataAndReset(bool useProtectedMap, CborWriter w)
-            {
-                byte[] encodedValue = w.Encode();
-                w.Reset();
-                return new object[] { useProtectedMap, encodedValue };
-            }
-        }
-
-        [Theory]
-        [InlineData(0L)]
-        [InlineData(long.MaxValue)]
-        [InlineData(long.MinValue)]
-        [InlineData(int.MinValue - 1L)]
-        [InlineData(int.MaxValue + 1L)]
-        public void SignWithInt64AlgorithmHeaderValue(long value)
-        {
-            var writer = new CborWriter();
-            writer.WriteInt64(value);
-
-            byte[] encodedValue = writer.Encode();
-
-            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
-            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
-
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
-        }
-
-        [Theory]
-        [InlineData(0UL)]
-        [InlineData(ulong.MaxValue)]
-        [InlineData(long.MaxValue + 1UL)]
-        [InlineData(long.MaxValue - 1UL)]
-        public void SignWithUInt64AlgorithmHeaderValue(ulong value)
-        {
-            var writer = new CborWriter();
-            writer.WriteUInt64(value);
-
-            byte[] encodedValue = writer.Encode();
-
-            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
-            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
-
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
-        }
-
-        [Theory]
-        [InlineData(0UL)]
-        [InlineData(ulong.MaxValue)]
-        [InlineData(long.MaxValue + 1UL)]
-        [InlineData(long.MaxValue - 1UL)]
-        public void SignWithCborNegativeIntegerRepresentationAlgorithmHeaderValue(ulong value)
-        {
-            var writer = new CborWriter();
-            writer.WriteCborNegativeIntegerRepresentation(value);
-
-            byte[] encodedValue = writer.Encode();
-
-            CoseHeaderMap protectedHeaders = new CoseHeaderMap();
-            protectedHeaders.SetEncodedValue(CoseHeaderLabel.Algorithm, encodedValue);
+    public class CoseSign1MessageTests_Sign_ECDsa : CoseSign1MessageTests_Sign<ECDsa>
+    {
+        internal override List<CoseAlgorithm> CoseAlgorithms => new() { CoseAlgorithm.ES256, CoseAlgorithm.ES384, CoseAlgorithm.ES512 };
+
+        internal override byte[] Sign(byte[] content, ECDsa key, HashAlgorithmName hashAlgorithm, bool isDetached = false)
+            => CoseSign1Message.Sign(content, key, hashAlgorithm, isDetached);
+        internal override bool Verify(CoseSign1Message msg, ECDsa key)
+            => msg.Verify(key);
+        internal override bool Verify(CoseSign1Message msg, ECDsa key, ReadOnlySpan<byte> content)
+            => msg.Verify(key, content);
+    }
 
-            Assert.Throws<CryptographicException>(() => CoseSign1Message.Sign(s_sampleContent, DefaultKey, DefaultHash, protectedHeaders));
-        }
+    public class CoseSign1MessageTests_Sign_RSA : CoseSign1MessageTests_Sign<RSA>
+    {
+        internal override List<CoseAlgorithm> CoseAlgorithms => new() { CoseAlgorithm.PS256, CoseAlgorithm.PS384, CoseAlgorithm.PS512 };
+
+        internal override byte[] Sign(byte[] content, RSA key, HashAlgorithmName hashAlgorithm, bool isDetached = false)
+            => CoseSign1Message.Sign(content, key, hashAlgorithm, isDetached);
+        internal override bool Verify(CoseSign1Message msg, RSA key)
+            => msg.Verify(key);
+        internal override bool Verify(CoseSign1Message msg, RSA key, ReadOnlySpan<byte> content)
+            => msg.Verify(key, content);
     }
 }
diff --git a/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Verify.cs b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Verify.cs
index de3e4a6400131..37de7df2d6f71 100644
--- a/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Verify.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/tests/CoseSign1MessageTests.Verify.cs
@@ -5,7 +5,7 @@
 
 namespace System.Security.Cryptography.Cose.Tests
 {
-    public partial class CoseSign1MessageTests
+    public class CoseSign1MessageTests_Verify
     {
         [Theory]
         // https://github.com/cose-wg/Examples/blob/master/RFC8152/Appendix_C_2_1.json
@@ -27,20 +27,19 @@ public partial class CoseSign1MessageTests
         [InlineData((int)ECDsaAlgorithm.ES256, "8443A10126A10442313154546869732069732074686520636F6E74656E742E58408EB33E4CA31D1C465AB05AAC34CC6B23D58FEF5C083106C4D25A91AEF0B0117E2AF9A291AA32E14AB834DC56ED2A223444547E01F11D3B0916E5A4C345CACB36")]
         public void Verify(int algorithm, string hexCborMessage)
         {
-            foreach (bool usePublicOnlyKey in new[] { false, true })
+            foreach (bool useNonPrivateKey in new[] { false, true })
             {
                 CoseSign1Message msg = CoseMessage.DecodeSign1(ByteUtils.HexToByteArray(hexCborMessage));
 
                 bool verified;
                 if (Enum.IsDefined(typeof(ECDsaAlgorithm), algorithm))
                 {
-                    var ecdsaAlgorithm = (ECDsaAlgorithm)algorithm;
-                    ECDsa key = usePublicOnlyKey ? ECDsaKeysWithoutPrivateKey[ecdsaAlgorithm] : ECDsaKeys[ecdsaAlgorithm];
+                    ECDsa key = GetKeyHashPair<ECDsa>((CoseAlgorithm)algorithm, useNonPrivateKey).Key;
                     verified = msg.Verify(key);
                 }
                 else
                 {
-                    RSA key = usePublicOnlyKey ? RSAKeyWithoutPrivateKey : RSAKey;
+                    RSA key = GetKeyHashPair<RSA>((CoseAlgorithm)algorithm, useNonPrivateKey).Key;
                     verified = msg.Verify(key);
                 }
 
@@ -89,6 +88,34 @@ static string ReplaceFirst(string text, string search, string replace)
             }
         }
 
+        [Fact]
+        public void VerifyReturnsTrueAfterAttemptWithWrongContent()
+        {
+            ReadOnlySpan<byte> correctContent = s_sampleContent;
+            Span<byte> wrongContent = new byte[s_sampleContent.Length];
+            wrongContent.Fill(42);
+
+            ReadOnlySpan<byte> encodedMsg = CoseSign1Message.Sign(correctContent, DefaultKey, DefaultHash, isDetached: true);
+            CoseSign1Message msg = CoseMessage.DecodeSign1(encodedMsg);
+
+            Assert.False(msg.Verify(DefaultKey, wrongContent), "Calling Verify with the wrong content");
+            Assert.True(msg.Verify(DefaultKey, s_sampleContent), "Calling Verify with the correct content");
+        }
+
+        [Fact]
+        public void VerifyReturnsFalseAfterAttemptWithCorrectContent()
+        {
+            ReadOnlySpan<byte> correctContent = s_sampleContent;
+            Span<byte> wrongContent = new byte[s_sampleContent.Length];
+            wrongContent.Fill(42);
+
+            ReadOnlySpan<byte> encodedMsg = CoseSign1Message.Sign(correctContent, DefaultKey, DefaultHash, isDetached: true);
+            CoseSign1Message msg = CoseMessage.DecodeSign1(encodedMsg);
+
+            Assert.True(msg.Verify(DefaultKey, s_sampleContent), "Calling Verify with the correct content");
+            Assert.False(msg.Verify(DefaultKey, wrongContent), "Calling Verify with the wrong content");
+        }
+
         [Theory]
         // https://github.com/cose-wg/Examples/blob/master/sign1-tests/sign-fail-03.json
         [InlineData("D28445A1013903E6A10442313154546869732069732074686520636F6E74656E742E58408EB33E4CA31D1C465AB05AAC34CC6B23D58FEF5C083106C4D25A91AEF0B0117E2AF9A291AA32E14AB834DC56ED2A223444547E01F11D3B0916E5A4C345CACB36")]
diff --git a/src/libraries/System.Security.Cryptography.Cose/tests/CoseTestHelpers.cs b/src/libraries/System.Security.Cryptography.Cose/tests/CoseTestHelpers.cs
index 239c37cea831a..df30c12ca34b2 100644
--- a/src/libraries/System.Security.Cryptography.Cose/tests/CoseTestHelpers.cs
+++ b/src/libraries/System.Security.Cryptography.Cose/tests/CoseTestHelpers.cs
@@ -37,6 +37,16 @@ public enum RSAAlgorithm
             PS512 = -39
         }
 
+        public enum CoseAlgorithm
+        {
+            ES256 = -7,
+            ES384 = -35,
+            ES512 = -36,
+            PS256 = -37,
+            PS384 = -38,
+            PS512 = -39
+        }
+
         public enum ContentTestCase
         {
             Empty,
@@ -53,19 +63,19 @@ internal static HashAlgorithmName GetHashAlgorithmNameFromCoseAlgorithm(int algo
                 _ => throw new InvalidOperationException()
             };
 
-        internal static CoseHeaderMap GetHeaderMapWithAlgorithm(int algorithm = (int)ECDsaAlgorithm.ES256)
+        internal static CoseHeaderMap GetHeaderMapWithAlgorithm(CoseAlgorithm algorithm = CoseAlgorithm.ES256)
         {
             var protectedHeaders = new CoseHeaderMap();
-            protectedHeaders.SetValue(CoseHeaderLabel.Algorithm, algorithm);
+            protectedHeaders.SetValue(CoseHeaderLabel.Algorithm, (int)algorithm);
             return protectedHeaders;
         }
 
         internal static CoseHeaderMap GetEmptyHeaderMap() => new CoseHeaderMap();
 
-        internal static List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> GetExpectedProtectedHeaders(int algorithm = (int)ECDsaAlgorithm.ES256)
+        internal static List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> GetExpectedProtectedHeaders(CoseAlgorithm algorithm)
         {
             var l = new List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>();
-            AddEncoded(l, CoseHeaderLabel.Algorithm, algorithm);
+            AddEncoded(l, CoseHeaderLabel.Algorithm, (int)algorithm);
 
             return l;
         }
@@ -79,6 +89,13 @@ internal static void AddEncoded(List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> li
             list.Add((label, writer.Encode()));
         }
 
+        internal static void AddEncoded(List<(CoseHeaderLabel, ReadOnlyMemory<byte>)> list, CoseHeaderLabel label, string value)
+        {
+            var writer = new CborWriter();
+            writer.WriteTextString(value);
+            list.Add((label, writer.Encode()));
+        }
+
         internal static byte[] GetDummyContent(ContentTestCase @case)
         {
             return @case switch
@@ -91,33 +108,34 @@ internal static byte[] GetDummyContent(ContentTestCase @case)
         }
 
         internal static void AssertSign1Message(
-            byte[] encodedMsg,
-            byte[]? expectedContent,
+            ReadOnlySpan<byte> encodedMsg,
+            ReadOnlySpan<byte> expectedContent,
             AsymmetricAlgorithm signingKey,
+            CoseAlgorithm algorithm,
             List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>? expectedProtectedHeaders = null,
-            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>? expectedUnprotectedHeaders = null)
+            List<(CoseHeaderLabel, ReadOnlyMemory<byte>)>? expectedUnprotectedHeaders = null,
+            bool expectedDetachedContent = false)
         {
-            Assert.NotNull(encodedMsg);
-            var reader = new CborReader(encodedMsg);
+            var reader = new CborReader(encodedMsg.ToArray());
 
             // Start
             Assert.Equal((CborTag)18, reader.ReadTag());
             Assert.Equal(4, reader.ReadStartArray());
 
             // Protected headers
-            AssertSign1ProtectedHeaders(reader.ReadByteString(), expectedProtectedHeaders ?? GetExpectedProtectedHeaders());
+            AssertSign1ProtectedHeaders(reader.ReadByteString(), expectedProtectedHeaders ?? GetExpectedProtectedHeaders(algorithm));
 
             // Unprotected headers
             AssertSign1Headers(reader, expectedUnprotectedHeaders ?? GetEmptyExpectedHeaders());
 
             // Content
-            if (expectedContent != null)
+            if (expectedDetachedContent)
             {
-                AssertExtensions.SequenceEqual(expectedContent, reader.ReadByteString());
+                reader.ReadNull();
             }
             else
             {
-                reader.ReadNull();
+                AssertExtensions.SequenceEqual(expectedContent, reader.ReadByteString());
             }
 
             // Signature
@@ -132,11 +150,25 @@ internal static void AssertSign1Message(
             CoseSign1Message msg = CoseMessage.DecodeSign1(encodedMsg);
             if (signingKey is ECDsa ecdsa)
             {
-                Assert.True(msg.Verify(ecdsa), "msg.Verify(ecdsa)");
+                if (expectedDetachedContent)
+                {
+                    Assert.True(msg.Verify(ecdsa, expectedContent), "msg.Verify(ecdsa, content)");
+                }
+                else
+                {
+                    Assert.True(msg.Verify(ecdsa), "msg.Verify(ecdsa)");
+                }
             }
             else if (signingKey is RSA rsa)
             {
-                Assert.True(msg.Verify(rsa), "msg.Verify(rsa)");
+                if (expectedDetachedContent)
+                {
+                    Assert.True(msg.Verify(rsa, expectedContent), "msg.Verify(rsa, content)");
+                }
+                else
+                {
+                    Assert.True(msg.Verify(rsa), "msg.Verify(rsa)");
+                }
             }
             else
             {
@@ -222,9 +254,6 @@ private static void AssertSign1Headers(CborReader reader, List<(CoseHeaderLabel,
         internal static ECDsa DefaultKey => ES256;
         internal static HashAlgorithmName DefaultHash { get; } = GetHashAlgorithmNameFromCoseAlgorithm((int)ECDsaAlgorithm.ES256);
 
-        internal static readonly ThreadStaticECDsaDictionary ECDsaKeys = new(true);
-        internal static readonly ThreadStaticECDsaDictionary ECDsaKeysWithoutPrivateKey = new(false);
-
         [ThreadStatic]
         internal static RSA? t_rsaKey;
         [ThreadStatic]
@@ -280,22 +309,28 @@ private static RSA CreateRSA(bool includePrivateKey)
             return RSA.Create(rsaParameters);
         }
 
-        internal class ThreadStaticECDsaDictionary: Dictionary<ECDsaAlgorithm, ECDsa>
+        internal static (T Key, HashAlgorithmName Hash) GetKeyHashPair<T>(CoseAlgorithm algorithm, bool useNonPrivateKey = false)
         {
-            private bool _includePrivateKeys;
-            public ThreadStaticECDsaDictionary(bool includePrivateKeys)
+            return algorithm switch
             {
-                _includePrivateKeys = includePrivateKeys;
-            }
-            public new ECDsa this[ECDsaAlgorithm key]
+                CoseAlgorithm.ES256 => (GetKey(ES256, ES256WithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA256),
+                CoseAlgorithm.ES384 => (GetKey(ES384, ES384WithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA384),
+                CoseAlgorithm.ES512 => (GetKey(ES512, ES512WithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA512),
+                CoseAlgorithm.PS256 => (GetKey(RSAKey, RSAKeyWithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA256),
+                CoseAlgorithm.PS384 => (GetKey(RSAKey, RSAKeyWithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA384),
+                CoseAlgorithm.PS512 => (GetKey(RSAKey, RSAKeyWithoutPrivateKey, useNonPrivateKey), HashAlgorithmName.SHA512),
+                _ => throw new InvalidOperationException()
+            };
+
+
+            T GetKey(AsymmetricAlgorithm privateKey, AsymmetricAlgorithm nonPrivateKey, bool useNonPrivateKey)
             {
-                get => key switch
+                if (privateKey is T privateKeyAsT && nonPrivateKey is T nonPrivateKeyAsT)
                 {
-                    ECDsaAlgorithm.ES256 => _includePrivateKeys ? ES256 : ES256WithoutPrivateKey,
-                    ECDsaAlgorithm.ES384 => _includePrivateKeys ? ES384 : ES384WithoutPrivateKey,
-                    ECDsaAlgorithm.ES512 => _includePrivateKeys ? ES512 : ES512WithoutPrivateKey,
-                    _ => throw new InvalidOperationException()
-                };
+                    return useNonPrivateKey ? nonPrivateKeyAsT : privateKeyAsT;
+                }
+
+                throw new InvalidOperationException($"Specified algorithm {algorithm} doesn't match the type {typeof(T)}");
             }
         }
     }
diff --git a/src/libraries/System.Security.Cryptography.Cose/tests/System.Security.Cryptography.Cose.Tests.csproj b/src/libraries/System.Security.Cryptography.Cose/tests/System.Security.Cryptography.Cose.Tests.csproj
index a427e73c20226..060a72cc76477 100644
--- a/src/libraries/System.Security.Cryptography.Cose/tests/System.Security.Cryptography.Cose.Tests.csproj
+++ b/src/libraries/System.Security.Cryptography.Cose/tests/System.Security.Cryptography.Cose.Tests.csproj
@@ -14,6 +14,7 @@
     <Compile Include="CoseHeaderLabelTests.cs" />
     <Compile Include="CoseHeaderMapTests.cs" />
     <Compile Include="CoseMessageTests.DecoseSign1.cs" />
+    <Compile Include="CoseSign1MessageTests.Sign.CustomHeaderMaps.cs" />
     <Compile Include="CoseSign1MessageTests.Verify.cs" />
     <Compile Include="CoseSign1MessageTests.Sign.cs" />
     <Compile Include="CoseTestHelpers.cs" />