v2.3.0

@morambro morambro released this 14 Jan 17:09

This is Tink Go 2.3.0

What's new

The complete list of changes since 2.2.0 can be found here.

New APIs

Keyset Handle and Manager

  • Added methods to keyset.Handle: Len(), Primary(), and Entry(i int).
  • keyset.Manager makes a deep copy of the keyset on calls to Handle().
  • Added AddKey and AddNewKeyFromParameters to keyset.Manager.
  • Added the Key and Parameters interfaces, which represent keys and their
    parameters. Added key.Parameters and key.Key definitions for:
    • AEAD
      • AES-CTR-HMAC
      • AES-GCM
      • AES-GCM-SIV
      • ChaCha20Poly1305
      • X-AES-GCM
      • XChaCha20Poly1305
    • Signature
      • Ed25519
      • ECDSA
      • RSA-SSA-PKCS1
      • RSA-SSA-PSS
  • Made the keyset.Handle NewHandle.* APIs accept only valid keysets; parsing
    of invalid proto keysets now fails. With this change, tests that create
    keysets with an empty or invalid KeyData and expect a failure on primitive
    creation will now fail. The user can still create an empty keyset.Handle,
    for which all methods fail. A valid keyset:
    • Is non-empty
    • Has keys with key data and a valid output prefix and status
    • Has only one primary key, which must be ENABLED
  • Added keyset.ReadWithContext and keyset.WriteWithContext that use the
    tink.AEADWithContext interface.
  • Made WriteWithNoSecrets fail on a nil proto keyset, consistent with all
    other Write.* methods.
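
The valid-keyset rules listed above, written out as an added example (not Tink code) that can be used to find test fixtures the NewHandle.* APIs would now reject at parse time. Key, Keyset and CheckKeyset are hypothetical stand-ins, and the accepted status and output-prefix names are assumed to match the proto enums; Tink's own validation may differ in detail.

```go
package main

import "fmt"

// Key and Keyset are simplified, hypothetical stand-ins, not Tink types.
type Key struct {
	ID      uint32
	KeyData []byte // empty means the key carries no key data
	Status  string
	Prefix  string
}

type Keyset struct {
	PrimaryID uint32
	Keys      []Key
}

// Assumed enum names; anything else (e.g. UNKNOWN_STATUS) is invalid.
var validStatus = map[string]bool{"ENABLED": true, "DISABLED": true, "DESTROYED": true}
var validPrefix = map[string]bool{"TINK": true, "LEGACY": true, "RAW": true, "CRUNCHY": true}

// CheckKeyset returns nil only if the keyset satisfies all three listed rules.
func CheckKeyset(ks Keyset) error {
	if len(ks.Keys) == 0 {
		return fmt.Errorf("keyset is empty")
	}
	primaries := 0
	for _, k := range ks.Keys {
		switch {
		case len(k.KeyData) == 0:
			return fmt.Errorf("key %d: no key data", k.ID)
		case !validPrefix[k.Prefix] || !validStatus[k.Status]:
			return fmt.Errorf("key %d: invalid output prefix or status", k.ID)
		case k.ID == ks.PrimaryID && k.Status != "ENABLED":
			return fmt.Errorf("primary key %d is %s, not ENABLED", k.ID, k.Status)
		case k.ID == ks.PrimaryID:
			primaries++
		}
	}
	if primaries != 1 {
		return fmt.Errorf("want exactly one primary key, found %d", primaries)
	}
	return nil
}

func main() {
	// Constructed fixture: a key with empty KeyData, as in the tests described above.
	ks := Keyset{PrimaryID: 7, Keys: []Key{{ID: 7, Status: "ENABLED", Prefix: "TINK"}}}
	fmt.Println(CheckKeyset(ks))
}
```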

Other

  • Added the insecuresecretdataaccess.Token struct to track and optionally
    restrict raw key material access, and secretdata.Bytes to wrap
    access-controlled key bytes. In tests, insecuresecretkeyaccesstest.Token()
    can be used.
  • Added the tink.AEADWithContext interface, which allows a context.Context
    to be passed along. KMS implementations should prefer this interface when
    implementing a remote AEAD.
  • When serializing ECDSA keys, the encoding changed (as padding of the points
    changed). Users should not rely on specific encodings produced by Tink.
  • Set Go 1.22 as the minimum supported version.
  • Upgraded deps:
    • golang.org/x/crypto to v0.31.0
    • google.golang.org/protobuf to v1.36.0
    • golang.org/x/sys to v0.28.0
  • Added HPKE KEM support for the NIST curves.
  • Added HPKE KDF support for SHA-384 and SHA-512.
  • Performance improvements for AEAD primitives.

Removed APIs

  • Removed Bazel config. With this change Bazel users will no longer be able to
    import tink-go as a pure Bazel dependency (bazel_dep) in their
    MODULE.bazel file. However, Bazel users can continue importing tink-go
    using bazel-gazelle. If this causes any issues in your project, please
    file an issue.
  • Removed ChaCha20Poly1305 subtle's exported Key field. This was added by
    mistake.
  • Removed primitiveset.PrimitiveSet, keyset.Primitives and
    keyset.PrimitivesWithKeyManager from the public API. This API was never
    really intended to be used outside Tink. We are making changes to Tink
    internals and we prefer to break users at compile time. If this affects you,
    please file an issue.

Future work

To see what we're working towards, check our project roadmap.

Get started

To get started using Tink, see the setup guide.

Go tooling

go get github.com/tink-crypto/tink-go/v2@v2.3.0