Tink Java 1.13.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.13.0
To get started using Tink, see the setup guide.
What's new?
Bugs fixed:
- JwkSetConverter now encodes RSA public keys without leading zero, as required by RFC 7518.
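The Base64urlUInt rule behind this fix, shown as an added example that uses only the JDK (it is not Tink's code, and the class and method names are hypothetical). RFC 7518 requires the minimum number of octets, while BigInteger.toByteArray() returns a two's-complement array that carries an extra 0x00 byte when the top bit is set, which is one common way a leading zero ends up in a JWK. The hasLeadingZero check can be run over the "n" and "e" values of stored JWK sets.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;

public class Base64UrlUIntCheck {
  private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

  /** RFC 7518 Base64urlUInt: unsigned big-endian octets, minimal length. */
  static String encodeUInt(BigInteger v) {
    if (v.signum() < 0) {
      throw new IllegalArgumentException("Base64urlUInt cannot encode a negative value");
    }
    byte[] b = v.toByteArray(); // two's complement, may start with a 0x00 sign byte
    if (b.length > 1 && b[0] == 0) {
      b = Arrays.copyOfRange(b, 1, b.length); // drop the sign byte, keep the magnitude
    }
    return ENC.encodeToString(b); // the value zero stays a single 0x00 octet ("AA")
  }

  /** True if a JWK integer member decodes to octets with a redundant leading zero. */
  static boolean hasLeadingZero(String jwkValue) {
    byte[] b = Base64.getUrlDecoder().decode(jwkValue);
    return b.length > 1 && b[0] == 0;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: a throwaway 2048-bit RSA key generated locally.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    RSAPublicKey pub = (RSAPublicKey) gen.generateKeyPair().getPublic();
    BigInteger n = pub.getModulus();

    String padded = ENC.encodeToString(n.toByteArray()); // non-minimal encoding
    String minimal = encodeUInt(n);                      // RFC 7518 encoding

    System.out.println("toByteArray length: " + n.toByteArray().length);
    System.out.println("padded  has leading zero: " + hasLeadingZero(padded));
    System.out.println("minimal has leading zero: " + hasLeadingZero(minimal));
    // Both forms decode to the same integer; only the octet length differs.
    System.out.println("same value: "
        + new BigInteger(1, Base64.getUrlDecoder().decode(padded))
            .equals(new BigInteger(1, Base64.getUrlDecoder().decode(minimal))));
  }
}
```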
Performance improvements:
- Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat
are now smaller, because the unused keyset info metadata is not written
anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
metadata.
- Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This
makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
faster.
- AES-GCM is now about 20% faster.
API changes:
- For Android: Support for SDK 19 has been removed.
- Removed PrimitiveSet and Registry.registerPrimitiveWrapper from the
public API. While these were in the public API, they have changed semantics
in the past and will change more in the future. Code using either
PrimitiveSet or Registry.registerPrimitiveWrapper will not work after
upcoming changes. Instead of breaking users silently, we prefer to break
during compilation. If affected, please file an issue on
github.com/tink-crypto/tink-java/.
- For keysets that contain JWT keys, JwtSignatureConfig.register() or
JwtMacConfig.register() now needs to be called before the keyset is parsed.
If not, calling keysetHandle.getPrimitive(...) will fail with an error
message: "Unable to get primitive interface
com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
key of type ...".
- Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the
public API. These were never intended to be public, and we expect that
nobody used either of them.
- Removed the constructors of
com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt and
com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt from the public
API. These took as argument an EciesAeadHkdfDemHelper object whose only
implementation was private to Tink. We are hence confident that this is
unused.
- Removed test-only AndroidKeystoreKmsClient.setKeyStore. This function didn't
work as expected, because in some places the real KeyStore was still used. If you
need to test your code with a fake KeyStore instance, it is preferable to
inject a fake security provider using Security.addProvider; see
FakeAndroidKeystoreProvider.java as an example for such a provider.
- Added methods in the class LegacyKeysetSerialization. Users do not need to
consider this. This will be used later for automatic migrations.
- Introduced ConfigurationFips140v2. Users who do not want to restrict the
whole binary to FIPS-only but still want to use FIPS-compliant primitives at
specific call sites can use
keysetHandle.getPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class).
- Introduced ConfigurationV0 containing Tink's recommended primitives.
Usage: keysetHandle.getPrimitive(ConfigurationV0.get(), ExamplePrimitive.class).
Dependencies changes:
- Upgraded: com.google.protobuf:protobuf => 3.25.1.
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.13.0</version>
</dependency>
Gradle:
dependencies {
    implementation 'com.google.crypto.tink:tink-android:1.13.0'
}
Bazel:
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

# Pin rules_jvm_external by tag and SHA-256 so the download is integrity-checked.
RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA = "d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)

load("@rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()

load("@rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()

# maven_install must be loaded before it can be called.
load("@rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.13.0",
        # ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)
Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
    # The repository name must match the @tink_java label used in the load() calls below.
    name = "tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.13.0.zip"],
    strip_prefix = "tink-java-1.13.0",
    sha256 = ...
)

load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()

load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()

# ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + [
        # ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)