containers / ocicrypt Goto Github PK

Encryption libraries for Encrypted OCI Container images

License: Apache License 2.0

Makefile 0.43% Go 96.79% Shell 2.78%

ocicrypt's Introduction

OCIcrypt Library

The ocicrypt library is the OCI image spec implementation of container image encryption. More details of the spec can be seen in the OCI repository. The purpose of this library is to encode spec structures and consts in code, as well as provide a consistent implementation of image encryption across container runtimes and build tools.

Consumers of OCIcrypt:

Usage

There are various levels of usage for this library. The main consumers of these would be runtime/build tools, and a more specific use would be in the ability to extend cryptographic function.

Runtime/Build tool usage

The general exposed interface a runtime/build tool would use, would be to perform encryption or decryption of layers:

package "github.com/containers/ocicrypt"
func EncryptLayer(ec *config.EncryptConfig, encOrPlainLayerReader io.Reader, desc ocispec.Descriptor) (io.Reader, EncryptLayerFinalizer, error)
func DecryptLayer(dc *config.DecryptConfig, encLayerReader io.Reader, desc ocispec.Descriptor, unwrapOnly bool) (io.Reader, digest.Digest, error)

The settings/parameters to these functions can be specified via creation of an encryption config with the github.com/containers/ocicrypt/config package. We note that because setting of annotations and other fields of the layer descriptor is done through various means in different runtimes/build tools, it is the responsibility of the caller to still ensure that the layer descriptor follows the OCI specification (i.e. encoding, setting annotations, etc.).

Crypto Agility and Extensibility

The implementation for both symmetric and asymmetric encryption used in this library are behind 2 main interfaces, which users can extend if need be. These are in the following packages:

github.com/containers/ocicrypt/blockcipher - LayerBlockCipher interface for block ciphers
github.com/containers/ocicrypt/keywrap - KeyWrapper interface for key wrapping

We note that adding interfaces here is risky outside the OCI spec is not recommended, unless for very specialized and confined usecases. Please open an issue or PR if there is a general usecase that could be added to the OCI spec.

Keyprovider interface

As part of the keywrap interface, there is a keyprovider implementation that allows one to call out to a binary or service.

Security Issues

We consider security issues related to this library critical. Please report and security related issues by emailing maintainers in the MAINTAINERS file.

Ocicrypt Pkcs11 Support

Ocicrypt Pkcs11 support is currently experiemental. For more details, please refer to the this document.

ocicrypt's People

Contributors

Stargazers

Watchers

ocicrypt's Issues

Use Key Provider to provide encryption key

Would it be possible to give the key provider the option to specify the encryption key and protocols instead of just the KEK?

Concurrent calls of EncryptLayer seem to be racy

c/image can copy layers in parallel; that involves concurrent calls of EncryptLayer with the same EncryptConfig.

Looking at

ocicrypt/keywrap/pkcs11/keywrapper_pkcs11.go

Line 44 in ffc163c

 pkcs11Recipients, err := addPubKeys(&ec.DecryptConfig, append(ec.Parameters["pkcs11-pubkeys"], ec.Parameters["pkcs11-yamls"]...)) 

, it seems that that could concurrently write to the same array underlying the ec.Parameters["pkcs11-pubkeys"] array.

That seems to be possible in principle in Go, as demonstrated by

package main

import "fmt"

func main() {
	a := []int{1, 11, 12, 13}
	a = append(a, 14, 15) // Creates a backing array with extra capacity
	b := append(a, 2, 21) // Writes to the backing array of a
	c := append(a, 3, 31) // ALSO writes to the backing array of a

	fmt.Printf("%#v@%d %#v@%d %#v@%d\n", a, cap(a), b, cap(b), c, cap(c))

	a[0] = 10
	fmt.Printf("%#v@%d %#v@%d %#v@%d\n", a, cap(a), b, cap(b), c, cap(c)) // See that both b and c are updated - and b contains c’s data
}

Update github.com/go-jose/go-jose/v3

https://github.com/go-jose/go-jose/releases/tag/v3.0.1 reports a DoS in code that is called by ocicrypt.

Typically I wouldn’t expect users to want to DoS themselves, but updating would at least silence neurotic vulnerability scanners.

(c/image will update either way, in containers/image#2188 .)

ocicrypt 1.1.0 release checks

Ocicrypt Release 1.1.0

This new release of ocicrypt contains new usable interfaces and thus is a new minor number. This issue details the notable features added as well as a checklist before making a new release that will be used by consuming projects. Target date for completion is 24th January.

Changes

There are several significant changes in release 1.1.0, this includes:

Experimental PKCS11 support enabled via ENV variable
Custom keyprovider support enabled via ENV variable

Checks before release

For the features introduced, consumers of the new feature should test to see if the latest master branch is working and if there are any complications introduced through the interaction of the 2 new features.

PKCS#11 Support for Encrypted Container Images

This thread contains discussion and implementation/design direction for PKCS#11 support for ocicrypt. This was started from #18 created by @Gsealy, and initial discussions from @stefanberger @jejb @jamjoom @lumjjb

The overall plan is to have the feature be experimental, and be formed based on usecases and features requested through discussions of the community. Once it is reached a more stable state, it will become part of the spec. Until then, it is not an officially supported protocol.

Below are some points from discussions within the PRs + side conversations.

Initial experimental prototype

Based on #18 contribution
Marked as experimental org.opencontainers.image.enc.keys.experimental.pkcs11
Support EncryptWith and DecryptWith settings providing module path, PIN and socket number
Support EncryptWith that takes in a public key
Custom packet format for encrypted material attached to image annotations

Experimental prototype iteration

Allow EncryptWith and DecryptWith passing a PKCS11 URI, this will provide
- More universal resolution of keys
- Ability to specify parameters
- Ability to use remote HSMs
Define information passed in encrypted packet metadata vs taken as DecryptConfig and the role of consumers

More iterations including other features as asks/discussion create

Future:

The encrypted packet format should be secure and standardized backed by PKCS11
Upgrade to OCI general use

Please rename the master branch to the main branch.

Cut v1.4.0 release

Can you cut a new release? We're about to release a new version of Podman which needs some post-v1.3.0 commits (see https://github.com/containers/podman/pull/14127/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R18).

Cc: @lumjjb

Explore use of github actions for repo

Per recommendation on #49, worth exploring github actions for CI.

`go.mozilla.org/pkcs7` is unmaintained

The dependency got archived and is unmaintained since February: https://github.com/mozilla-services/pkcs7

We need to find a replacement or maintain the pkcs7 package here on our own.

RFE: Disable Travis CI on this repo

Is your feature request related to a problem? Please describe.
It doesn't appear Travis-CI is in use on this repo, yet it's explicitly enabled for this repo.

Describe the solution you'd like
I'd like to disable Travis-CI to reduce the overall number of containers-org. enabled apps, thereby reducing the maintenance burden.

Describe alternatives you've considered
Leave Travis-CI enabled

Additional context
Travis-CI has issued multiple security bulletins over the past years.

run ocicrypt keyprovider outside of container (or at least as the running user) on encrypt/decrypt

Hello!

When using ocicrypt, I believe at least, the key provider is executed inside of the container as root so $USER is root. Is there a way to disable this and run as the user making the request?

Thanks

ocicrypt for KMS and TPM

not an issue but thought i'd add it here incase anyone is interested.

a bit ago if fiddled with ocicrypt key providers and came up with basic (alpha quality, charitably) ways to support ocicrypt with KMS (GCP for now) and TPM

https://github.com/salrashid123/ocicrypt-kms-keyprovider

allows you to encrypt a layer with GCP KMS
https://github.com/salrashid123/ocicrypt-tpm-keyprovider

allows you to encrypt an image remotely with a TPM's endorsement publicc key (EKPub). image is encrypted in such a way that it can only get decrypted on that tpm that owns the EK. You can also encrypt it remotely such that the target machine is in a specific state (as described by PCR values)

Add PKCS#8 encrypted key support

Deprecation of PEM encrypted keys (https://go-review.googlesource.com/c/go/+/264159/) doesn't affect the workflow and security model built into the encryption/decryption process. However, it does bring about additional security work for operators that wish to leave their keys on the server password-protected.

This can be enhanced by supported the newer PKCS#8 encrypted key. However, this is not yet implemented upstreamed, but should be adopted when it is implemented.

Proposal: Non-intrusive Custom KeyWrap Protocols

OCICRYPT dynamic custom keywrap protocol support

This proposal is to add the ability to support custom keywrap protocols with minimal to no code changes to
downstream consumers of the ocicrypt library and to allow custom protocols to be implemented without
changes to ocicrypt.

Keywrap protocols such as "org.opencontainers.image.enc.keys.custom.*". Examples are:

"org.opencontainers.image.enc.keys.custom.isecl"
"org.opencontainers.image.enc.keys.custom.keyprotect"
"org.opencontainers.image.enc.keys.custom.azurekeyvault"

The end result should provide the ability to configure the library and all downstream users of it via
an environment variable that points to a configuration file. This config file will then provide the
information needed to perform call out to executables to perform the keywrapping/unwrapping

Example Usage/Configuration

The following are examples of downstream usage:

Example of config

The config file /etc/ocicrypt would look something like:

"custom-protocols": {
    "isecl": {
       "cmd": "/usr/lib/ocicrypt-isecl",   
       "args": []
    },
    "keyprotect": {
       "cmd": "/usr/lib/ocicrypt-keyprotect",   
       "args": []
    },
    "keyvault": {
       "grpc": "unix://run/myapp.sock"
    }
}

Env variable config reference

The config file would then be referenced via environment variable OCICRYPT_CUSTOM_CONFIG:

OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json skopeo copy ...
OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json buildah push ...
OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json buildah pull ...
OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json ctd-decoder ...
OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json crio ...

Passing of encryption/decryption keys

Passing of encryption and decryption keys would be implemented via "custom:" prefix, followed by the
named prefix of the protocol, for example, the protocol "org.opencontainers.image.enc.keys.custom.isecl"
would appear like the following:

OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json skopeo copy --encryption-key custom:isecl:some-params

The same would follow for decryption config

OCICRPYT_CUSTOM_CONFIG=/etc/ocicrypt_custom.json skopeo copy --decryption-key custom:some-params

Underworkings and interfaces

Implementation/Integration points

There are two main implementation points. These are passing of encryption/decryption parameters, as well
as the handling of the keywrap interface.

Passing of parameters

Most downstream implementations make use of the CreateCryptoConfig helper to parse encryption/decryption parameters. These would have to be moeified to translate the parameters provided for encryption/decryption to part of a CryptoConfig. No parsing or reading of files should be done at this stage.

This should be able to be handled by the custom keywrap implementation. The parameters will be stoed in the parameter maps with the keys of their prefix, i.e. parameters["custom:secl"] = "some-params".

Handling of keywrap interface

Implementing a "custom" KeyWrap implementation

A KeyWrap interface needs to be implemented called "custom". This implementation would need to be able to look up the environment variable for the config and parse it.

It should then take the inputs of the keywrap interface and call the associated variable, passing in the required arguemnts of the keywrap/unwrap interface as serialized JSON in STDIN.

The custom keywrap implementation will call into the executable passing in json.Marshal(CustomKeyWrapProtocolInput{...}), and parse the exit code of the call for error, if exit with non-zero, treat it as an error and take STDERR as the output err message. Else, parse STDIN as json.Unmarshal(..., &CustomKeyWrapProtocolOuput{}) and pass data base as according to the operation performed.

We will define the following structs as an interface:

type CustomKeyWrapProtocolOperation string

var (
   OpKeyWrap CustomKeyWrapProtocolOperation = "keywrap"
   OpKeyUnwrap CustomKeyWrapProtocolOperation = "keyunwrap"
)

type CustomKeyWrapProtocolInput struct {
    // Operation is either "keywrap" or "keyunwrap"
    Operation CustomKeyWrapProtocolOperation `json:"op"` 
    // KeyWrapParams encodes the arguments to key wrap if operation is set to wrap
    KeyWrapParams KeyWrapParams `json:"keywrapparams",omitempty`
    // KeyUnwrapParams encodes the arguments to key unwrap if operation is set to unwrap
    KeyUnwrapParams KeyUnwrapParams `json:"keyunwrapparams",omitempty`
}


type CustomKeyWrapProtocolOuput struct {
    // KeyWrapResult encodes the results to key wrap if operation is to wrap
    KeyWrapResults  KeyWrapResults `json:"keywrapresults",omitempty`
    // KeyUnwrapResult encodes the result to key unwrap if operation is to unwrap
    KeyUnwrapResults KeyUnwrapResults `json:"keyunwrapresults",omitempty`
}

type KeyWrapParams struct {
    Ec *config.EncryptConfig `json:"ec"`
    OptsData []byte `json:"optsdata"`
}
type KeyUnwrapParams struct {
    Dc *config.DecryptConfig `json:"dc"`
    Annotation []byte `json:"annotation"`
}

type KeyUnwrapResults struct {
    OptsData []byte `json:"optsdata"`
}
type KeyWrapResults struct {
    Annotation[]byte `json:"annotation"`
}

Cmd callouts vs gRPC

Generally cmd call outs are simpler to use, however, in managed kubernetes clusters, there is a high barrier to installing software on the host where the container runtime resides. The gRPC approach would allow a daemonset to be run to server gRPC calls with the same structs (converted to gRPC as regular JSON types would be).

Adding scheme lookup special case for custom protocols

The GetKeyWrapper function for resolving the keywrapper to use needs to handle the special case of custom protocols as we are routing to the custom keywrap implementation based on just the prefix "org.opencontainers.image.enc.keys.custom", instead of the fully qualified annotation string.

https://github.com/containers/ocicrypt/blob/master/encryption.go#L61

Likewise, any code that picks up annotation or wants to write to them should handle this new special case as well

ocicrypt/encryption.go

Line 135 in c835e1c

b64Annotations := desc.Annotations[annotationsID]

NOTE on implementation: This could be done as a golang init() function that reads the config file as well, implementation is subjective to whichever is cleaner. This means that any long-running processes will require reload if config file changes though.

Replacement plans for x/crypto/openpgp ?

I came across golang/go#44226 saying openpgp is marked frozen and deprecated, except for security fixes. Just curious if there are plans to replace it in this repo.

Please cut a new release, would like to get this properly merged into Podman

sha1 removal (entirely or at least as default) ?

Hello, I notice sha1 is used as the default in quite a few places in this repo. Are there are any plans to switch to sha2? I would be interested in doing a PR if you think it's worth it.

Update github.com/go-jose/go-jose/v3 again

go-jose version 3.0.3 has a fix for another security vulnerability, please upgrade.

Is containers/ocicrypt not set up for dependabot?

Better Error message for Key Provider execution

If the Key Provider errors in encryption or decryption, the error message is not very helpful.

On encryption:

Unable to finalize encryption: error while retrieving keyprovider protocol command output: Error while running $COMMAND: exit status 1

On decryption:

decrypting layer sha256:$SHA: missing private key needed for decryption

Can we append the stderr to the message here so we can give the user back some information on what happened?

Alternatively, maybe we can add this to the Protocol structs?

FYI: pkcs11 test crashes on Fedora (softhsm 2.6.1-5)

The pkcs11 test crash on Fedora with softhsm 2.6.1-5. Also miekg's test cases with softhsm crash on Fedora (test needs proper path adjustment for softhsm shared object).
The pkcs11 test runs stable on Ubuntu 21.10 for example with softhsm 2.6.1-2.

Example crash output:

=== RUN   TestPkcs11EncryptDecrypt
Inconsistency detected by ld.so: dl-close.c: 256: _dl_close_worker: Assertion `imap->l_type == lt_loaded && !imap->l_nodelete_active' failed!
FAIL    github.com/containers/ocicrypt/crypto/pkcs11    1.323s

=== RUN   TestKeyWrapPkcs11Success
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x45 pc=0x7fa4e83ea4f5]

runtime stack:
runtime.throw({0x67995a?, 0xffffffffffffffb8?})
        /usr/lib/golang/src/runtime/panic.go:1047 +0x5d fp=0x7fa4bbffe8c0 sp=0x7fa4bbffe890 pc=0x43a61d
runtime.sigpanic()
        /usr/lib/golang/src/runtime/signal_unix.go:825 +0x3e9 fp=0x7fa4bbffe920 sp=0x7fa4bbffe8c0 pc=0x4516e9

goroutine 6 [syscall]:
runtime.cgocall(0x6124c0, 0xc0000d1ac8)
        /usr/lib/golang/src/runtime/cgocall.go:157 +0x5c fp=0xc0000d1aa0 sp=0xc0000d1a68 pc=0x4080bc
github.com/miekg/pkcs11._Cfunc_Destroy(0x7fa4b4001010)
        _cgo_gotypes.go:700 +0x45 fp=0xc0000d1ac8 sp=0xc0000d1aa0 pc=0x5852e5
github.com/miekg/pkcs11.(*Ctx).Destroy.func1(0x0?)
        /home/stefanb/go/pkg/mod/github.com/miekg/[email protected]/pkcs11.go:802 +0x3a fp=0xc0000d1b00 sp=0xc0000d1ac8 pc=0x58725a
github.com/miekg/pkcs11.(*Ctx).Destroy(0xc0000142f8)
        /home/stefanb/go/pkg/mod/github.com/miekg/[email protected]/pkcs11.go:802 +0x29 fp=0xc0000d1b18 sp=0xc0000d1b00 pc=0x5871c9
github.com/containers/ocicrypt/crypto/pkcs11.pkcs11Logout(0x1?, 0x2?)
        /home/stefanb/src/github/containers/ocicrypt/crypto/pkcs11/pkcs11helpers.go:214 +0x48 fp=0xc0000d1b48 sp=0xc0000d1b18 pc=0x58c168
github.com/containers/ocicrypt/crypto/pkcs11.publicEncryptOAEP.func2()
        /home/stefanb/src/github/containers/ocicrypt/crypto/pkcs11/pkcs11helpers.go:269 +0x2a fp=0xc0000d1b68 sp=0xc0000d1b48 pc=0x58d0ca
runtime.deferreturn()
        /usr/lib/golang/src/runtime/panic.go:476 +0x33 fp=0xc0000d1ba8 sp=0xc0000d1b68 pc=0x439073
github.com/containers/ocicrypt/crypto/pkcs11.publicEncryptOAEP(0xc0000142e8, {0xc00001a660, 0x18, 0x18})
        /home/stefanb/src/github/containers/ocicrypt/crypto/pkcs11/pkcs11helpers.go:306 +0x510 fp=0xc0000d1d70 sp=0xc0000d1ba8 pc=0x58ccb0
github.com/containers/ocicrypt/crypto/pkcs11.EncryptMultiple({0xc000071d10, 0x1, 0x1?}, {0xc00001a660, 0x18, 0x18})
        /home/stefanb/src/github/containers/ocicrypt/crypto/pkcs11/pkcs11helpers.go:404 +0x145 fp=0xc0000d1e30 sp=0xc0000d1d70 pc=0x58db45
github.com/containers/ocicrypt/keywrap/pkcs11.(*pkcs11KeyWrapper).WrapKeys(0x670e55?, 0xc000070d00, {0xc00001a660, 0x18, 0x18})
        /home/stefanb/src/github/containers/ocicrypt/keywrap/pkcs11/keywrapper_pkcs11.go:57 +0x1cb fp=0xc0000d1ea8 sp=0xc0000d1e30 pc=0x60ea0b
github.com/containers/ocicrypt/keywrap/pkcs11.TestKeyWrapPkcs11Success(0xc0000d8820)
        /home/stefanb/src/github/containers/ocicrypt/keywrap/pkcs11/keywrapper_pkcs11_test.go:171 +0x197 fp=0xc0000d1f70 sp=0xc0000d1ea8 pc=0x6106b7
testing.tRunner(0xc0000d8820, 0x6954d0)
        /usr/lib/golang/src/testing/testing.go:1576 +0x10b fp=0xc0000d1fc0 sp=0xc0000d1f70 pc=0x4e51ab
testing.(*T).Run.func1()
        /usr/lib/golang/src/testing/testing.go:1629 +0x2a fp=0xc0000d1fe0 sp=0xc0000d1fc0 pc=0x4e61ea
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000d1fe8 sp=0xc0000d1fe0 pc=0x46ee81
created by testing.(*T).Run
        /usr/lib/golang/src/testing/testing.go:1629 +0x3ea

goroutine 1 [chan receive]:
runtime.gopark(0x821fe0?, 0xc0000140d0?, 0x30?, 0xec?, 0xc0000d5a28?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc0000d59a8 sp=0xc0000d5988 pc=0x43d376
runtime.chanrecv(0xc00007c2a0, 0xc0000d5aa7, 0x1)
        /usr/lib/golang/src/runtime/chan.go:583 +0x49d fp=0xc0000d5a38 sp=0xc0000d59a8 pc=0x40ae3d
runtime.chanrecv1(0x8214a0?, 0x62c520?)
        /usr/lib/golang/src/runtime/chan.go:442 +0x18 fp=0xc0000d5a60 sp=0xc0000d5a38 pc=0x40a978
testing.(*T).Run(0xc0000d8680, {0x672115?, 0x4e4ec5?}, 0x6954d0)
        /usr/lib/golang/src/testing/testing.go:1630 +0x405 fp=0xc0000d5b20 sp=0xc0000d5a60 pc=0x4e6065
testing.runTests.func1(0x821fe0?)
        /usr/lib/golang/src/testing/testing.go:2036 +0x45 fp=0xc0000d5b70 sp=0xc0000d5b20 pc=0x4e81c5
testing.tRunner(0xc0000d8680, 0xc0000d5c88)
        /usr/lib/golang/src/testing/testing.go:1576 +0x10b fp=0xc0000d5bc0 sp=0xc0000d5b70 pc=0x4e51ab
testing.runTests(0xc0000aa640?, {0x7fcee0, 0x2, 0x2}, {0xc0000a2190?, 0x100c0000d5d10?, 0x821740?})
        /usr/lib/golang/src/testing/testing.go:2034 +0x489 fp=0xc0000d5cb8 sp=0xc0000d5bc0 pc=0x4e80a9
testing.(*M).Run(0xc0000aa640)
        /usr/lib/golang/src/testing/testing.go:1906 +0x63a fp=0xc0000d5f00 sp=0xc0000d5cb8 pc=0x4e6a1a
main.main()
        _testmain.go:49 +0x1aa fp=0xc0000d5f80 sp=0xc0000d5f00 pc=0x610e0a
runtime.main()
        /usr/lib/golang/src/runtime/proc.go:250 +0x207 fp=0xc0000d5fe0 sp=0xc0000d5f80 pc=0x43cf47
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000d5fe8 sp=0xc0000d5fe0 pc=0x46ee81

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005afb0 sp=0xc00005af90 pc=0x43d376
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.forcegchelper()
        /usr/lib/golang/src/runtime/proc.go:305 +0xb0 fp=0xc00005afe0 sp=0xc00005afb0 pc=0x43d1b0
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005afe8 sp=0xc00005afe0 pc=0x46ee81
created by runtime.init.6
        /usr/lib/golang/src/runtime/proc.go:293 +0x25

goroutine 3 [GC sweep wait]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005b780 sp=0xc00005b760 pc=0x43d376
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.bgsweep(0x0?)
        /usr/lib/golang/src/runtime/mgcsweep.go:278 +0x8e fp=0xc00005b7c8 sp=0xc00005b780 pc=0x427e8e
runtime.gcenable.func1()
        /usr/lib/golang/src/runtime/mgc.go:178 +0x26 fp=0xc00005b7e0 sp=0xc00005b7c8 pc=0x41d146
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005b7e8 sp=0xc00005b7e0 pc=0x46ee81
created by runtime.gcenable
        /usr/lib/golang/src/runtime/mgc.go:178 +0x6b

goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc00007c000?, 0x6cee70?, 0x1?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005bf70 sp=0xc00005bf50 pc=0x43d376
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.(*scavengerState).park(0x8217c0)
        /usr/lib/golang/src/runtime/mgcscavenge.go:400 +0x53 fp=0xc00005bfa0 sp=0xc00005bf70 pc=0x425db3
runtime.bgscavenge(0x0?)
        /usr/lib/golang/src/runtime/mgcscavenge.go:628 +0x45 fp=0xc00005bfc8 sp=0xc00005bfa0 pc=0x426385
runtime.gcenable.func2()
        /usr/lib/golang/src/runtime/mgc.go:179 +0x26 fp=0xc00005bfe0 sp=0xc00005bfc8 pc=0x41d0e6
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005bfe8 sp=0xc00005bfe0 pc=0x46ee81
created by runtime.gcenable
        /usr/lib/golang/src/runtime/mgc.go:179 +0xaa

goroutine 5 [finalizer wait]:
runtime.gopark(0x1a0?, 0x821fe0?, 0x60?, 0x78?, 0xc00005a770?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005a628 sp=0xc00005a608 pc=0x43d376
runtime.runfinq()
        /usr/lib/golang/src/runtime/mfinal.go:193 +0x107 fp=0xc00005a7e0 sp=0xc00005a628 pc=0x41c187
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005a7e8 sp=0xc00005a7e0 pc=0x46ee81
created by runtime.createfing
        /usr/lib/golang/src/runtime/mfinal.go:163 +0x45
FAIL    github.com/containers/ocicrypt/keywrap/pkcs11   6.752s

The miekg's pkcs11 test cases crash in a similar way on ctxt.Destroy():

?       github.com/miekg/pkcs11/p11     [no test files]
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x7fa337116487]

runtime stack:
runtime.throw({0x5a4580?, 0x4?})
        /usr/lib/golang/src/runtime/panic.go:1047 +0x5d fp=0x7ffd249390d0 sp=0x7ffd249390a0 pc=0x43a0dd
runtime.sigpanic()
        /usr/lib/golang/src/runtime/signal_unix.go:825 +0x3e9 fp=0x7ffd24939130 sp=0x7ffd249390d0 pc=0x4511a9

goroutine 10 [syscall]:
runtime.cgocall(0x5564f0, 0xc00006eda8)
        /usr/lib/golang/src/runtime/cgocall.go:157 +0x5c fp=0xc00006ed80 sp=0xc00006ed48 pc=0x40807c
github.com/miekg/pkcs11._Cfunc_Destroy(0x1f4fa50)
        _cgo_gotypes.go:709 +0x45 fp=0xc00006eda8 sp=0xc00006ed80 pc=0x54a4a5
github.com/miekg/pkcs11.(*Ctx).Destroy.func1(0x100?)
        /home/stefanb/src/github/miekg/pkcs11/pkcs11.go:804 +0x3a fp=0xc00006ede0 sp=0xc00006eda8 pc=0x54d9da
github.com/miekg/pkcs11.(*Ctx).Destroy(0xc0000158c8)
        /home/stefanb/src/github/miekg/pkcs11/pkcs11.go:804 +0x29 fp=0xc00006edf8 sp=0xc00006ede0 pc=0x54d949
github.com/miekg/pkcs11.finishSession(0xc000197550?, 0xc000015928?)
        /home/stefanb/src/github/miekg/pkcs11/pkcs11_test.go:96 +0x48 fp=0xc00006ee28 sp=0xc00006edf8 pc=0x545208
github.com/miekg/pkcs11.TestOAEPParams.func1()
        /home/stefanb/src/github/miekg/pkcs11/params_test.go:89 +0x2a fp=0xc00006ee48 sp=0xc00006ee28 pc=0x54408a
github.com/miekg/pkcs11.TestOAEPParams(0xc0000c0d00)
        /home/stefanb/src/github/miekg/pkcs11/params_test.go:113 +0x4f7 fp=0xc00006ef70 sp=0xc00006ee48 pc=0x543ff7
testing.tRunner(0xc0000c0d00, 0x5a7a08)
        /usr/lib/golang/src/testing/testing.go:1576 +0x10b fp=0xc00006efc0 sp=0xc00006ef70 pc=0x4cb08b
testing.(*T).Run.func1()
        /usr/lib/golang/src/testing/testing.go:1629 +0x2a fp=0xc00006efe0 sp=0xc00006efc0 pc=0x4cc0ca
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00006efe8 sp=0xc00006efe0 pc=0x46e061
created by testing.(*T).Run
        /usr/lib/golang/src/testing/testing.go:1629 +0x3ea

goroutine 1 [chan receive]:
runtime.gopark(0x6c2d20?, 0xc0000158c0?, 0xf0?, 0x28?, 0xc00006da28?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00006d9a8 sp=0xc00006d988 pc=0x43ce36
runtime.chanrecv(0xc00007c1c0, 0xc00006daa7, 0x1)
        /usr/lib/golang/src/runtime/chan.go:583 +0x49d fp=0xc00006da38 sp=0xc00006d9a8 pc=0x40adfd
runtime.chanrecv1(0x6c22c0?, 0x56a3c0?)
        /usr/lib/golang/src/runtime/chan.go:442 +0x18 fp=0xc00006da60 sp=0xc00006da38 pc=0x40a938
testing.(*T).Run(0xc0000c01a0, {0x59c337?, 0x4cada5?}, 0x5a7a08)
        /usr/lib/golang/src/testing/testing.go:1630 +0x405 fp=0xc00006db20 sp=0xc00006da60 pc=0x4cbf45
testing.runTests.func1(0x6c2d20?)
        /usr/lib/golang/src/testing/testing.go:2036 +0x45 fp=0xc00006db70 sp=0xc00006db20 pc=0x4ce0a5
testing.tRunner(0xc0000c01a0, 0xc00006dc88)
        /usr/lib/golang/src/testing/testing.go:1576 +0x10b fp=0xc00006dbc0 sp=0xc00006db70 pc=0x4cb08b
testing.runTests(0xc0000ac0a0?, {0x6a8960, 0x10, 0x10}, {0xc0000a1a78?, 0x100c00006dd10?, 0x6c2480?})
        /usr/lib/golang/src/testing/testing.go:2034 +0x489 fp=0xc00006dcb8 sp=0xc00006dbc0 pc=0x4cdf89
testing.(*M).Run(0xc0000ac0a0)
        /usr/lib/golang/src/testing/testing.go:1906 +0x63a fp=0xc00006df00 sp=0xc00006dcb8 pc=0x4cc8fa
main.main()
        _testmain.go:79 +0x1aa fp=0xc00006df80 sp=0xc00006df00 pc=0x554e2a
runtime.main()
        /usr/lib/golang/src/runtime/proc.go:250 +0x207 fp=0xc00006dfe0 sp=0xc00006df80 pc=0x43ca07
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00006dfe8 sp=0xc00006dfe0 pc=0x46e061

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005afb0 sp=0xc00005af90 pc=0x43ce36
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.forcegchelper()
        /usr/lib/golang/src/runtime/proc.go:305 +0xb0 fp=0xc00005afe0 sp=0xc00005afb0 pc=0x43cc70
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005afe8 sp=0xc00005afe0 pc=0x46e061
created by runtime.init.6
        /usr/lib/golang/src/runtime/proc.go:293 +0x25

goroutine 3 [GC sweep wait]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005b780 sp=0xc00005b760 pc=0x43ce36
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.bgsweep(0x0?)
        /usr/lib/golang/src/runtime/mgcsweep.go:278 +0x8e fp=0xc00005b7c8 sp=0xc00005b780 pc=0x42794e
runtime.gcenable.func1()
        /usr/lib/golang/src/runtime/mgc.go:178 +0x26 fp=0xc00005b7e0 sp=0xc00005b7c8 pc=0x41cc06
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005b7e8 sp=0xc00005b7e0 pc=0x46e061
created by runtime.gcenable
        /usr/lib/golang/src/runtime/mgc.go:178 +0x6b

goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc00007c000?, 0x5cdf90?, 0x1?, 0x0?, 0x0?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005bf70 sp=0xc00005bf50 pc=0x43ce36
runtime.goparkunlock(...)
        /usr/lib/golang/src/runtime/proc.go:387
runtime.(*scavengerState).park(0x6c2500)
        /usr/lib/golang/src/runtime/mgcscavenge.go:400 +0x53 fp=0xc00005bfa0 sp=0xc00005bf70 pc=0x425873
runtime.bgscavenge(0x0?)
        /usr/lib/golang/src/runtime/mgcscavenge.go:628 +0x45 fp=0xc00005bfc8 sp=0xc00005bfa0 pc=0x425e45
runtime.gcenable.func2()
        /usr/lib/golang/src/runtime/mgc.go:179 +0x26 fp=0xc00005bfe0 sp=0xc00005bfc8 pc=0x41cba6
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005bfe8 sp=0xc00005bfe0 pc=0x46e061
created by runtime.gcenable
        /usr/lib/golang/src/runtime/mgc.go:179 +0xaa

goroutine 5 [finalizer wait]:
runtime.gopark(0x1a0?, 0x6c2d20?, 0x60?, 0x78?, 0xc00005a770?)
        /usr/lib/golang/src/runtime/proc.go:381 +0xd6 fp=0xc00005a628 sp=0xc00005a608 pc=0x43ce36
runtime.runfinq()
        /usr/lib/golang/src/runtime/mfinal.go:193 +0x107 fp=0xc00005a7e0 sp=0xc00005a628 pc=0x41bc47
runtime.goexit()
        /usr/lib/golang/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc00005a7e8 sp=0xc00005a7e0 pc=0x46e061
created by runtime.createfing
        /usr/lib/golang/src/runtime/mfinal.go:163 +0x45
FAIL    github.com/miekg/pkcs11 1.148s
FAIL

No License Specified

Could you please add license information to the repo?