tink-crypto/tink-java (com.google.crypto.tink:tink-android)
### [`v1.13.0`](https://togithub.com/tink-crypto/tink-java/releases/tag/v1.13.0): Tink Java 1.13.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
**This is Tink Java 1.13.0**
To get started using Tink, see [the setup guide](https://developers.google.com/tink/tink-setup#java).
### What's new?
Bugs fixed:
- `JwkSetConverter` now encodes RSA public keys without leading zero, as
required by RFC 7518.
Performance improvements:
- Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat
are now smaller, because the unused keyset info metadata is not written
anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
metadata.
- Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This
makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
faster.
- AES-GCM is now about 20% faster.
API changes:
- For Android: Support for SDK 19 has been removed.
- Removed `PrimitiveSet` and `Registry.registerPrimitiveWrapper` from the
public API. While these were in the public API, they have changed semantics
in the past and will change more in the future. Code using either
`PrimitiveSet` or `Registry.registerPrimitiveWrapper` will not work after
upcoming changes. Instead of breaking users silently, we prefer to break
during compilation. If affected, please file an issue on
github.com/tink-crypto/tink-java/.
- For keyset that contain JWT keys, `JwtSignatureConfig.register()` or
`JwtMacConfig.register()` now need to be called before the keyset is parsed.
If not, calling `keysetHandle.getPrimitive(...)` will fail with an error
message: "Unable to get primitive interface
com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
key of type ...".
- Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the
public API. These were never intended to be public, and we expect that
nobody used either of them.
- Removed the constructors of
`com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt` and
`com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt` from the public
API. These took as argument a `EciesAeadHkdfDemHelper` object whose only
implementation was private to Tink. We are hence confident that this is
unused.
- Removed test-only `AndroidKeystoreKmsClient.setKeyStore`. This function didn't
work as expected, as in some places, still the real KeyStore was used. If you
need to test your code with a fake KeyStore instance, it is preferable to
inject fake security provider using `Security.addProvider`, see
FakeAndroidKeystoreProvider.java as an example for such a provider.
- Added methods in the class LegacyKeysetSerialization. Users do not need to
consider this. This will be used later for automatic migrations.
- Introduced `ConfigurationFips140v2`. Users who do not want to restrict the
whole binary to FIPS-only but still want to use FIPS-compliant primitives at
specific call sites can use
`keysetHandle.GetPrimitive(ConfigurationFips140v2.get(),
ExamplePrimitive.class)`.
- Introduced `ConfigurationV0` containing Tink's recommended primitives.
Usage: `keysetHandle.GetPrimitive(ConfigurationV0.get(),
ExamplePrimitive.class)`.
Dependencies changes:
- Upgraded:
- `com.google.protobuf:protobuf` => 3.25.1.
### Future work
To see what we're working towards, check our [project roadmap](https://developers.google.com/tink/roadmap).
### Getting started
##### Maven:
com.google.crypto.tinktink1.13.0
##### Gradle:
dependencies {
implementation 'com.google.crypto.tink:tink-android:1.13.0'
}
#### Bazel:
```python
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"
http_archive(
name = "rules_jvm_external",
strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
sha256 = RULES_JVM_EXTERNAL_SHA,
url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)
load("@rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")
rules_jvm_external_deps()
load("@rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")
rules_jvm_external_setup()
maven_install(
artifacts = [
"com.google.crypto.tink:tink:1.13.0",
### ... other dependencies ...
],
repositories = [
"https://repo1.maven.org/maven2",
],
)
```
Alternatively, one can build Tink from source, and include it with `http_archive`:
```python
http_archive(
name = "com_github_tink_crypto_tink_java",
urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.13.0.zip"],
strip_prefix = "tink-java-1.13.0",
sha256 = ...
)
load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")
tink_java_deps()
load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")
tink_java_deps_init()
### ...
maven_install(
artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
repositories = [
"https://repo1.maven.org/maven2",
],
)
```
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
1.12.0
->1.13.0
Release Notes
tink-crypto/tink-java (com.google.crypto.tink:tink-android)
### [`v1.13.0`](https://togithub.com/tink-crypto/tink-java/releases/tag/v1.13.0): Tink Java 1.13.0 Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks. **This is Tink Java 1.13.0** To get started using Tink, see [the setup guide](https://developers.google.com/tink/tink-setup#java). ### What's new? Bugs fixed: - `JwkSetConverter` now encodes RSA public keys without leading zero, as required by RFC 7518. Performance improvements: - Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat are now smaller, because the unused keyset info metadata is not written anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this metadata. - Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times faster. - AES-GCM is now about 20% faster. API changes: - For Android: Support for SDK 19 has been removed. - Removed `PrimitiveSet` and `Registry.registerPrimitiveWrapper` from the public API. While these were in the public API, they have changed semantics in the past and will change more in the future. Code using either `PrimitiveSet` or `Registry.registerPrimitiveWrapper` will not work after upcoming changes. Instead of breaking users silently, we prefer to break during compilation. If affected, please file an issue on github.com/tink-crypto/tink-java/. - For keyset that contain JWT keys, `JwtSignatureConfig.register()` or `JwtMacConfig.register()` now need to be called before the keyset is parsed. If not, calling `keysetHandle.getPrimitive(...)` will fail with an error message: "Unable to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for key of type ...". - Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the public API. These were never intended to be public, and we expect that nobody used either of them. - Removed the constructors of `com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt` and `com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt` from the public API. These took as argument a `EciesAeadHkdfDemHelper` object whose only implementation was private to Tink. We are hence confident that this is unused. - Removed test-only `AndroidKeystoreKmsClient.setKeyStore`. This function didn't work as expected, as in some places, still the real KeyStore was used. If you need to test your code with a fake KeyStore instance, it is preferable to inject fake security provider using `Security.addProvider`, see FakeAndroidKeystoreProvider.java as an example for such a provider. - Added methods in the class LegacyKeysetSerialization. Users do not need to consider this. This will be used later for automatic migrations. - Introduced `ConfigurationFips140v2`. Users who do not want to restrict the whole binary to FIPS-only but still want to use FIPS-compliant primitives at specific call sites can use `keysetHandle.GetPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class)`. - Introduced `ConfigurationV0` containing Tink's recommended primitives. Usage: `keysetHandle.GetPrimitive(ConfigurationV0.get(), ExamplePrimitive.class)`. Dependencies changes: - Upgraded: - `com.google.protobuf:protobuf` => 3.25.1. ### Future work To see what we're working towards, check our [project roadmap](https://developers.google.com/tink/roadmap). ### Getting started ##### Maven:Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.