Skip to content

Tink Java 1.13.0

Compare
Choose a tag to compare
@juergw juergw released this 02 Apr 14:01
· 234 commits to main since this release

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.13.0

To get started using Tink, see the setup guide.

What's new?

Bugs fixed:

  • JwkSetConverter now encodes RSA public keys without leading zero, as
    required by RFC 7518.

Performance improvements:

  • Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat
    are now smaller, because the unused keyset info metadata is not written
    anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
    metadata.
  • Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This
    makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
    faster.
  • AES-GCM is now about 20% faster.

API changes:

  • For Android: Support for SDK 19 has been removed.
  • Removed PrimitiveSet and Registry.registerPrimitiveWrapper from the
    public API. While these were in the public API, they have changed semantics
    in the past and will change more in the future. Code using either
    PrimitiveSet or Registry.registerPrimitiveWrapper will not work after
    upcoming changes. Instead of breaking users silently, we prefer to break
    during compilation. If affected, please file an issue on
    github.com/tink-crypto/tink-java/.
  • For keyset that contain JWT keys, JwtSignatureConfig.register() or
    JwtMacConfig.register() now need to be called before the keyset is parsed.
    If not, calling keysetHandle.getPrimitive(...) will fail with an error
    message: "Unable to get primitive interface
    com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
    to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
    key of type ...".
  • Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the
    public API. These were never intended to be public, and we expect that
    nobody used either of them.
  • Removed the constructors of
    com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt and
    com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt from the public
    API. These took as argument a EciesAeadHkdfDemHelper object whose only
    implementation was private to Tink. We are hence confident that this is
    unused.
  • Removed test-only AndroidKeystoreKmsClient.setKeyStore. This function didn't
    work as expected, as in some places, still the real KeyStore was used. If you
    need to test your code with a fake KeyStore instance, it is preferable to
    inject fake security provider using Security.addProvider, see
    FakeAndroidKeystoreProvider.java as an example for such a provider.
  • Added methods in the class LegacyKeysetSerialization. Users do not need to
    consider this. This will be used later for automatic migrations.
  • Introduced ConfigurationFips140v2. Users who do not want to restrict the
    whole binary to FIPS-only but still want to use FIPS-compliant primitives at
    specific call sites can use
    keysetHandle.GetPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class).
  • Introduced ConfigurationV0 containing Tink's recommended primitives.
    Usage: keysetHandle.GetPrimitive(ConfigurationV0.get(), ExamplePrimitive.class).

Dependencies changes:

  • Upgraded:
    • com.google.protobuf:protobuf => 3.25.1.

Future work

To see what we're working towards, check our project roadmap.

Getting started

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.13.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.13.0'
}

Bazel:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)

load("@rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.13.0",
        # ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.13.0.zip"],
    strip_prefix = "tink-java-1.13.0",
    sha256 = ...
)

load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

# ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)