Skip to content

chore(deps): update dependency com.google.crypto.tink:tink to v1.19.0 #1652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency com.google.crypto.tink:tink to v1.19.0 #1652

wants to merge 1 commit into from

Conversation

@renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Feb 4, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.google.crypto.tink:tink 1.15.0 -> 1.19.0 age adoption passing confidence

Release Notes

tink-crypto/tink-java (com.google.crypto.tink:tink)

v1.19.0: Tink Java v1.19.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.19

The complete list of changes since 1.18.0 can be found here.

Build changes

  • For Bazel builds, we now use Bazel 7.6.1. in our tests.
  • For Bazel builds, Tink now supports bzlmod.
  • Tink no longer supports Java 8. The minimum version starting from 1.19.0 is Java 11.

Dependencies

  • Protobuf 4.28.2 was upgraded to Protobuf 4.32.1. (Note: we plan to shade protobuf in the next minor version of Tink which should resolve compatibility issues)

Obscure behaviour changes

  • Tink will reject custom key types where the Type-Url has non-ASCII characters.

  • Tink may serialize keysets slightly differently in certain cases. For
    example, in the serialization of a ECDSA keyset, the points might be padded
    differently than before. Users should not depend on the exact format of
    Tink's serialization.

  • Use Conscrypt's AES-CMAC implementation when available and when the input is larger than 64 byte. This may improves the performance of AES-CMAC, AES-SIV and AES-EAX for large inputs.

  • Removed usage of thread-local Ciphers for ChaCha20Poly1305.

Added APIs

  • Added public JwtEcdsaParameters.Algorithm.getEcParameterSpec method.

  • The AES-SIV implementation in subtle now accepts multiple associated datas.

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Maven:
<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.19.0</version>
</dependency>
Gradle:
dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.19.0'
}
Bazel:
Using bzlmod
bazel_dep(name = "tink_java", version = "1.19.0")

git_override(
    module_name = "tink_java",
    remote = "https://github.com/tink-crypto/tink-java",
    tag = "v1.19.0",
)
Using WORKSPACE
load("@&#8203;bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@&#8203;rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@&#8203;rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@&#8203;rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:NEXT_VERSION",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with
http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/NEXT_VERSION.zip"],
    strip_prefix = "tink-java-NEXT_VERSION",
    sha256 = ...
)

load("@&#8203;tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@&#8203;tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

v1.18.0: Tink Java v1.18.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and
misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.18.0

The complete list of changes since 1.17.0 can be found here.

Dropped support

  • Tink Android no longer supports API level 21 and 22. From Tink 1.18.0, the
    minimum API level is 23.

  • Removed Registry.wrap. This API cannot have been used by users: the
    PrimitiveSet needed for it was already moved to internal in Tink 1.13.0.

New Features

  • Use Conscrypt's implementation of Ed25519 when available.

  • Improved performance of AES-GCM-SIV.

  • Tink now provides a flag GlobalTinkFlags.validateKeysetsOnParsing(). If
    set to true, Tink will run certain validations on a keyset before it creates
    a KeysetHandle. We plan to flip the default of this flag to true in Tink
    2.0.

Bug fixes

  • AeadConfig.register() now always registers AES-GCM-SIV. If it's not
    supported by the registered JCE Providers, it will fail when the primitive
    is created.

  • The Aead implementation returned by
    com.google.crypto.tink.integration.android.AndroidKeystore.getAead()
    created invalid ciphertexts on Android API version 28 and older when
    the input was larger than 128kB. Now, it throws an exception instead.

  • JwtHmacKey, LegacyKmsAeadKey, and LegacyKmsEnvelopeAeadKey are now
    final. These cannot be properly subclassed as this would break equalsKey.

Obscure behaviour changes

  • Primitive creation of AES-GCM-SIV now will fail if the algorithm is not
    available. Previously, this used to work with some Configurations succeeding
    and the primitive then failed when encrypt or decrypt was called.

Future work

To see what we're working towards, check our
project roadmap.

Getting started

To get started using Tink, see
the setup guide.

Maven:
<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.18.0</version>
</dependency>
Gradle:
dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.18.0'
}
Bazel:
load("@&#8203;bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@&#8203;rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@&#8203;rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@&#8203;rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.18.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with
http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/1.18.0.zip"],
    strip_prefix = "tink-java-1.18.0",
    sha256 = ...
)

load("@&#8203;tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@&#8203;tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

v1.17.0: Tink Java v1.17.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.17.0

What's new

The complete list of changes since 1.16.0 can be found here.

New APIs

This release does not add new functionality.

Bugfixes

Tink Java 1.17.0 fixes the following bugs:

  • Memory leak in Prf. See #​53. When computing Hkdf, Tink used allocateDirect to get a buffer which is only cleaned up asynchronously. This could lead to excessive memory consumption. Thanks to behrooz-stripe@ for reporting and fixing the issue!

Future work

To see what we're working towards, check our
project roadmap.

Getting started

To get started using Tink, see
the setup guide.

Maven:
<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.17.0</version>
</dependency>
Gradle:
dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.17.0'
}
Bazel:
load("@&#8203;bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@&#8203;rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@&#8203;rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@&#8203;rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.17.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.17.0.zip"],
    strip_prefix = "tink-java-1.17.0",
    sha256 = ...
)

load("@&#8203;tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@&#8203;tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

v1.16.0: Tink Java v1.16.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.16.0

What's new

The complete list of changes since 1.15.0 can be found here.

  • Added new API AndroidKeystore, which is now the preferred way to interact with the Android Keystore.
  • Before this release, the decision whether to use Conscrypt was done at time of class loading of some specific internal classes. If Conscrypt was not installed before the specific class for a primitive was loaded, Conscrypt was never used. Now, the decision is made whenever a new primitive is instantiated.
  • In HPKE, use Conscrypt implementation of X25519 when available. On Android, it is available since API version 31. This makes HPKE both faster and uses less memory.
  • Updated deps:
    • protobuf (4.28.2)
  • Allow @AccessesPartialKey to be applied to fields and local variables, as well as methods and classes.
  • Added support for X-AES-GCM, which is an AEAD algorithm with extended nonce. It uses AES-CMAC for key derivation and AES-GCM for encryption. It is a generalization of the specification in https://c2sp.org/XAES-256-GCM.
  • Added configurations that allow specifying what key types are when using Tink in your application. Tink provides defaults (ConfigurationV0) that are backwards compatible with behavior before configs were introduced.

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Maven:
<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.16.0</version>
</dependency>
Gradle:
dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.16.0'
}
Bazel:
load("@&#8203;bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@&#8203;rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@&#8203;rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@&#8203;rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.16.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.16.0.zip"],
    strip_prefix = "tink-java-1.16.0",
    sha256 = ...
)

load("@&#8203;tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@&#8203;tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners February 4, 2025 19:55
@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Feb 4, 2025
@dpebot
Copy link

dpebot commented Feb 4, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 4, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 4, 2025
@lqiu96
Copy link
Member

lqiu96 commented Feb 10, 2025

@huangjiahua Could you take a look at the CI issues regarding Aead?

@huangjiahua
Copy link
Contributor

huangjiahua commented Feb 10, 2025
edited
Loading

Looks like Tink is upgrading to protobuf 4.28 in the new version:

Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-com.google.protobuf:protobuf-java:3.25.5
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-dev.cel:cel:0.9.0-proto3
Error:      +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:3.25.5
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-com.google.crypto.tink:tink:1.16.0
Error:      +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:4.28.2
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-dev.cel:cel:0.9.0-proto3
Error:      +-com.google.protobuf:protobuf-java-util:3.25.5
Error:        +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:3.25.5
Error:  ]

This is the PR that they upgraded protobuf: tink-crypto/tink-java#44. It seems that their reasoning is protobuf 4.28 has restored binary compatibility with classes generated using 3.x. Does this mean we can exclude the protobuf version for Tink?

@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from b8189ab to a67a2e8 Compare February 24, 2025 17:05
@dpebot
Copy link

dpebot commented Feb 24, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 24, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 24, 2025
@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from a67a2e8 to 06d4fe4 Compare February 25, 2025 22:16
@dpebot
Copy link

dpebot commented Feb 25, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 25, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 25, 2025
@renovate-bot renovate-bot changed the title chore(deps): update dependency com.google.crypto.tink:tink to v1.16.0 chore(deps): update dependency com.google.crypto.tink:tink to v1.17.0 Mar 14, 2025
@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from 06d4fe4 to e3c5810 Compare March 14, 2025 04:10
@dpebot
Copy link

dpebot commented Mar 14, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 14, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 14, 2025
@renovate-bot renovate-bot changed the title chore(deps): update dependency com.google.crypto.tink:tink to v1.17.0 chore(deps): update dependency com.google.crypto.tink:tink to v1.18.0 Jun 18, 2025
@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from e3c5810 to 6c42022 Compare June 18, 2025 16:16
@dpebot
Copy link

dpebot commented Jun 18, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 18, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 18, 2025
@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from 6c42022 to 92b0f33 Compare June 20, 2025 17:51
@dpebot
Copy link

dpebot commented Jun 20, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 20, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 20, 2025
@renovate-bot renovate-bot force-pushed the renovate/project.tink.version branch from 92b0f33 to a1a9507 Compare October 21, 2025 17:12
@renovate-bot renovate-bot changed the title chore(deps): update dependency com.google.crypto.tink:tink to v1.18.0 chore(deps): update dependency com.google.crypto.tink:tink to v1.19.0 Oct 21, 2025
@dpebot
Copy link

dpebot commented Oct 21, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 21, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size: xs Pull request size is extra small.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@renovate-bot @dpebot @lqiu96 @huangjiahua @yoshi-kokoro