v2.6.0

This is Tink Go 2.6.0

What's new

The complete list of changes since 2.5.0 can be found here.

• Fixed non-determinism in test (fixes #41).
• Added ML_KEM768 and ML_KEM1024 to proto/hpke.proto
• Added ML_DSA_87 to proto/ml_dsa.proto

Future work

To see what we're working towards, check our
project roadmap.

Get started

To get started using Tink, see the setup guide.

Go tooling

go get github.com/tink-crypto/tink-go/[email protected]

v2.5.0

This is Tink Go 2.5.0

What's new

The complete list of changes since 2.4.0 can be found here.

• Added key and parameters for:
  • PRF:
    • AES-CMAC-PRF
    • HKDF-PRF
  • Streaming AEAD:
    • AES-CTR-HMAC
    • AES-GCM-HKDF
  • JWT:
    • JWT-ECDSA
    • JWT-RSA-SSA-PKCS1
    • JWT-RSA-SSA-PSS
    • JWT-HMAC
  • Signature:
    • ML-DSA
    • SLH-DSA
• Behavior changes:
  • The NewKey and NewKeyData methods of aessiv key manager no longer accept a nil serialized key format.
  • It is no longer possible to create keysets with invalid JWT ECDSA, RSA-SSA-PKCS1 and RSA-SSA-PSS keys. We believe this will mostly affect tests, and shouldn't be a breaking change for Tink users. If not, please
    file an issue.
  • JWT key managers no longer allow creating Primitives. They have been replaced by "full" primitive implementations. If this affects you, please file an issue.
  • keyderivation.New now expects key managers to implement the keyderiver.KeyDeriver interface. This may affect users registering a key derivation key manager whose Primitive() method returns a custom KeysetDeriver primitive. The returned primitive will have to implement the DeriveKey([] salt) (key.Key, error) method as well. Please file an issue if this affects you.
  • AEAD key managers returned by registry.GetKeyManager() will no longer implement internalregistry.DerivableKeyManager. Please file an issue if this affects you.
  • The Primitive() method of the key manager returned by registry.GetKeyManager("type.googleapis.com/google.crypto.tink.PrfBasedDeriverKey") is now unimplemented. Users who access the key manager directly must now create a new keyset.Handle and obtain the primitive with keyderivation.New.
• Minimum supported Go version is 1.24.

Future work

To see what we're working towards, check our project roadmap.

Get started

To get started using Tink, see the setup guide.

Go tooling

go get github.com/tink-crypto/tink-go/[email protected]

v2.4.0

This is Tink Go 2.4.0

What's new

The complete list of changes since 2.3.0 can be found here.

• Added key and parameters definitions for:
  • DAEAD
    • AES-SIV
  • Hybrid
    • ECIES
    • HPKE
  • MAC
    • AES-CMAC
    • HMAC
• Dependencies upgrades:
  • github.com/google/go-cmp => v0.7.0
  • golang.org/x/crypto => v0.35.0
  • google.golang.org/protobuf => v1.36.5
• Set minimum supported Go version to 1.23.0

Future work

To see what we're working towards, check our project roadmap.

Get started

To get started using Tink, see the setup guide.

Go tooling

go get github.com/tink-crypto/tink-go/[email protected]

v2.3.0

This is Tink Go 2.3.0

What's new

The complete list of changes since 2.2.0 can be found here.

New APIs

Keyset Handle and Manager

• Added methods to keyset.Handle: Len(), Primary(), and Entry(i int).
• keyset.Manager makes a deep copy of the keyset on calls to Handle().
• Added AddKey and AddNewKeyFromParameters to keyset.Manager
• Added Key and Parameters interface which represent keys and their
  parameters. Added key.Parameters and key.Key definitions for:
  • AEAD
    • AES-CTR-HMAC
    • AES-GCM
    • AES-GCM-SIV
    • ChaCha20Poly1305
    • X-AES-GCM
    • XChaCha20Poly1305
  • Signature
    • Ed25519
    • ECDSA
    • RSA-SSA-PKCS1
    • RSA-SSA-PSS
• Made keyset.Handle NewHandle.* APIs accept only valid keysets; expect
  parsing of invalid proto keysets to fail for invalid keysets. With this
  change, tests that create keysets with an empty or invalid KeyData and
  expect a failure on primitive creation will now fail. The user can still
  create an empty keyset.Handle, for which all methods fail. A valid keyset
  is such that:
  • Is non-empty
  • Keys have key data and valid output prefix and status
  • Has only one primary key, which must be ENABLED
• Added keyset.ReadWithContext and keyset.WriteWithContext that use the
  tink.AEADWithContext interface.
• Made WriteWithNoSecrets fail with a nil proto keyset consistently with
  all other Write.* methods.

Other

• Added the insecuresecretdataaccess.Token struct to track and optionally
  restrict raw key material access, and secretdata.Bytes to wrap access
  controlled key bytes. In tests, insecuresecretkeyaccesstest.Token() can be
  used.
• Added the tink.AEADWithContext interface, which allows a context.Context
  to be passed along. KMS implementations should prefer this interface when
  implementing a remote AEAD.
• When serializing ECDSA keys, the encoding changed (as padding of the points
  changed). Users should not rely on specific encodings produced by Tink.
• Set Go 1.22 as the minimum supported version.
• Upgraded deps:
  • golang.org/x/crypto to v0.31.0
  • google.golang.org/protobuf to v1.36.0
  • golang.org/x/sys to v0.28.0
• Add HPKE KEM support for the NIST curves.
• Add HPKE KDF support for SHA-384 and SHA-512.
• Performance improvments for AEAD primitives.

Removed APIs

• Removed Bazel config. With this change Bazel users will no longer be able to
  import tink-go as a pure Bazel dependency (bazel_dep) in their
  MODULE.bazel file. However, Bazel users can continue importing tink-go
  using bazel-gazelle. If this
  causes any issues in your project, please file an issue.
• Removed ChaCha20Poly1305 subtle's exported Key field. This was added by
  mistake.
• Removed primitiveset.PrimitiveSet, keyset.Primitives and
  keyset.PrimitivesWithKeyManager from the public API. This API was never
  really intended to be used outside Tink. We are making changes to Tink
  internals and we prefer to break users at compile time. If this affects you,
  please file an issue.

Future work

To see what we're working towards, check our project roadmap.

Get started

To get started using Tink, see the setup guide.

Go tooling

go get github.com/tink-crypto/tink-go/[email protected]

Tink Go 2.2.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Go 2.2.0

To get started using Tink, see the setup guide.

What's new?

The complete list of changes since 2.1.0 can be found here.

• Changed target Go language version to 1.21
• Use the crypto/rsa Validate() method when instantiating keys via struct
  literals in the signature and jwt packages. Certain invalid keys (e.g.
  corrupted) will fail earlier, during primitive creation instead of during
  cryptographic operations.
• encrypted keysets produced with keyset.NewBinaryWriter are now smaller,
  because the unused keyset_info metadata is not written anymore.
  keyset.NewJSONWriter is unchanged and still output this metadata.
• Added Bzlmod support.
• Upgraded dependencies:
  • golang.org/x/crypto => v0.17.0
  • google.golang.org/protobuf => v1.33.0
• JWT keys that don't use TINK or RAW output prefix type are now rejected.
• Removed the exported "Key" field in of several subtle primitives.
• Added proto definitions to proto/.
• Improved performance of Streaming AEAD implementations by reducing memory allocations.

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Go Tooling

go get github.com/tink-crypto/tink-go/[email protected]

Bazel

If you want to use Tink Go with Bazel, you should use bazel-gazelle. It can be also included as a Bazel-only dependency as follows:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "io_bazel_rules_go",
    integrity = "sha256-gKmCd60TEdrNg3+bFttiiHcC6fHRxMn3ltASGkbI4YQ=",
    urls = [
 "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip",
        "https://github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip",
    ],
)

http_archive(
    name = "bazel_gazelle",
    integrity = "sha256-MpOL2hbmcABjA1R5Bj2dJMYO2o15/Uc5Vj9Q0zHLMgk=",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz",
        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz",
    ],
)

TINK_GO_VERSION="2.2.0"
TINK_GO_SHA256="fea1ff9ed06a7302e3496587834a53f91235085e45e3de03af80b897514b7a1b"

http_archive(
        name = "com_github_tink_crypto_tink_go_v2",
        urls = ["https://github.com/tink-crypto/tink-go/releases/download/v%s/tink-go-%s.zip" % (TINK_GO_VERSION, TINK_GO_VERSION)],
        strip_prefix = "tink-go-%s" % TINK_GO_VERSION,
        sha256 = TINK_GO_SHA256,
    )

load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")

load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")

load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")

tink_go_dependencies()

#######################################
#
# Your project dependencies here.
#
#######################################

go_rules_dependencies()

go_register_toolchains(version = "1.21.8")

gazelle_dependencies()

Tink Go 2.1.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Go 2.1.0

To get started using Tink, see the setup guide.

What's new?

The complete list of changes since 2.1.0 can be found here.

• Prevented Hybrid Encryption keyset handles from returning AEAD primitives.
• Restricted visibility of keyderivation/internal/streamingprf with Bazel.
• Changed target Go language version to 1.20
• testutil.DummyMAC.VerifyMAC now returns error if the mac is incorrect.
• Fixed unsafe proto field acces in the aead, hybrid, mac, prf, signature, and
  streamingaead packages. This prevents panics when loading invalid keysets.
• Made //aead/subtle:subtle public
• Upgraded dependencies:
  • github.com/google/go-cmp => v0.6.0
  • golang.org/x/crypto => v0.14.0
  • google.golang.org/protobuf => v1.31.0
  • golang.org/x/sys => v0.13.0
    (commit)

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Go Tooling

go get github.com/tink-crypto/tink-go/[email protected]

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "io_bazel_rules_go",
    sha256 = "6dc2da7ab4cf5d7bfc7c949776b1b7c733f05e56edc4bcd9022bb249d2e2a996",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
        "https://github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
    ],
)

http_archive(
    name = "bazel_gazelle",
    sha256 = "ecba0f04f96b4960a5b250c8e8eeec42281035970aa8852dda73098274d14a1d",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
    ],
)

http_archive(
    name = "com_github_tink_crypto_tink_go_v2",
    urls = ["https://github.com/tink-crypto/tink-go/releases/download/v2.1.0/tink-go-2.1.0.zip"],
    strip_prefix = "tink-go-2.1.0",
    sha256 = "84b4b233fb20b570812e61ccb134d230222b79d2fd765c1d57352a53d439d746",
)

load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")

load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")

load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")

tink_go_dependencies()

#######################################
#
# Your project dependencies here.
#
#######################################

go_rules_dependencies()

go_register_toolchains(version = "1.20.10")

gazelle_dependencies()

Tink Go v2.0.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Go 2.0.0

What's new

This is the first release from https://github.com/tink-crypto/tink-go.

The complete list of changes since 1.7.0 can be found here.

• Upgraded to use Bazel 6.0.0
• Changed target Go language version to 1.19
• Moved KMS extensions to separate modules:
  • github.com/tink-crypto/tink-go-awskms
  • github.com/tink-crypto/tink-go-gcpkms
  • github.com/tink-crypto/tink-go-hcvault
• Deprecations:
  • MemReaderWriter (commit)
  • insecurecleartextkeyset.KeysetHandle (commit)
  • testkeyset.KeysetHandle (commit)
• Removed deprecated APIs/files:
  • NewWithKeyManager (commit)
  • tink_go_deps.bzl and tink_go_deps_init.bzl (commit)
  • Rotate (commit)
  • aead.NewKMSEnvelopeAEAD (commit)
  • signature.ECDSAP384KeyTemplate (commit)
• Added support for RSA SSA PSS asymmetric signatures
• Added support for JWT asymmetric signatures using RSA-SSA-PKCS1 (RS256,RS384,RS512) and RSA-SSA-PSS (PS256,PS384,PS512)
• Performance improvements (especially for AEAD) by avoiding unneeded copies and memory allocations (commits: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13).
• ​​Restricted KMS envelope AEAD to only use Tink AEAD key types as DEK (commit).
• Added initial monitoring support. This is not yet part of the public API.
• Added support for PRF-based key derivation using HKDF SHA-256 or HKDF SHA-512 PRF
• Added API to store keyset entries in order to allow key derivation
• Added/upgraded CI test scripts

Get Started

To get started using Tink, see the setup guide.

Go Tooling

go get github.com/tink-crypto/tink-go/[email protected]

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "io_bazel_rules_go",
    sha256 = "6dc2da7ab4cf5d7bfc7c949776b1b7c733f05e56edc4bcd9022bb249d2e2a996",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
        "https://github.com/bazelbuild/rules_go/releases/download/v0.39.1/rules_go-v0.39.1.zip",
    ],
)

http_archive(
    name = "bazel_gazelle",
    sha256 = "ecba0f04f96b4960a5b250c8e8eeec42281035970aa8852dda73098274d14a1d",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
    ],
)

http_archive(
    name = "com_github_tink_crypto_tink_go_v2",
    urls = ["https://github.com/tink-crypto/tink-go/archive/refs/tags/v2.0.0.zip"],
    strip_prefix = "tink-go-2.0.0",
    sha256 = "27f7446a29956173e10a65d0f71f7cd795ba3049b96fa5fae47333e06661ac2a",
)

load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")

load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository")

load("@com_github_tink_crypto_tink_go_v2//:deps.bzl", tink_go_dependencies="go_dependencies")

tink_go_dependencies()

#######################################
#
# Your project dependencies here.
#
#######################################

go_rules_dependencies()

go_register_toolchains(version = "1.19.9")

gazelle_dependencies()

> WARNING: KMS extensions are now published in separate repositories:
>  - https://github.com/tink-crypto/tink-go-awskms
>  - https://github.com/tink-crypto/tink-go-gcpkms
>  - https://github.com/tink-crypto/tink-go-hcvault