chore(deps): update dependency com.google.crypto.tink:tink to v1.18.0

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.google.crypto.tink:tink	1.15.0 -> 1.18.0

---

Release Notes

tink-crypto/tink-java (com.google.crypto.tink:tink)

v1.18.0: Tink Java v1.18.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and
misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.18.0

The complete list of changes since 1.17.0 can be found here.

Dropped support

• Tink Android no longer supports API level 21 and 22. From Tink 1.18.0, the
  minimum API level is 23.

• Removed Registry.wrap. This API cannot have been used by users: the
  PrimitiveSet needed for it was already moved to internal in Tink 1.13.0.

New Features

• Use Conscrypt's implementation of Ed25519 when available.

• Improved performance of AES-GCM-SIV.

• Tink now provides a flag GlobalTinkFlags.validateKeysetsOnParsing(). If
  set to true, Tink will run certain validations on a keyset before it creates
  a KeysetHandle. We plan to flip the default of this flag to true in Tink
  2.0.

Bug fixes

• AeadConfig.register() now always registers AES-GCM-SIV. If it's not
  supported by the registered JCE Providers, it will fail when the primitive
  is created.

• The Aead implementation returned by
  com.google.crypto.tink.integration.android.AndroidKeystore.getAead()
  created invalid ciphertexts on Android API version 28 and older when
  the input was larger than 128kB. Now, it throws an exception instead.

• JwtHmacKey, LegacyKmsAeadKey, and LegacyKmsEnvelopeAeadKey are now
  final. These cannot be properly subclassed as this would break equalsKey.

Obscure behaviour changes

• Primitive creation of AES-GCM-SIV now will fail if the algorithm is not
  available. Previously, this used to work with some Configurations succeeding
  and the primitive then failed when encrypt or decrypt was called.

Future work

To see what we're working towards, check our
project roadmap.

Getting started

To get started using Tink, see
the setup guide.

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.18.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.18.0'
}

Bazel:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@​rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.18.0",

##### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with
http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/1.18.0.zip"],
    strip_prefix = "tink-java-1.18.0",
    sha256 = ...
)

load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

##### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

v1.17.0: Tink Java v1.17.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.17.0

What's new

The complete list of changes since 1.16.0 can be found here.

New APIs

This release does not add new functionality.

Bugfixes

Tink Java 1.17.0 fixes the following bugs:

• Memory leak in Prf. See https://github.com/tink-crypto/tink-java/issues/53. When computing Hkdf, Tink used allocateDirect to get a buffer which is only cleaned up asynchronously. This could lead to excessive memory consumption. Thanks to behrooz-stripe@ for reporting and fixing the issue!

Future work

To see what we're working towards, check our
project roadmap.

Getting started

To get started using Tink, see
the setup guide.

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.17.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.17.0'
}

Bazel:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@​rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.17.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.17.0.zip"],
    strip_prefix = "tink-java-1.17.0",
    sha256 = ...
)

load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

v1.16.0: Tink Java v1.16.0

Compare Source

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.16.0

What's new

The complete list of changes since 1.15.0 can be found here.

• Added new API AndroidKeystore, which is now the preferred way to interact with the Android Keystore.
• Before this release, the decision whether to use Conscrypt was done at time of class loading of some specific internal classes. If Conscrypt was not installed before the specific class for a primitive was loaded, Conscrypt was never used. Now, the decision is made whenever a new primitive is instantiated.
• In HPKE, use Conscrypt implementation of X25519 when available. On Android, it is available since API version 31. This makes HPKE both faster and uses less memory.
• Updated deps:
  • protobuf (4.28.2)
• Allow @AccessesPartialKey to be applied to fields and local variables, as well as methods and classes.
• Added support for X-AES-GCM, which is an AEAD algorithm with extended nonce. It uses AES-CMAC for key derivation and AES-GCM for encryption. It is a generalization of the specification in https://c2sp.org/XAES-256-GCM.
• Added configurations that allow specifying what key types are when using Tink in your application. Tink provides defaults (ConfigurationV0) that are backwards compatible with behavior before configs were introduced.

Future work

To see what we're working towards, check our project roadmap.

Getting started

To get started using Tink, see the setup guide.

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.16.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.16.0'
}

Bazel:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "4.5"
RULES_JVM_EXTERNAL_SHA ="b17d7388feb9bfa7f2fa09031b32707df529f26c91ab9e5d909eb1676badd9a6"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/refs/tags/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@​rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.16.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.16.0.zip"],
    strip_prefix = "tink-java-1.16.0",
    sha256 = ...
)

load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[lqiu96]

@huangjiahua Could you take a look at the CI issues regarding Aead?

[huangjiahua]

Looks like Tink is upgrading to protobuf 4.28 in the new version:

Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-com.google.protobuf:protobuf-java:3.25.5
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-dev.cel:cel:0.9.0-proto3
Error:      +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:3.25.5
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-com.google.crypto.tink:tink:1.16.0
Error:      +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:4.28.2
Error:  and
Error:  +-com.google.auth:google-auth-library-cab-token-generator:1.31.1-SNAPSHOT
Error:    +-dev.cel:cel:0.9.0-proto3
Error:      +-com.google.protobuf:protobuf-java-util:3.25.5
Error:        +-com.google.protobuf:protobuf-java:3.25.5 (managed) <-- com.google.protobuf:protobuf-java:3.25.5
Error:  ]

This is the PR that they upgraded protobuf: tink-crypto/tink-java#44. It seems that their reasoning is protobuf 4.28 has restored binary compatibility with classes generated using 3.x. Does this mean we can exclude the protobuf version for Tink?

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun