Hacking Tink for Java and Android

Building Tink

  • Install Bazel.

  • To build Java, install Android SDK 23 or newer and set the ANDROID_HOME environment variable to the path of your Android SDK. On macOS, the SDK is usually installed at /Users/username/Library/Android/sdk/. You also need Android SDK Build Tools 24.0.3 or newer.

  • Check out the source code and build:

git clone https://github.com/google/tink
cd tink
bazel test java/...

Code structure

Java packages

  • com.google.crypto.tink This package consists only of the core of Tink, including the primitive interfaces and key management APIs. Users that develop their own primitives or key types can depend only on this package and exclude the rest.

    • internal dependencies: none
    • external dependencies
      • com.google.protobuf.ByteString
      • com.google.protobuf.MessageLite
      • javax.annotation.concurrent.GuardedBy
      • org.json.JSONArray
      • org.json.JSONException
      • org.json.JSONObject
    • API backward-compatibility guarantee: yes
  • com.google.crypto.tink.aead|daead|mac|signature|hybrid|streamingaead These packages contain the public APIs exposing the primitives that Tink supports.

    • internal dependencies
      • com.google.crypto.tink
      • com.google.crypto.tink.subtle
      • com.google.crypto.tink.proto
    • external dependencies
      • com.google.protobuf.ByteString
      • com.google.protobuf.MessageLite
      • javax.annotation.concurrent.GuardedBy
    • API backward-compatibility guarantee: yes
  • com.google.crypto.tink.integration.gcpkms This package allows users to store keys in Google Cloud Key Management System.

    • internal dependencies
      • com.google.crypto.tink
      • com.google.crypto.tink.subtle
    • external dependencies
      • com.google.api.services.cloudkms.v1
      • com.google.api.client.googleapis.auth.oauth2.GoogleCredential
      • com.google.api.client.http.javanet.NetHttpTransport
      • com.google.api.client.json.jackson2.JacksonFactory
      • com.google.auto.service.AutoService
    • API backward-compatibility guarantee: yes
  • com.google.crypto.tink.integration.awskms This package allows users to store keys in AWS Key Management System.

    • internal dependencies
      • com.google.crypto.tink
      • com.google.crypto.tink.subtle
    • external dependencies
      • com.amazonaws.AmazonServiceException
      • com.amazonaws.auth.AWSCredentialsProvider
      • com.amazonaws.auth.DefaultAWSCredentialsProviderChain
      • com.amazonaws.auth.PropertiesFileCredentialsProvider
      • com.amazonaws.services.kms
      • com.google.auto.service.AutoService
    • API backward-compatibility guarantee: yes
  • com.google.crypto.tink.integration.android This package allows Android users to store keys in private preferences, wrapped with a master key in Android Keystore. The integration with Android Keystore only works on Android M (API level 23) or higher.

    • internal dependencies
      • com.google.crypto.tink
      • com.google.crypto.tink.subtle
    • external dependencies
      • Android SDK 23 or higher
    • API backward-compatibility guarantee: yes
  • com.google.crypto.tink.subtle This package contains implementations of primitives. Aside from the primitive interfaces, this package is not allowed to depend on anything else in Tink. Users should never directly depend on this package.

    • internal dependencies
      • com.google.crypto.tink.Aead
      • com.google.crypto.tink.DeterministicAead
      • com.google.crypto.tink.HybridDecrypt
      • com.google.crypto.tink.HybridEncrypt
      • com.google.crypto.tink.Mac
      • com.google.crypto.tink.StreamingAead
      • com.google.crypto.tink.PublicKeySign
      • com.google.crypto.tink.PublicKeyVerify
    • external dependencies
      • javax.annotation.concurrent.GuardedBy
    • API backward-compatibility guarantee: no
  • com.google.crypto.tink.proto This package contains protobuf auto-generated Java code. Users should never directly depend on this package.

    • internal dependencies: none
    • external dependencies: none
    • API backward-compatibility guarantee: no

Bazel targets

  • //java This public target exports all public APIs, except com.google.crypto.tink.integration.android and com.google.crypto.tink.CleartextKeysetHandle. It is expected to run on servers, not Android.

  • //java:android Similar to //java, but this public target adds com.google.crypto.tink.integration.android, and removes com.google.crypto.tink.integration.gcpkms and com.google.crypto.tink.integration.awskms. To build it, one needs Android SDK 23 or newer.

  • //java:subtle This restricted target exposes com.google.crypto.tink.subtle. It's restricted because most users are not supposed to use it directly.

  • //java:cleartext_keyset_handle and //java:cleartext_keyset_handle_android These restricted targets expose com.google.crypto.tink.CleartextKeysetHandle. They're restricted because they allow users to read cleartext keysets from disk, which is a bad practice.

  • //java:protos and //java:protos_android These restricted targets expose com.google.crypto.tink.proto. They're restricted because most users are not supposed to use it directly.
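
An added example, not part of Tink or of the original page: a small Python check that flags uses of the restricted APIs described above (com.google.crypto.tink.subtle, com.google.crypto.tink.proto and com.google.crypto.tink.CleartextKeysetHandle) in application Java source. The function name, the reason strings and the sample source are assumptions made for this illustration.

```python
import re

# Restricted APIs named on this page; the reason strings are this example's wording.
RESTRICTED = {
    "com.google.crypto.tink.subtle": "implementation package, no API compatibility guarantee",
    "com.google.crypto.tink.proto": "generated protobuf code, no API compatibility guarantee",
    "com.google.crypto.tink.CleartextKeysetHandle": "handles cleartext keysets",
}
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
_WILDCARD = re.compile(r"^\s*import\s+com\.google\.crypto\.tink\.\*\s*;", re.MULTILINE)


def find_restricted_uses(java_source):
    """Return sorted (line, restricted_name, reason) tuples for one Java source file."""
    # Heuristic: blank out comments but keep their newlines so line numbers stay valid.
    # A "//" inside a string literal is treated as the start of a comment.
    code = _COMMENT.sub(lambda m: "\n" * m.group().count("\n"), java_source)
    patterns = {name: re.compile(r"(?<![\w.])" + re.escape(name) + r"(?!\w)")
                for name in RESTRICTED}
    if _WILDCARD.search(code):
        # `import com.google.crypto.tink.*;` makes the simple class name usable.
        patterns["com.google.crypto.tink.CleartextKeysetHandle"] = re.compile(
            r"(?<![\w.])(?:com\.google\.crypto\.tink\.)?CleartextKeysetHandle(?!\w)")
    findings = set()
    for lineno, line in enumerate(code.split("\n"), start=1):
        for name, pattern in patterns.items():
            if pattern.search(line):
                findings.add((lineno, name, RESTRICTED[name]))
    return sorted(findings)


# Constructed sample input, not taken from any real project.
SAMPLE = """package com.example.app;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.subtle.AesGcmJce;
import static com.google.crypto.tink.subtle.Hex.encode;
/* import com.google.crypto.tink.proto.Keyset; */

class Demo {
  // com.google.crypto.tink.CleartextKeysetHandle appears only in this comment
  Object k = com.google.crypto.tink.proto.KeyData.getDefaultInstance();
}
"""

if __name__ == "__main__":
    for lineno, name, reason in find_restricted_uses(SAMPLE):
        print(f"line {lineno}: {name} ({reason})")
```

A check like this complements the Bazel visibility restrictions for code bases that consume Tink as a jar, where the restricted target boundaries are not enforced by the build.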

Maven jars