Releases: tink-crypto/tink-go
v2.3.0
This is Tink Go 2.3.0
What's new
The complete list of changes since 2.2.0 can be found here.
New APIs
Keyset Handle and Manager
- Added methods to keyset.Handle: Len(), Primary(), and Entry(i int). keyset.Manager makes a deep copy of the keyset on calls to Handle().
- Added AddKey and AddNewKeyFromParameters to keyset.Manager.
- Added Key and Parameters interfaces, which represent keys and their parameters. Added key.Parameters and key.Key definitions for:
  - AEAD
    - AES-CTR-HMAC
    - AES-GCM
    - AES-GCM-SIV
    - ChaCha20Poly1305
    - X-AES-GCM
    - XChaCha20Poly1305
  - Signature
    - Ed25519
    - ECDSA
    - RSA-SSA-PKCS1
    - RSA-SSA-PSS
- Made keyset.Handle NewHandle.* APIs accept only valid keysets; expect parsing of invalid proto keysets to fail. With this change, tests that create keysets with an empty or invalid KeyData and expect a failure on primitive creation will now fail. The user can still create an empty keyset.Handle, for which all methods fail. A valid keyset is one that:
  - Is non-empty
  - Keys have key data and valid output prefix and status
  - Has only one primary key, which must be ENABLED
- Added keyset.ReadWithContext and keyset.WriteWithContext that use the tink.AEADWithContext interface.
- Made WriteWithNoSecrets fail with a nil proto keyset consistently with all other Write.* methods.
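The keyset validity rules listed above, modeled as a stand-alone check. This is an added example, not tink-go's code: the Key and Keyset types, the Validate function and the sample keyset are hypothetical stand-ins for the proto keyset, with 0 standing for the unknown status and prefix values.

```go
package main

import "fmt"

// Hypothetical stand-ins for a proto keyset; 0 models the "unknown" enum value.
type Key struct {
	ID             uint32
	KeyData        []byte // stand-in for the key's KeyData
	Status, Prefix int
}
type Keyset struct {
	PrimaryID uint32
	Keys      []Key
}

const (
	Enabled, Disabled, Destroyed = 1, 2, 3    // key status values
	Tink, Legacy, Raw, Crunchy   = 1, 2, 3, 4 // output prefix values
)

// Validate applies the release note's three rules to a parsed keyset.
func Validate(ks Keyset) error {
	if len(ks.Keys) == 0 {
		return fmt.Errorf("empty keyset")
	}
	primaries := 0
	for _, k := range ks.Keys {
		switch {
		case len(k.KeyData) == 0:
			return fmt.Errorf("key %d: no key data", k.ID)
		case k.Status < Enabled || k.Status > Destroyed:
			return fmt.Errorf("key %d: invalid status", k.ID)
		case k.Prefix < Tink || k.Prefix > Crunchy:
			return fmt.Errorf("key %d: invalid output prefix", k.ID)
		case k.ID == ks.PrimaryID && k.Status != Enabled:
			return fmt.Errorf("key %d: primary key is not ENABLED", k.ID)
		case k.ID == ks.PrimaryID:
			primaries++
		}
	}
	if primaries != 1 {
		return fmt.Errorf("want exactly one primary key, found %d", primaries)
	}
	return nil
}

func main() {
	// Constructed sample: the only key is primary but DISABLED, so it is rejected.
	fmt.Println(Validate(Keyset{PrimaryID: 1, Keys: []Key{{1, []byte{1}, Disabled, Tink}}}))
}
```

Tests that previously built such a keyset and waited for primitive creation to fail need to assert on the parsing error instead.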
Other
- Added the insecuresecretdataaccess.Token struct to track and optionally restrict raw key material access, and secretdata.Bytes to wrap access controlled key bytes. In tests, insecuresecretkeyaccesstest.Token() can be used.
- Added the tink.AEADWithContext interface, which allows a context.Context to be passed along. KMS implementations should prefer this interface when implementing a remote AEAD.
- When serializing ECDSA keys, the encoding changed (as padding of the points changed). Users should not rely on specific encodings produced by Tink.
- Set Go 1.22 as the minimum supported version.
- Upgraded deps:
  - golang.org/x/crypto to v0.31.0
  - google.golang.org/protobuf to v1.36.0
  - golang.org/x/sys to v0.28.0
- Add HPKE KEM support for the NIST curves.
- Add HPKE KDF support for SHA-384 and SHA-512.
- Performance improvements for AEAD primitives.
Removed APIs
- Removed Bazel config. With this change Bazel users will no longer be able to import tink-go as a pure Bazel dependency (bazel_dep) in their MODULE.bazel file. However, Bazel users can continue importing tink-go using bazel-gazelle. If this causes any issues in your project, please file an issue.
- Removed ChaCha20Poly1305 subtle's exported Key field. This was added by mistake.
- Removed primitiveset.PrimitiveSet, keyset.Primitives and keyset.PrimitivesWithKeyManager from the public API. This API was never really intended to be used outside Tink. We are making changes to Tink internals and we prefer to break users at compile time. If this affects you, please file an issue.
Future work
To see what we're working towards, check our project roadmap.
Get started
To get started using Tink, see the setup guide.
Go tooling
go get github.com/tink-crypto/tink-go/v2@v2.3.0
Tink Go 2.2.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Go 2.2.0
To get started using Tink, see the setup guide.
What's new?
The complete list of changes since 2.1.0 can be found here.
- Changed target Go language version to 1.21
- Use the crypto/rsa Validate() method when instantiating keys via struct literals in the signature and jwt packages. Certain invalid keys (e.g. corrupted) will fail earlier, during primitive creation instead of during cryptographic operations.
- Encrypted keysets produced with keyset.NewBinaryWriter are now smaller, because the unused keyset_info metadata is not written anymore. keyset.NewJSONWriter is unchanged and still outputs this metadata.
- Added Bzlmod support.
- Upgraded dependencies:
  - golang.org/x/crypto => v0.17.0
  - google.golang.org/protobuf => v1.33.0
- JWT keys that don't use TINK or RAW output prefix type are now rejected.
- Removed the exported "Key" field of several subtle primitives.
- Added proto definitions to proto/.
- Improved performance of Streaming AEAD implementations by reducing memory allocations.
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Go Tooling
go get github.com/tink-crypto/tink-go/v2@v2.2.0
Bazel
If you want to use Tink Go with Bazel, you should use bazel-gazelle. It can also be included as a Bazel-only dependency as follows:
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
name = "io_bazel_rules_go",
integrity = "sha256-gKmCd60TEdrNg3+bFttiiHcC6fHRxMn3ltASGkbI4YQ=",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip",
"https://github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip",
],
)
http_archive(
name = "bazel_gazelle",
integrity = "sha256-MpOL2hbmcABjA1R5Bj2dJMYO2o15/Uc5Vj9Q0zHLMgk=",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz",
"https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz",
],
)
TINK_GO_VERSION="2.2.0"
TINK_GO_SHA256="fea1ff9ed06a7302e3496587834a53f91235085e45e3de03af80b897514b7a1b"
http_archive(
name = "com_github_tink_crypto_tink_go_v2",
urls = ["https://github.com/tink-crypto/tink-go/releases/download/v%s/tink-go-%s.zip" % (TINK_GO_VERSION, TINK_GO_VERSION)],
strip_prefix = "tink-go-%s" % TINK_GO_VERSION,
sha256 = TINK_GO_SHA256,
)
load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")
load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")
tink_go_dependencies()
#######################################
#
# Your project dependencies here.
#
#######################################
go_rules_dependencies()
go_register_toolchains(version = "1.21.8")
gazelle_dependencies()
Tink Go 2.1.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Go 2.1.0
To get started using Tink, see the setup guide.
What's new?
The complete list of changes since 2.1.0 can be found here.
- Prevented Hybrid Encryption keyset handles from returning AEAD primitives.
- Restricted visibility of keyderivation/internal/streamingprf with Bazel.
- Changed target Go language version to 1.20
- testutil.DummyMAC.VerifyMAC now returns an error if the MAC is incorrect.
- Fixed unsafe proto field access in the aead, hybrid, mac, prf, signature, and streamingaead packages. This prevents panics when loading invalid keysets.
- Made //aead/subtle:subtle public
- Upgraded dependencies:
  - github.com/google/go-cmp => v0.6.0
  - golang.org/x/crypto => v0.14.0
  - google.golang.org/protobuf => v1.31.0
  - golang.org/x/sys => v0.13.0 (commit)
Future work
To see what we're working towards, check our project roadmap.
Getting started
To get started using Tink, see the setup guide.
Go Tooling
go get github.com/tink-crypto/tink-go/v2@v2.1.0
Bazel
workspace(name = "example")
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
name = "io_bazel_rules_go",
sha256 = "6dc2da7ab4cf5d7bfc7c949776b1b7c733f05e56edc4bcd9022bb249d2e2a996",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
"https://github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
],
)
http_archive(
name = "bazel_gazelle",
sha256 = "ecba0f04f96b4960a5b250c8e8eeec42281035970aa8852dda73098274d14a1d",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
"https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
],
)
http_archive(
name = "com_github_tink_crypto_tink_go_v2",
urls = ["https://github.com/tink-crypto/tink-go/releases/download/v2.1.0/tink-go-2.1.0.zip"],
strip_prefix = "tink-go-2.1.0",
sha256 = "84b4b233fb20b570812e61ccb134d230222b79d2fd765c1d57352a53d439d746",
)
load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")
load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")
tink_go_dependencies()
#######################################
#
# Your project dependencies here.
#
#######################################
go_rules_dependencies()
go_register_toolchains(version = "1.20.10")
gazelle_dependencies()
Tink Go v2.0.0
Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.
This is Tink Go 2.0.0
What's new
This is the first release from https://github.com/tink-crypto/tink-go.
The complete list of changes since 1.7.0 can be found here.
- Upgraded to use Bazel 6.0.0
- Changed target Go language version to 1.19
- Moved KMS extensions to separate modules:
- Deprecations:
- Removed deprecated APIs/files:
- Added support for RSA SSA PSS asymmetric signatures
- Added support for JWT asymmetric signatures using RSA-SSA-PKCS1 (RS256,RS384,RS512) and RSA-SSA-PSS (PS256,PS384,PS512)
- Performance improvements (especially for AEAD) by avoiding unneeded copies and memory allocations (commits: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13).
- Restricted KMS envelope AEAD to only use Tink AEAD key types as DEK (commit).
- Added initial monitoring support. This is not yet part of the public API.
- Added support for PRF-based key derivation using HKDF SHA-256 or HKDF SHA-512 PRF
- Added API to store keyset entries in order to allow key derivation
- Added/upgraded CI test scripts
Get Started
To get started using Tink, see the setup guide.
Go Tooling
go get github.com/tink-crypto/tink-go/v2@v2.0.0
Bazel
workspace(name = "example")
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
name = "io_bazel_rules_go",
sha256 = "6dc2da7ab4cf5d7bfc7c949776b1b7c733f05e56edc4bcd9022bb249d2e2a996",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
"https://github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
],
)
http_archive(
name = "bazel_gazelle",
sha256 = "ecba0f04f96b4960a5b250c8e8eeec42281035970aa8852dda73098274d14a1d",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
"https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
],
)
http_archive(
name = "com_github_tink_crypto_tink_go_v2",
urls = ["https://github.com/tink-crypto/tink-go/archive/refs/tags/v2.0.0.zip"],
strip_prefix = "tink-go-2.0.0",
sha256 = "27f7446a29956173e10a65d0f71f7cd795ba3049b96fa5fae47333e06661ac2a",
)
load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")
load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")
tink_go_dependencies()
#######################################
#
# Your project dependencies here.
#
#######################################
go_rules_dependencies()
go_register_toolchains(version = "1.19.9")
gazelle_dependencies()
> WARNING: KMS extensions are now published in separate repositories:
> - https://github.com/tink-crypto/tink-go-awskms
> - https://github.com/tink-crypto/tink-go-gcpkms
> - https://github.com/tink-crypto/tink-go-hcvault