v2.3.0

Tink C++ 2.3.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

To get started, see the setup guide.

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Import Tink as an in-tree dependency.

# Option 1: tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

# Option 2: Use FetchContent
# include(FetchContent)
#
# FetchContent_Declare(
#   tink
#   URL https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.3.0.zip
#   URL_HASH SHA256="363ce671ab5ce0b24f279d3647185597a25f407c3608db007315f79f151f436b"
# )
# FetchContent_GetProperties(tink)
# if(NOT googletest_POPULATED)
#   FetchContent_Populate(tink)
#   add_subdirectory(${tink_SOURCE_DIR} ${tink_BINARY_DIR} EXCLUDE_FROM_ALL)
# endif()

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.3.0.zip"],
    strip_prefix = "tink-cc-2.3.0",
    sha256 = "363ce671ab5ce0b24f279d3647185597a25f407c3608db007315f79f151f436b",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

What's new

The complete list of changes since 2.2.0 can be found here.

Additions

• DHKEM P-256 HKDF-SHA256 added to HPKE.
• Key Encapsulation Mechanism API.
• APIs for parsing and serializing encrypted keysets and parameters.
• Support for parsing ECDSA keys to SignaturePemKeysetReader.
• Support for converting Ed25519 public keys to JWKs.
• APIs to create a KeysetHandle using key generation configs via KeysetHandleBuilder and the KeysetHandle::generateNewFromParameters function.
• APIs to import and export keys for the following key types:
  • AES-CMAC-PRF
  • AES-CTR-HMAC Streaming
  • AES-GCM-HKDF Streaming
  • ChaCha20-Poly1305
  • HKDF-PRF
  • HMAC-PRF
  • JWT-RSA-SSA-PKCS1
  • JWT-RSA-SSA-PSS
• Made SignaturePemKeysetReader public.
• Made PartialKeyAccess and PartialKeyAccessToken public.
• Made SignaturePublicKey public.

Modifications

• Fixed bug in JsonKeysetReader parsing.
• Fixed issue with MSVC and C++17 where comparison of different std::string_views caused an assertion failure (#6).
• Fixed bug in RSA-SSA-PSS parameters parsing, which now fails if the hashes have different types.
• Switched key id type from int to int32_t.
• Combined keyset_handle_builder and keyset_handle targets into one.

Removals

• StatefulMac interface in subtle.
  • The implementation DummyStatefulMac in test_util.
  • StatefulHmacBoringSslFactory and the implementation StatefulHmacBoringSsl of StatefulMac in subtle.
  • StatefulCmacBoringSslFactory and the implementation StatefulCmacBoringSsl of StatefulMac in subtle.
  • These were never intended to be public APIs. If this affects you, please file an issue in github.com/tink-crypto/tink-cc so we better understand the usage. We recommend reimplementing removed interfaces and implementations in your code. Public users are recommended to use ChunkedMac.
• EciesAeadHkdfDemHelper from the crypto::tink namespace. This was never intended to be public APIs. If this affects you, please file an issue in github.com/tink-crypto/tink-cc so we better understand your usage.

Dependencies

• Upgrades
  • Bazel (7.1.2)
  • Bzlmod deps
    • abseil-cpp (20240722.0)
    • bazel_skylib (1.7.1)
    • boringssl (0.20240930.0)
    • googletest (1.15.2)
    • platforms (0.0.10)
    • rules_proto (6.0.2)
  • WORKSPACE deps
    • abseil-cpp (20240722.0)
    • bazel_skylib (1.7.1)
    • boringssl (0.20240930.0)
    • googletest (1.15.2)
• New
  • Bzlmod deps
    • rules_license (1.0.0)

Future

To see what we're working towards, check our project roadmap.

v2.2.0

Tink C++ 2.2.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ 2.2.0.

To get started using Tink, see the setup guide.

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Import Tink as an in-tree dependency.

# Option 1: tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

# Option 2: Use FetchContent
# include(FetchContent)
#
# FetchContent_Declare(
#   tink
#   URL https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.2.0.zip
#   URL_HASH SHA256=88e1442182452caa16d0954ceaf73e17b0aa30837ee6c0cc16bf0112313ce753
# )
# FetchContent_GetProperties(tink)
# if(NOT googletest_POPULATED)
#   FetchContent_Populate(tink)
#   add_subdirectory(${tink_SOURCE_DIR} ${tink_BINARY_DIR} EXCLUDE_FROM_ALL)
# endif()

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.2.0.zip"],
    strip_prefix = "tink-cc-2.2.0",
    sha256 = "88e1442182452caa16d0954ceaf73e17b0aa30837ee6c0cc16bf0112313ce753",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

What's new

The complete list of changes since 2.1.0 can be found here.

• Added APIs to import and export keys for the following key types:

  • AES-CTR-HMAC-AEAD
  • AES-EAX
  • ECDSA
  • ECIES
  • JWT ECDSA
  • JWT HMAC
  • XChaCha20-Poly1305

• Removed the method HmacPrfKeyManager::MaxOutputLength from the public
  API. This method was never intended to be public and there is no reason
  to assume anyone uses it.

• Enabled building against pre-installed protobuf with CMake.

• Moved Bazel test-only deps to tink_cc_testonly_deps().

• Dependency upgrades:

  • protobuf (=> 26.1)
  • googletest (=> 1.14)
  • absl (=> 20230802.1)
  • BoringSSL (=> 07fa2780386fbbc001937fabf116c1fe4ddd2705)
  • bazel_skylib (=> 1.5.0)
  • Bazel (=> 6.4.0)

• Added class to represent elliptic curve points.

• Added SecretDataEquals. SecretData::operator== is currently not
  constant time, and should not be called by users. Tink 3.0 will change
  this, but in the mean time, it should not be called and SecretDataEquals
  should be used instead.

Future

To see what we're working towards, check our project roadmap.

v2.1.3

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ 2.1.3

To get started using Tink, see the setup guide.

What's new?

This is a patch release.

The complete list of changes since 2.1.2 can be found here.

• Bug-fixes:
  • Use rapidjson::kParseIterativeFlag when parsing JSON keysets to make sure the stack size remains constant
  • Use the correct version in MODULE.bazel

Future work

To see what we're working towards, check our project roadmap.

Getting started

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Assumes tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/releases/download/v2.1.3/tink-cc-2.1.3.zip"],
    strip_prefix = "tink-cc-2.1.3",
    sha256 = "14a3f64a56d7e9296889d7eba7a3b8787c3281e5bc5791033c54baf810a0b6ef",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

Tink C++ 2.1.2

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ v2.1.2

To get started using Tink, see the setup guide.

What's new?

This is a patch release.

The complete list of changes since 2.1.1 can be found here.

• Bug-fixes:
  • Fixed JsonKeysetReader::Read() making the process crash if the input JSON is valid but not an object.

Future work

To see what we're working towards, check our project roadmap.

Getting started

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Assumes tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

# Alternatively using FetchContent:
# include(FetchContent)
# FetchContent_Declare(
#   tink
#   URL       https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.1.2.zip
#   URL_HASH  SHA256=d0fefc61e3bde758c8773f1348e6a64fc4fd6ecafe62c4adc0df8957ce800757
# )
# FetchContent_GetProperties(tink)
# if(NOT googletest_POPULATED)
#   FetchContent_Populate(tink)
#     add_subdirectory(${tink_SOURCE_DIR} ${tink_BINARY_DIR} EXCLUDE_FROM_ALL)
# endif()

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    strip_prefix = "tink-cc-2.1.2",
    urls = ["https://github.com/tink-crypto/tink-cc/releases/download/v2.1.2/tink-cc-2.1.2.zip"],
    sha256 = "d0fefc61e3bde758c8773f1348e6a64fc4fd6ecafe62c4adc0df8957ce800757",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

Tink C++ 2.1.1

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ 2.1.1

To get started using Tink, see the setup guide.

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Assumes tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.1.1.zip"],
    strip_prefix = "tink-cc-2.1.1",
    sha256 = "3080600b6c38421ebaca5bfc460aa965afc88c877695c080019a8905f0f1c1b8",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

What's new

This is a patch release.

The complete list of changes since 2.1.0 can be found here.

• Bug-fixing:
  • Parsing a keyset with an invalid HMAC key (which has an invalid hash
    type) can cause a binary compiled without "NDEBUG" to crash. This is now
    fixed.
• ConfigGlobalRegistry is now publicly visible.

Future work

To see what we're working towards, check our project roadmap.

Tink C++ 2.1.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ 2.1.0

To get started using Tink, see the setup guide.

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Assumes tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.1.0.zip"],
    strip_prefix = "tink-cc-2.1.0",
    sha256 = "3804afecbe7096d3786b660e9cd5f365f064743eec52d76984abb9da38dd0fb3",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

What's new

The complete list of changes since 2.0.0 can be found here.

• Tink now supports building with OpenSSL 3.0 (commit)
• Tink now supports key derivation (commit)
• For the following key types, an API to import and export keys has been added:
  • HMAC (commit
  • AES GCM (commit)
  • AES SIV (commit)
  • HPKE (commit)
  • RSASSA-PKCS1 (commit)
  • RSASSA-PSS (commit)

(When exporting, this can be used with KeysetHandle::operator[] and a dynamic cast. When importing keys, this can be used with the KeysetHandleBuilder)

• Methods KeysetHandle::GetPrimitive, KeysetHandle::GenerateNew, and KeysetHandle::GetPublicKeysetHandle now take a configuration argument
• Tink defines crypto::tink::ConfigV0() and crypto::tink::ConfigFips140_2()
• Upgraded dependencies:
  • The abseil dependency has been upgraded to LTS 20230802.0
• Bug-fixing
  • Calling RandomAccessStream::size() for RandomAccessStream objects obtained from StreamingAead::NewDecryptingRandomAccessStream now attempts to find the correct key in the keyset. Previously, users had to first call PRead to make sure calling size works. (commit)

Future work

To see what we're working towards, check our project roadmap.

Tink C++ 2.0.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink C++ 2.0.0

To get started using Tink, see the setup guide.

CMake

You can import Tink C++ as an in-tree dependency.

cmake_minimum_required(VERSION 3.13)

project(Example CXX)

set(CMAKE_CXX_STANDARD 14)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

set(CMAKE_BUILD_TYPE Release)

# Assumes tink-cc is in third_party.
add_subdirectory(third_party/tink-cc tink)

add_executable(example_app example_app.cc)
target_link_libraries(example_app tink::static)

Bazel

workspace(name = "example")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_github_tink_crypto_tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.0.0.zip"],
    strip_prefix = "tink-cc-2.0.0",
    sha256 = "103ddfce800e77f3b3b6b2c808a8611bc734b31ddb12fbcfd8bebc1b96a7e963",
)

# Load Tink dependencies.

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@com_github_tink_crypto_tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

# ... Your dependencies here ...

WARNING: Different from 1.7.0, labels are now prefixed by tink: for example @tink_cc
becomes @tink_cc//tink:tink_cc, or @tink_cc//aead/... becomes
@tink_cc//tink/aead/....

Bazel users of Tink can use the script tools/update_build_files_for_tink_2_0_bazel.sh to apply the necessary Bazel changes to their > BUILD files:

cd <path/to/tink_cc>
bazel run //tools:update_build_files_for_tink_2_0_bazel -- <path/to/you/project/root> \
  <tink-cc repository name>

WARNING: KMS extensions are now published in separate repositories:

• https://github.com/tink-crypto/tink-cc-awskms
• https://github.com/tink-crypto/tink-cc-gcpkms

What's new

This is the first release from https://github.com/tink-crypto/tink-cc.

The complete list of changes since 1.7.0 can be found here.

• Upgraded to use Bazel 6.0.0
• Changed minimum C++ version to C++14
• Changed minimum version of CMake to 3.13
• Changed the structure of the repository adding sources to tink. As a consequence, target labels are now prefixed with tink, for example @tink_cc becomes @tink_cc//tink:tink_cc, or @tink_cc//aead/... becomes @tink_cc//tink/aead/....
• KMS extensions are now published to separate repositories:
  • https://github.com/tink-crypto/tink-cc-awskms
  • https://github.com/tink-crypto/tink-cc-gcpkms
• Upgraded dependencies:
  • Abseil LTS 20230125
  • BoringSSL (Commit from 2023-02-15)
  • Protobuf X.21.9
• Added support for building on Windows with Microsoft Visual Studio 2019 version 16.10.4.0 or later with CMake and Bazel
• Added walkthrough examples and ability to build examples with CMake
• Added new keyset handle APIs (experimental)
• Added/upgraded CI test scripts
• Removed deprecated APIs:
  • Removed Catalogue APIs (commits: #1, #2, #3).
  • Removed RegisterKeyManager from Registry (commits: #1)
  • Removed Latest from Tink's *_config.h (commits: #1)
  • Removed config.h (commits: #1)
• Make util::Status an alias of absl::Status (commits: #1, #2)