tink-crypto/tink-java (com.google.crypto.tink:tink-android)
v1.19.0: Tink Java v1.19.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.19
The complete list of changes since 1.18.0 can be found here.
Build changes
- For Bazel builds, we now use Bazel 7.6.1. in our tests.
- For Bazel builds, Tink now supports bzlmod.
- Tink no longer supports Java 8. The minimum version starting from 1.19.0 is Java 11.
Dependencies
- Protobuf 4.28.2 was upgraded to Protobuf 4.32.1. (Note: we plan to shade protobuf in the next minor version of Tink which should resolve compatibility issues)
Obscure behaviour changes
-
Tink will reject custom key types where the Type-Url has non-ASCII characters.
-
Tink may serialize keysets slightly differently in certain cases. For
example, in the serialization of a ECDSA keyset, the points might be padded
differently than before. Users should not depend on the exact format of
Tink's serialization.
-
Use Conscrypt's AES-CMAC implementation when available and when the input is larger than 64 byte. This may improves the performance of AES-CMAC, AES-SIV and AES-EAX for large inputs.
-
Removed usage of thread-local Ciphers for ChaCha20Poly1305.
Added APIs
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.19.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.19.0'
}
Bazel:
Using bzlmod
bazel_dep(name = "tink_java", version = "1.19.0")
git_override(
module_name = "tink_java",
remote = "https://github.com/tink-crypto/tink-java",
tag = "v1.19.0",
)
Using WORKSPACE
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:NEXT_VERSION",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with
http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/NEXT_VERSION.zip"],
strip_prefix = "tink-java-NEXT_VERSION",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.18.0: Tink Java v1.18.0
Tink is a multi-language, cross-platform library that provides simple and
misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.18.0
The complete list of changes since 1.17.0 can be found here.
Dropped support
-
Tink Android no longer supports API level 21 and 22. From Tink 1.18.0, the
minimum API level is 23.
-
Removed Registry.wrap. This API cannot have been used by users: the
PrimitiveSet needed for it was already moved to internal in Tink 1.13.0.
New Features
-
Use Conscrypt's implementation of Ed25519 when available.
-
Improved performance of AES-GCM-SIV.
-
Tink now provides a flag GlobalTinkFlags.validateKeysetsOnParsing(). If
set to true, Tink will run certain validations on a keyset before it creates
a KeysetHandle. We plan to flip the default of this flag to true in Tink
2.0.
Bug fixes
-
AeadConfig.register() now always registers AES-GCM-SIV. If it's not
supported by the registered JCE Providers, it will fail when the primitive
is created.
-
The Aead implementation returned by
com.google.crypto.tink.integration.android.AndroidKeystore.getAead()
created invalid ciphertexts on Android API version 28 and older when
the input was larger than 128kB. Now, it throws an exception instead.
-
JwtHmacKey, LegacyKmsAeadKey, and LegacyKmsEnvelopeAeadKey are now
final. These cannot be properly subclassed as this would break equalsKey.
Obscure behaviour changes
- Primitive creation of AES-GCM-SIV now will fail if the algorithm is not
available. Previously, this used to work with some Configurations succeeding
and the primitive then failed when encrypt or decrypt was called.
Future work
To see what we're working towards, check our
project roadmap.
Getting started
To get started using Tink, see
the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.18.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.18.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.18.0",
##### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with
http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/1.18.0.zip"],
strip_prefix = "tink-java-1.18.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
##### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.17.0: Tink Java v1.17.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.17.0
What's new
The complete list of changes since 1.16.0 can be found here.
New APIs
This release does not add new functionality.
Bugfixes
Tink Java 1.17.0 fixes the following bugs:
- Memory leak in Prf. See #53. When computing Hkdf, Tink used
allocateDirect to get a buffer which is only cleaned up asynchronously. This could lead to excessive memory consumption. Thanks to behrooz-stripe@ for reporting and fixing the issue!
Future work
To see what we're working towards, check our
project roadmap.
Getting started
To get started using Tink, see
the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.17.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.17.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.17.0",
##### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.17.0.zip"],
strip_prefix = "tink-java-1.17.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
##### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.16.0: Tink Java v1.16.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.16.0
What's new
The complete list of changes since 1.15.0 can be found here.
- Added new API
AndroidKeystore, which is now the preferred way to interact with the Android Keystore.
- Before this release, the decision whether to use Conscrypt was done at time of class loading of some specific internal classes. If Conscrypt was not installed before the specific class for a primitive was loaded, Conscrypt was never used. Now, the decision is made whenever a new primitive is instantiated.
- In HPKE, use Conscrypt implementation of
X25519 when available. On Android, it is available since API version 31. This makes HPKE both faster and uses less memory.
- Updated deps:
- Allow
@AccessesPartialKey to be applied to fields and local variables, as well as methods and classes.
- Added support for
X-AES-GCM, which is an AEAD algorithm with extended nonce. It uses AES-CMAC for key derivation and AES-GCM for encryption. It is a generalization of the specification in https://c2sp.org/XAES-256-GCM.
- Added configurations that allow specifying what key types are when using Tink in your application. Tink provides defaults (
ConfigurationV0) that are backwards compatible with behavior before configs were introduced.
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.16.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.16.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.16.0",
##### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.16.0.zip"],
strip_prefix = "tink-java-1.16.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
##### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.15.0: Tink Java v1.15.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.15.0
To get started using Tink, see the setup guide.
What's new?
- Use Conscrypt to verify RSA SSA PKCS1 signatures if it is available. This fixes a bug when Tink is used in FIPS-only mode and when using
ConfigurationFips140v2.
- Use Conscrypt for RSA SSA PSS signatures if it is available. RSA SSA PSS is now available when Tink is used in FIPS-only mode and when using
ConfigurationFips140v2.
RsaSsaPssSignJce and RsaSsaPssVerifyJce now throw an exception if sigHash and mgf1Hash are not equal. This makes these functions consistent with the non-subtle API and with other languages.- Removed
AeadOrDaead and EciesAeadHkdfDemHelper from subtle API. These were internal helper classes for hybrid encryption that are not needed anymore.
- Upgraded
tink-android's androidx.annotation dependency to v1.8.2.
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.15.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.15.0'
}
Bazel:
The recommended way to use tink-java is as a Maven dependency through rules_jvm_external.
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "6.1"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.15.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source and include it with http_archive:
http_archive(
name = "tink_java",
urls = ["https://github.com/tink-crypto/tink-java/releases/download/v1.15.0/tink-java-1.15.0.zip"],
strip_prefix = "tink-java-1.15.0",
sha256 = "e246f848f7749e37f558955ecb50345b04d79ddb9d8d1e8ae19f61e8de530582"
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.14.1
To get started using Tink, see the setup guide.
What's new?
- Downgraded protobuf to 25.3; Protobuf 26.x introduced a breaking change for <= 25.x users.
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.14.1</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.14.1'
}
Bazel:
The recommended way to use tink-java is as a Maven dependency through rules_jvm_external.
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "6.1"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.14.1",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source and include it with http_archive:
http_archive(
name = "tink_java",
urls = ["https://github.com/tink-crypto/tink-java/releases/download/v1.14.1/tink-java-1.14.1.zip"],
strip_prefix = "tink-java-1.14.1",
sha256 = "1f8a2df8fcbfc9b19fba0d5f58cdcc12021cb33cdc307d22d840b437fd17347c"
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.14.0: Tink Java 1.14.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.14.0
To get started using Tink, see the setup guide.
What's new?
API changes
- Removed
PrimitiveWrapper. We anticipate no impact on users, as this class was already rendered unavailable after Registry.registerPrimitiveWrapper was removed in Tink Java 1.13.0.
Performance improvements
- Improved performance of AES-EAX AEAD.
- Improved performance of AES-SIV Deterministic AEAD.
- Improved performance of AES-CMAC PRF.
- Improved performance of ECIES Hybrid Encryption.
Bug fixes
- Fixed bug in binary keyset parsing that resulted in a
TinkBugException when parsing invalid input.
- Fixed bug in JSON keyset parsing that resulted in a
RuntimeException when parsing invalid input.
- Fixed bug where the channel obtained from
newSeekableDecryptingChannel falsely returned -1 on read calls. This only happens if read was called with an empty buffer, and if the previous call to read sucessfully read the end of the stream.
Upgraded dependencies
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.14.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.14.0'
}
Bazel:
The recommended way to use tink-java is as a Maven dependency through rules_jvm_external.
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "6.1"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.14.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.14.0.zip"],
strip_prefix = "tink-java-1.14.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.13.0: Tink Java 1.13.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.13.0
To get started using Tink, see the setup guide.
What's new?
Bugs fixed:
JwkSetConverter now encodes RSA public keys without leading zero, as
required by RFC 7518.
Performance improvements:
- Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat
are now smaller, because the unused keyset info metadata is not written
anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
metadata.
- Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This
makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
faster.
- AES-GCM is now about 20% faster.
API changes:
- For Android: Support for SDK 19 has been removed.
- Removed
PrimitiveSet and Registry.registerPrimitiveWrapper from the
public API. While these were in the public API, they have changed semantics
in the past and will change more in the future. Code using either
PrimitiveSet or Registry.registerPrimitiveWrapper will not work after
upcoming changes. Instead of breaking users silently, we prefer to break
during compilation. If affected, please file an issue on
github.com/tink-crypto/tink-java/.
- For keyset that contain JWT keys,
JwtSignatureConfig.register() or
JwtMacConfig.register() now need to be called before the keyset is parsed.
If not, calling keysetHandle.getPrimitive(...) will fail with an error
message: "Unable to get primitive interface
com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
key of type ...".
- Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the
public API. These were never intended to be public, and we expect that
nobody used either of them.
- Removed the constructors of
com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt and
com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt from the public
API. These took as argument a EciesAeadHkdfDemHelper object whose only
implementation was private to Tink. We are hence confident that this is
unused.
- Removed test-only
AndroidKeystoreKmsClient.setKeyStore. This function didn't
work as expected, as in some places, still the real KeyStore was used. If you
need to test your code with a fake KeyStore instance, it is preferable to
inject fake security provider using Security.addProvider, see
FakeAndroidKeystoreProvider.java as an example for such a provider.
- Added methods in the class LegacyKeysetSerialization. Users do not need to
consider this. This will be used later for automatic migrations.
- Introduced
ConfigurationFips140v2. Users who do not want to restrict the
whole binary to FIPS-only but still want to use FIPS-compliant primitives at
specific call sites can use
keysetHandle.GetPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class).
- Introduced
ConfigurationV0 containing Tink's recommended primitives.
Usage: keysetHandle.GetPrimitive(ConfigurationV0.get(), ExamplePrimitive.class).
Dependencies changes:
- Upgraded:
com.google.protobuf:protobuf => 3.25.1.
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.13.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.13.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.13.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.13.0.zip"],
strip_prefix = "tink-java-1.13.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.12.0: Tink Java 1.12.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.12.0
To get started using Tink, see the setup guide.
What's new?
Bugs fixed:
- On Android, API version 29 and older, AES-GCM-SIV: Due to a bug in Android,
Tink previously uses an AES-GCM cipher for AES-GCM-SIV keys. Now, Tink will
throw an exception on encrypt/decrypt calls (issue).
API changes:
- Disabled registration of custom key managers for primitives other than
Aead, DeterministicAead, StreamingAead, HybridEncrypt, HybridDecrypt, Mac, PublicKeySign, PublicKeyVerify. To the best of our knowledge there is no
user using this mechanism for any other class (which would be fairly
exotic).
- The parser used in JwkSetConverter.toPublicKeysetHandle has been changed and
now rejects duplicate map keys.
- Removed
PrivilegedRegistry. This was never intended to be public, and to
the best of our knowledge there is no user of this class outside of Tink.
- Removed
Registry methods which triggered a TypeParameterUnusedInFormals
error prone warnings. Using these is a bug, and the methods were deprecated
in October 2018. See
https://errorprone.info/bugpattern/TypeParameterUnusedInFormals for
information about this warning.
- Removed
AesCtrKeyManager. This was never intended to be public, and to the
best of our knowledge there are no users of this class outside Tink.
- Remove KMS related constants from the
TestUtil class.
- Added Primitive creation functions to subtle API:
AesGcmHkdfStreaming::create.AesCtrHmacStreaming::create.EncryptThenAuthenticate::create for AesCtrHmacAeadKey.ChaCha20Poly1305::create.XChaCha20Poly1305::create.AesGcmSiv::create.AesEaxJce::create.EcdsaSignJce::create, EcdsaVerifyJce::create.RsaSsaPkcsSignJce::create, RsaSsaPkcsVerifyJce::create.RsaSsaPssSignJce::create, RsaSsaPssVerifyJce::create.Ed25519Sign::create, Ed25519Verify::create.
Dependencies changes:
- Upgraded:
com.google.protobuf:protobuf => 3.24.3.com.google.errorprone:error-prone-annotations => 2.22.0com.google.http-client:google-http-client => 2.22.0rules_jvm_external => 5.3
- Removed:
com.google.auto:auto-common:1.2.1com.google.auto.service:auto-service:1.0.1com.google.auto.service:auto-service-annotations:1.0.1
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.12.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.12.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.12.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.12.0.zip"],
strip_prefix = "tink-java-1.12.0",
sha256 = "c5f79c4f51e55d5c7bbd52c0b17fc8eeedf36d74a231e134882f9c4a74c3fbb1",
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.11.0: Tink Java 1.11.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.11.0
To get started using Tink, see the setup guide.
What's new?
The complete list of changes since 1.10.0 can be found here.
- Added new key/parameter classes for all remaining keys: Ecies, JwtRsaSsaPkcs1, JwtRsaSsapss, LegacyKmsAead, LegacyKmsEnvelopeAead.
- Key IDs of newly generated keys can now be negative (commit).
- Added APIs:
KmsEnvelopeAead.create (commit)HkdfStreamingPrf::create(HkdfPrfKey key) (commit)
- Removed
AeadKeyTemplates.createKmsAeadKeyTemplate (commit)
- Made
InputStreamDecrypter.read() InputStream compliant (issue, commit).
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.11.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.11.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.11.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "tink_java",
urls = ["https://github.com/tink-crypto/tink-java/releases/download/v1.11.0/tink-java-1.11.0.zip"],
strip_prefix = "tink-java-1.11.0",
sha256 = "2bd264c2f0c474c77e2d1e04c627398e963b7a6d0164cfb743ab60a59ab998bd",
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.10.0: Tink Java 1.10.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.10.0
What is new?
The complete list of changes since 1.9.0 can be found here.
New Features:
- Added Key Derivation
KeysetHandle#equalsKeyset can now be used to compare keysets- Added Key classes:
JwtEcdsaPrivateKey, JwtEcdsaPublicKey, RsaSsaPssPrivateKey, RsaSsaPssPublicKey.
- Added
RawJwt.getJsonPayload.
- Restrict KMS Envelope AEAD DEK key type to only Tink AEAD key types.
- Use Conscrypt as source of randomness if possible.
Potentially breaking changes:
While we aim to be backwards compatible in minor releases, we removed some APIs that were not meant to be public and/or that we are confident are not widely used. If you are impacted by any of these, please file an issue.
- Removed
PrivilegedRegistry.parseKeyData -- this was never meant to be in the public API.
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.10.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.10.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.10.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.10.0.zip"],
strip_prefix = "tink-java-1.10.0",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)v1.9.0: Tink Java 1.9.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.9.0
To get started using Tink, see the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.9.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.9.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.9.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.9.0.zip"],
strip_prefix = "tink-java-1.9.0",
sha256 = "9735df7992df73d1518661ac6cf8918fa4693673adaaf0bdee253c24c521c832",
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://maven.google.com",
"https://repo1.maven.org/maven2",
],
)
WARNING: When building from source users that require KMS extensions as well must now explicitly include them, since they are published in separate repositories:
For example, to use tink-java-gcpkms your WORKSPACE file becomes as follows (analogously for tink-java-awskms):
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.9.0.zip"],
strip_prefix = "tink-java-1.9.0",
sha256 = "9735df7992df73d1518661ac6cf8918fa4693673adaaf0bdee253c24c521c832",
)
http_archive(
name = "tink_java_gcpkms",
urls = ["https://github.com/tink-crypto/tink-java-gcpkms/archive/refs/tags/v<SOME_RELEASE>.zip"],
strip_prefix = "tink-java-gcpkms-<SOME_RELEASE>",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
load("@​tink_java_gcpkms//:tink_java_gcpkms_deps.bzl", "TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS")
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS +
TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://maven.google.com",
"https://repo1.maven.org/maven2",
],
)Dependencies to targets in //src/main/java/com/google/crypto/tink/integration/gcpkms now are located in @tink_java_gcpkms.
What's new
The complete list of changes since 1.8.0 can be found here.
- Removed deprecation of some APIs
- Minor refactorings/code improvements
- Added new key/parameter interfaces for StreamingAead, DeterministicAead, HmacPrf and JwtMac
- Added new key/parameter/serialization classes:
- AesGcmHkdfStreaming
- AesCtrHmacAead
- AesCtrHmacStreaming
- AesCmacPrf
Ed25519 - RsaSsaPkcs1
- AesSiv
- JwtHmac
- Add Refaster (https://errorprone.info/docs/refaster) templates to easily migrate away from deprecated APIs
- Improved performance of
AesGcmSiv (commit)
- Fixed Maven dependency issues:
- #4: Removed
androidx.annotations from com.google.crypto.tink:tink (commit); as a result, com.google.crypto.tink:tink has only dependencies from Maven Central.
- #7: Add missing dependencies to
com.google.crypto.tink:tink-android’s POM file (commit).
- Upgraded dependencies:
- com.google.code.gson:gson:2.10.1
- com.google.errorprone:error_prone_annotations:2.18
- com.google.http-client:google-http-client:1.43.1
- com.google.http-client:google-http-client-gson:1.43.1
- joda-time:joda-time:2.12.5
- junit:junit:4.13.2
- androidx.annotation:annotation:1.5.0
To see what we're working towards, check our project roadmap.
v1.8.0: Tink Java 1.8.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.8.0
To get started using Tink, see the setup guide.
Maven:
<dependency>
<groupId>com.google.crypto.tink</groupId>
<artifactId>tink</artifactId>
<version>1.8.0</version>
</dependency>
Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.8.0'
}
Bazel:
load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)
load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
load("@​rules_jvm_external//:defs.bzl", "maven_install")
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.8.0",
### ... other dependencies ...
],
repositories = [
"https://maven.google.com",
"https://repo1.maven.org/maven2",
],
)Alternatively, one can build Tink from source, and include it with http_archive:
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.8.0.zip"],
strip_prefix = "tink-java-1.8.0",
sha256 = "cff458ea60897f7a5edc91d1eb9c58c650c2fd3206d94672f29c950b94398a49"
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://maven.google.com",
"https://repo1.maven.org/maven2",
],
)
WARNING: When building from source users that require KMS extensions as well must now explicitly include them, since they are published in separate repositories:
For example, to use tink-java-gcpkms your WORKSPACE file becomes as follows (analogously for tink-java-awskms):
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.8.0.zip"],
strip_prefix = "tink-java-1.8.0",
sha256 = "cff458ea60897f7a5edc91d1eb9c58c650c2fd3206d94672f29c950b94398a49"
)
http_archive(
name = "tink_java_gcpkms",
urls = ["https://github.com/tink-crypto/tink-java-gcpkms/archive/refs/tags/v<SOME_RELEASE>.zip"],
strip_prefix = "tink-java-gcpkms-<SOME_RELEASE>",
sha256 = ...
)
load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
load("@​tink_java_gcpkms//:tink_java_gcpkms_deps.bzl", "TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS")
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS +
TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://maven.google.com",
"https://repo1.maven.org/maven2",
],
)Dependencies to targets in //src/main/java/com/google/crypto/tink/integration/gcpkms now are located in @tink_java_gcpkms.
What's new
This is the first release from https://github.com/tink-crypto/tink-java.
The complete list of changes since 1.7.0 can be found here.
- Changed the
tink-java POM file as follows:
- Added missing dependency on
androidx.annotation.annotation.
- Only direct dependencies are listed.
- Updated SCM details to point to github.com/tink-crypto/tink-java.
- Upgraded to Bazel 6.0.
- The ChunkedMac primitive can now be used, available implementations are
AesCmac and Hmac.
- Added new API to read and write keysets:
TinkProtoKeysetFormat and TinkJsonProtoKeysetFormat.
- JSON parsing now rejects duplicated map entries.
- Fixed two race conditions in
com.google.crypto.tink.integration.android. Also improved the exceptions raised.
- ECDSA keys are now serialized using fixed size byte arrays.
- Tink will prefer Conscrypt as a JCE provider for ECDSA if available.
- Changes to PrimitiveSet API. Please note that the use of this class is discouraged and should be omitted when possible.
- For the relevant changes see commit.
- (Only relevant if you use or maintain a custom Wrapper class) Registering a wrapper in Registry now requires that the object being registered is always the same. See examples here and here.
- Upgraded dependencies:
- Protobuf to X.21.9 443baab.
com.google.errorprone:error_prone_annotations to 2.16.google.http-client:google-http-client to 1.42.3.com.google.api-client:google-api-client to 2.2.0.com.google.code.gson:gson to 2.10.
To see what we're working towards, check our project roadmap.
Uh oh!
There was an error while loading. Please reload this page.
This PR contains the following updates:
1.7.0->1.19.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
tink-crypto/tink-java (com.google.crypto.tink:tink-android)
v1.19.0: Tink Java v1.19.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.19
The complete list of changes since 1.18.0 can be found here.
Build changes
Dependencies
Obscure behaviour changes
Tink will reject custom key types where the Type-Url has non-ASCII characters.
Tink may serialize keysets slightly differently in certain cases. For
example, in the serialization of a ECDSA keyset, the points might be padded
differently than before. Users should not depend on the exact format of
Tink's serialization.
Use Conscrypt's AES-CMAC implementation when available and when the input is larger than 64 byte. This may improves the performance of AES-CMAC, AES-SIV and AES-EAX for large inputs.
Removed usage of thread-local Ciphers for ChaCha20Poly1305.
Added APIs
Added public
JwtEcdsaParameters.Algorithm.getEcParameterSpecmethod.The AES-SIV implementation in subtle now accepts multiple associated datas.
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
Gradle:
Bazel:
Using bzlmod
Using WORKSPACE
Alternatively, one can build Tink from source, and include it with
http_archive:v1.18.0: Tink Java v1.18.0Tink is a multi-language, cross-platform library that provides simple and
misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.18.0
The complete list of changes since 1.17.0 can be found here.
Dropped support
Tink Android no longer supports API level 21 and 22. From Tink 1.18.0, the
minimum API level is 23.
Removed
Registry.wrap. This API cannot have been used by users: thePrimitiveSetneeded for it was already moved to internal in Tink 1.13.0.New Features
Use Conscrypt's implementation of
Ed25519when available.Improved performance of AES-GCM-SIV.
Tink now provides a flag
GlobalTinkFlags.validateKeysetsOnParsing(). Ifset to true, Tink will run certain validations on a keyset before it creates
a
KeysetHandle. We plan to flip the default of this flag to true in Tink2.0.
Bug fixes
AeadConfig.register()now always registers AES-GCM-SIV. If it's notsupported by the registered JCE Providers, it will fail when the primitive
is created.
The Aead implementation returned by
com.google.crypto.tink.integration.android.AndroidKeystore.getAead()created invalid ciphertexts on Android API version 28 and older when
the input was larger than 128kB. Now, it throws an exception instead.
JwtHmacKey,LegacyKmsAeadKey, andLegacyKmsEnvelopeAeadKeyare nowfinal. These cannot be properly subclassed as this would break
equalsKey.Obscure behaviour changes
available. Previously, this used to work with some Configurations succeeding
and the primitive then failed when encrypt or decrypt was called.
Future work
To see what we're working towards, check our
project roadmap.
Getting started
To get started using Tink, see
the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.17.0: Tink Java v1.17.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.17.0
What's new
The complete list of changes since 1.16.0 can be found here.
New APIs
This release does not add new functionality.
Bugfixes
Tink Java 1.17.0 fixes the following bugs:
allocateDirectto get a buffer which is only cleaned up asynchronously. This could lead to excessive memory consumption. Thanks to behrooz-stripe@ for reporting and fixing the issue!Future work
To see what we're working towards, check our
project roadmap.
Getting started
To get started using Tink, see
the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.16.0: Tink Java v1.16.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.16.0
What's new
The complete list of changes since 1.15.0 can be found here.
AndroidKeystore, which is now the preferred way to interact with the Android Keystore.X25519when available. On Android, it is available since API version 31. This makes HPKE both faster and uses less memory.@AccessesPartialKeyto be applied to fields and local variables, as well as methods and classes.X-AES-GCM, which is an AEAD algorithm with extended nonce. It usesAES-CMACfor key derivation andAES-GCMfor encryption. It is a generalization of the specification in https://c2sp.org/XAES-256-GCM.ConfigurationV0) that are backwards compatible with behavior before configs were introduced.Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.15.0: Tink Java v1.15.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.15.0
To get started using Tink, see the setup guide.
What's new?
ConfigurationFips140v2.ConfigurationFips140v2.RsaSsaPssSignJceandRsaSsaPssVerifyJcenow throw an exception ifsigHashandmgf1Hashare not equal. This makes these functions consistent with the non-subtle API and with other languages.AeadOrDaeadandEciesAeadHkdfDemHelperfrom subtle API. These were internal helper classes for hybrid encryption that are not needed anymore.tink-android'sandroidx.annotationdependency tov1.8.2.Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
The recommended way to use tink-java is as a Maven dependency through
rules_jvm_external.Alternatively, one can build Tink from source and include it with
http_archive:v1.14.1Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.14.1
To get started using Tink, see the setup guide.
What's new?
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
The recommended way to use tink-java is as a Maven dependency through
rules_jvm_external.Alternatively, one can build Tink from source and include it with
http_archive:v1.14.0: Tink Java 1.14.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.14.0
To get started using Tink, see the setup guide.
What's new?
API changes
PrimitiveWrapper. We anticipate no impact on users, as this class was already rendered unavailable afterRegistry.registerPrimitiveWrapperwas removed in Tink Java 1.13.0.Performance improvements
Bug fixes
TinkBugExceptionwhen parsing invalid input.RuntimeExceptionwhen parsing invalid input.newSeekableDecryptingChannelfalsely returned -1 onreadcalls. This only happens ifreadwas called with an empty buffer, and if the previous call toreadsucessfully read the end of the stream.Upgraded dependencies
Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
The recommended way to use tink-java is as a Maven dependency through
rules_jvm_external.Alternatively, one can build Tink from source and include it with
http_archive:v1.13.0: Tink Java 1.13.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.13.0
To get started using Tink, see the setup guide.
What's new?
Bugs fixed:
JwkSetConverternow encodes RSA public keys without leading zero, asrequired by RFC 7518.
Performance improvements:
are now smaller, because the unused keyset info metadata is not written
anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
metadata.
makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
faster.
API changes:
PrimitiveSetandRegistry.registerPrimitiveWrapperfrom thepublic API. While these were in the public API, they have changed semantics
in the past and will change more in the future. Code using either
PrimitiveSetorRegistry.registerPrimitiveWrapperwill not work afterupcoming changes. Instead of breaking users silently, we prefer to break
during compilation. If affected, please file an issue on
github.com/tink-crypto/tink-java/.
JwtSignatureConfig.register()orJwtMacConfig.register()now need to be called before the keyset is parsed.If not, calling
keysetHandle.getPrimitive(...)will fail with an errormessage: "Unable to get primitive interface
com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
key of type ...".
public API. These were never intended to be public, and we expect that
nobody used either of them.
com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecryptandcom.google.crypto.tink.subtle.EciesAeadHkdfHybridEncryptfrom the publicAPI. These took as argument a
EciesAeadHkdfDemHelperobject whose onlyimplementation was private to Tink. We are hence confident that this is
unused.
AndroidKeystoreKmsClient.setKeyStore. This function didn'twork as expected, as in some places, still the real KeyStore was used. If you
need to test your code with a fake KeyStore instance, it is preferable to
inject fake security provider using
Security.addProvider, seeFakeAndroidKeystoreProvider.java as an example for such a provider.
consider this. This will be used later for automatic migrations.
ConfigurationFips140v2. Users who do not want to restrict thewhole binary to FIPS-only but still want to use FIPS-compliant primitives at
specific call sites can use
keysetHandle.GetPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class).ConfigurationV0containing Tink's recommended primitives.Usage:
keysetHandle.GetPrimitive(ConfigurationV0.get(), ExamplePrimitive.class).Dependencies changes:
com.google.protobuf:protobuf=> 3.25.1.Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.12.0: Tink Java 1.12.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.12.0
To get started using Tink, see the setup guide.
What's new?
Bugs fixed:
Tink previously uses an AES-GCM cipher for AES-GCM-SIV keys. Now, Tink will
throw an exception on encrypt/decrypt calls (issue).
API changes:
Aead, DeterministicAead, StreamingAead, HybridEncrypt, HybridDecrypt, Mac, PublicKeySign, PublicKeyVerify. To the best of our knowledge there is nouser using this mechanism for any other class (which would be fairly
exotic).
now rejects duplicate map keys.
PrivilegedRegistry. This was never intended to be public, and tothe best of our knowledge there is no user of this class outside of Tink.
Registrymethods which triggered a TypeParameterUnusedInFormalserror prone warnings. Using these is a bug, and the methods were deprecated
in October 2018. See
https://errorprone.info/bugpattern/TypeParameterUnusedInFormals for
information about this warning.
AesCtrKeyManager. This was never intended to be public, and to thebest of our knowledge there are no users of this class outside Tink.
TestUtilclass.AesGcmHkdfStreaming::create.AesCtrHmacStreaming::create.EncryptThenAuthenticate::createfor AesCtrHmacAeadKey.ChaCha20Poly1305::create.XChaCha20Poly1305::create.AesGcmSiv::create.AesEaxJce::create.EcdsaSignJce::create,EcdsaVerifyJce::create.RsaSsaPkcsSignJce::create,RsaSsaPkcsVerifyJce::create.RsaSsaPssSignJce::create,RsaSsaPssVerifyJce::create.Ed25519Sign::create,Ed25519Verify::create.Dependencies changes:
com.google.protobuf:protobuf=> 3.24.3.com.google.errorprone:error-prone-annotations=> 2.22.0com.google.http-client:google-http-client=> 2.22.0rules_jvm_external=> 5.3com.google.auto:auto-common:1.2.1com.google.auto.service:auto-service:1.0.1com.google.auto.service:auto-service-annotations:1.0.1Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.11.0: Tink Java 1.11.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.11.0
To get started using Tink, see the setup guide.
What's new?
The complete list of changes since 1.10.0 can be found here.
KmsEnvelopeAead.create(commit)HkdfStreamingPrf::create(HkdfPrfKey key)(commit)AeadKeyTemplates.createKmsAeadKeyTemplate(commit)InputStreamDecrypter.read()InputStreamcompliant (issue, commit).Future work
To see what we're working towards, check our project roadmap.
Getting started
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.10.0: Tink Java 1.10.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.10.0
What is new?
The complete list of changes since 1.9.0 can be found here.
New Features:
KeysetHandle#equalsKeysetcan now be used to compare keysetsJwtEcdsaPrivateKey,JwtEcdsaPublicKey,RsaSsaPssPrivateKey,RsaSsaPssPublicKey.RawJwt.getJsonPayload.Potentially breaking changes:
While we aim to be backwards compatible in minor releases, we removed some APIs that were not meant to be public and/or that we are confident are not widely used. If you are impacted by any of these, please file an issue.
PrivilegedRegistry.parseKeyData-- this was never meant to be in the public API.Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:v1.9.0: Tink Java 1.9.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.9.0
To get started using Tink, see the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:For example, to use
tink-java-gcpkmsyourWORKSPACEfile becomes as follows (analogously fortink-java-awskms):Dependencies to targets in
//src/main/java/com/google/crypto/tink/integration/gcpkmsnow are located in@tink_java_gcpkms.What's new
The complete list of changes since 1.8.0 can be found here.
Ed25519AesGcmSiv(commit)androidx.annotationsfromcom.google.crypto.tink:tink(commit); as a result, com.google.crypto.tink:tink has only dependencies from Maven Central.com.google.crypto.tink:tink-android’s POM file (commit).To see what we're working towards, check our project roadmap.
v1.8.0: Tink Java 1.8.0Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Java 1.8.0
To get started using Tink, see the setup guide.
Maven:
Gradle:
Bazel:
Alternatively, one can build Tink from source, and include it with
http_archive:For example, to use
tink-java-gcpkmsyourWORKSPACEfile becomes as follows (analogously fortink-java-awskms):Dependencies to targets in
//src/main/java/com/google/crypto/tink/integration/gcpkmsnow are located in@tink_java_gcpkms.What's new
This is the first release from https://github.com/tink-crypto/tink-java.
The complete list of changes since 1.7.0 can be found here.
tink-javaPOM file as follows:androidx.annotation.annotation.AesCmacandHmac.TinkProtoKeysetFormatandTinkJsonProtoKeysetFormat.com.google.crypto.tink.integration.android. Also improved the exceptions raised.com.google.errorprone:error_prone_annotationsto 2.16.google.http-client:google-http-clientto 1.42.3.com.google.api-client:google-api-clientto 2.2.0.com.google.code.gson:gsonto 2.10.To see what we're working towards, check our project roadmap.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.