Tink 设置

您可以从源代码构建 Tink,也可以使用特定于语言的软件包。请按照以下说明开始操作。

安装并设置完 Tink 后,请继续执行本页面末尾的后续步骤

C++

Tink 提供以下 C++ 库:

Tink C++ (tink-cc)

Tink C++ 依赖于:

Tink C++ 支持:

  • C++ >= 14
  • 操作系统:
    • UbuntuLTS >= 20.04 (x86_64)
    • macOS 12.5 Monterey(x86_64)及更高版本
    • Windows Server 2019 或更高版本 (x86_64)
  • 编译器:
    • GCC >= 7.5.0
    • Apple Clang 14 或更高版本
    • MSVC >= 2019
  • 构建系统:

CMake

您应将 tink-cc 添加为树内依赖项。例如:

cmake_minimum_required(VERSION 3.13)
project(YourProject CXX)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
set(CMAKE_CXX_STANDARD 14)
include(FetchContent)

# Import Tink as an in-tree dependency.
FetchContent_Declare(
  tink
  URL       https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.3.0.zip
  URL_HASH  SHA256=363ce671ab5ce0b24f279d3647185597a25f407c3608db007315f79f151f436b
)
FetchContent_GetProperties(tink)
if(NOT googletest_POPULATED)
  FetchContent_Populate(tink)
    add_subdirectory(${tink_SOURCE_DIR} ${tink_BINARY_DIR} EXCLUDE_FROM_ALL)
endif()

add_executable(your_app your_app.cc)
target_link_libraries(your_app tink::static)

Bazel

Bzlmod

如果您使用的是将 Bazel 与模块搭配使用,请在 MODULE.bazel 文件中添加以下代码:

bazel_dep(name = "tink_cc", version = "2.3.0")

工作区

如果您将 Bazel 与 WORKSPACE 文件搭配使用,请在 WORKSPACE 文件中添加以下代码:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.3.0.zip"],
    strip_prefix = "tink-2.3.0",
    sha256 = "363ce671ab5ce0b24f279d3647185597a25f407c3608db007315f79f151f436b",
)

load("@tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

Tink C++ AWS KMS 扩展 (tink-cc-awskms)

Tink C++ Google Cloud KMS 依赖于:

Tink C++ AWS KMS 支持:

  • C++ >= 14
  • 操作系统:
    • UbuntuLTS >= 20.04 (x86_64)
    • macOS 12.5 Monterey(x86_64)及更高版本
  • 编译器:
    • GCC >= 7.5.0
    • Apple Clang 14 或更高版本
  • 构建系统:

Bazel

您应将以下代码添加到项目的 WORKSPACE 文件中:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "tink_cc",
    urls = ["https://github.com/tink-crypto/tink-cc/archive/refs/tags/v2.3.0.zip"],
    strip_prefix = "tink-2.3.0",
    sha256 = "363ce671ab5ce0b24f279d3647185597a25f407c3608db007315f79f151f436b",
)

load("@tink_cc//:tink_cc_deps.bzl", "tink_cc_deps")

tink_cc_deps()

load("@tink_cc//:tink_cc_deps_init.bzl", "tink_cc_deps_init")

tink_cc_deps_init()

http_archive(
    name = "tink_cc_awskms",
    urls = ["https://github.com/tink-crypto/tink-cc-awskms/archive/refs/tags/v2.0.1.zip"],
    strip_prefix = "tink-cc-awskms-2.0.1",
    sha256 = "366319b269f62af120ee312ce4c99ce3738ceb23ce3f9491b4859432f8b991a4",
)

load("@tink_cc_awskms//:tink_cc_awskms_deps.bzl", "tink_cc_awskms_deps")

tink_cc_awskms_deps()

Tink C++ Google Cloud KMS 扩展 (tink-cc-gcpkms)

Tink C++ Google Cloud KMS 依赖于:

Tink C++ Google Cloud KMS 支持:

  • C++ >= 14
  • 操作系统:
    • UbuntuLTS >= 20.04 (x86_64)
    • macOS 12.5 Monterey(x86_64)及更高版本
  • 编译器:
    • GCC >= 7.5.0
    • Apple Clang 14 或更高版本
  • 构建系统:

Bazel

您应将以下代码添加到项目的 WORKSPACE 文件中:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "tink_cc_gcpkms",
    urls = ["https://github.com/tink-crypto/tink-cc-gcpkms/releases/download/v2.2.0/tink-cc-gcpkms-2.2.0.zip"],
    strip_prefix = "tink-cc-gcpkms-2.2.0",
    sha256 = "ffb9d05c64ca28b5eb54fe79e7c3f93fad68f00e45f74f6b9ce1bd3a32b3d6fd",
)

load("@tink_cc_gcpkms//:tink_cc_gcpkms_deps.bzl", "tink_cc_gcpkms_deps")

tink_cc_gcpkms_deps()

load("@tink_cc_gcpkms//:tink_cc_gcpkms_deps_init.bzl", "tink_cc_gcpkms_deps_init")

tink_cc_gcpkms_deps_init(register_go = True)

Go

Tink 提供以下 Go 库:

所有 Tink Go 库都发布为 Go 模块,可与标准 Go 工具Bazel 搭配使用。

Tink Go (tink-go)

Go 工具

从项目目录运行以下命令:

go get github.com/tink-crypto/tink-go/v2@v2.2.0

请参阅官方 Go 文档

Tink Go AWS KMS 扩展程序 (tink-go-awskms)

Go 工具

从项目目录运行以下命令:

go get github.com/tink-crypto/tink-go-awskms/v2@2.1.0

请参阅官方 Go 文档

Tink Go Google Cloud KMS 扩展程序 (tink-go-gcpkms)

Go 工具

从项目目录运行以下命令:

go get github.com/tink-crypto/tink-go-gcpkms/v2@v2.2.0

请参阅官方 Go 文档

Tink Go HashiCorp Vault 扩展程序 (tink-go-hcvault)

Go 工具

从项目目录运行以下命令:

go get github.com/tink-crypto/tink-go-hcvault/v2@v2.2.0

请参阅官方 Go 文档

Java

Tink 提供以下 Java 库:

Java 版 Tink 支持 Java 8 或更高版本。您可以将 Tink Java Maven 工件添加到 Maven 或 Gradle 项目中,也可以使用 Bazel

从 API 级别 24 开始,完全支持 Tink Android。从 API 级别 21 开始,Tink 的大多数部分都应该可以正常运行。在 API 级别 21 下,Tink 无法开箱即用,需要进行以下配置:

  • JWT 库需要 API 级别 24,因为它使用 java.util.Optional 等类。通过脱糖可以避免此限制。
  • 从 API 级别 23 开始,com.google.crypto.tink.integration.android 中的类才会经过全面测试。
  • com.google.crypto.tink.streamingaead 中的某些 API 使用 SeekableByteBufferChannel,而 SeekableByteBufferChannel 仅从 API 级别 24 开始提供。

请注意,出于技术原因,我们仅在 Google 内部基础架构上测试 Android 版 Tink。我们预计不会因此出现任何问题,但如果您遇到任何问题,请提交问题。

Tink Android 无需 proguard 配置。

Tink Java (tink-java)

Maven

您可以使用 Maven 添加 Tink Java 和 Tink Android 库:

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.15.0</version>
</dependency>

如果您以 Android 为目标平台,则可以使用以下方法从 Gradle 使用 tink-android

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.15.0'
}

Bazel

Bazel 用户将 Tink Java 添加为依赖项的推荐方法是在 WORKSPACE 文件中使用 rules_jvm_external 工具安装 Maven 版本工件:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "6.1"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)

load("@rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

load("@rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.15.0",
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

如果您想从源代码构建 tink-java(例如,固定特定提交),可以将其作为 http_archive 包含在 WORKSPACE 文件中:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

TINK_COMMIT="f4127f6b6ab9c367d41ade1f50db6f0ef9909044"
TINK_SHA256="e246f848f7749e37f558955ecb50345b04d79ddb9d8d1e8ae19f61e8de530582"

http_archive(
    name = "tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/%s.zip" % TINK_COMMIT],
    strip_prefix = "tink-%s" % TINK_COMMIT,
    sha256 = TINK_SHA256
)

load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

# rules_jvm_external is imported and initialized by tink_java_deps and
# tink_java_deps_init.
load("@rules_jvm_external//:defs.bzl", "maven_install")

maven_install(
  artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
  repositories = [
      "https://maven.google.com",
      "https://repo1.maven.org/maven2",
  ],
)

Tink Java AWS KMS 扩展程序 (tink-java-awskms)

Maven

您可以使用 Maven 添加 Tink Java 和 Tink Android 库:

<dependencies>
  <dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink-awskms</artifactId>
    <version>1.10.1</version>
  </dependency>
</dependencies>

Bazel

您可以使用 rules_jvm_external 工具将 com.google.crypto.tink:tink-awskms Maven 工件与 com.google.crypto.tink:tink 一起安装。

# ...

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.15.0",
        "com.google.crypto.tink:tink-awskms:1.10.1",
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

或者,您也可以将其作为 http_archive 依赖项添加:

# ...

http_archive(
    name = "tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/releases/download/v1.15.0/tink-java-1.15.0.zip"],
    strip_prefix = "tink-java-1.15.0",
    sha256 = "e246f848f7749e37f558955ecb50345b04d79ddb9d8d1e8ae19f61e8de530582",
)

load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

http_archive(
    name = "tink_java_awskms",
    urls = ["https://github.com/tink-crypto/tink-java-awskms/releases/download/v1.10.1/tink-java-awskms-1.10.1.zip"],
    strip_prefix = "tink-java-awskms-1.10.1",
    sha256 = "5f08f3a343fb2028784ee2344e102cf4f753b4d23252318b3f8ac48208d3e2fa",
)

load("@tink_java_awskms//:tink_java_awskms_deps.bzl", "TINK_JAVA_AWSKMS_MAVEN_ARTIFACTS")

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + TINK_JAVA_AWSKMS_MAVEN_ARTIFACTS + [
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

Tink Java Google Cloud KMS 扩展程序 (tink-java-gcpkms)

Maven

<dependencies>
  <dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink-gcpkms</artifactId>
    <version>1.10.0/version>
  </dependency>
</dependencies>

Bazel

您可以使用 rules_jvm_external 工具将 com.google.crypto.tink:tink-gcpkms Maven 工件与 com.google.crypto.tink:tink 一起安装。

# ...

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.15.0",
        "com.google.crypto.tink:tink-gcpkms:1.10.0",
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

或者,您也可以将其作为 http_archive 依赖项添加:

# ...

http_archive(
    name = "tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/releases/download/v1.15.0/tink-java-1.15.0.zip"],
    strip_prefix = "tink-java-1.15.0",
    sha256 = "e246f848f7749e37f558955ecb50345b04d79ddb9d8d1e8ae19f61e8de530582",
)

load("@tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

http_archive(
    name = "tink_java_gcpkms",
    urls = ["https://github.com/tink-crypto/tink-java-gcpkms/releases/download/v1.10.0/tink-java-gcpkms-1.10.0.zip"],
    strip_prefix = "tink-java-gcpkms-1.10.0",
    sha256 = "ad85625cc4409f2f6ab13a8eef39c965501585e9323d59652cce322b3d2c09a2",
)

load("@tink_java_gcpkms//:tink_java_gcpkms_deps.bzl", "TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS")

maven_install(
    artifacts =  TINK_MAVEN_ARTIFACTS + TINK_JAVA_GCPKMS_MAVEN_ARTIFACTS + [
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

Tink Java Apps 扩展程序 (tink-java-apps)

Maven

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>apps-webpush</artifactId>
  <version>1.11.0</version>
</dependency>

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>apps-paymentmethodtoken</artifactId>
  <version>1.11.0</version>
</dependency>

<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>apps-rewardedads</artifactId>
  <version>1.11.0</version>
</dependency>

Bazel

您可以使用 rules_jvm_external 工具安装任何 com.google.crypto.tink:apps-* Maven 工件。

# ...

maven_install(
    artifacts = [
        "com.google.crypto.tink:apps-webpush:1.11.0",
        "com.google.crypto.tink:apps-paymentmethodtoken:1.11.0",
        "com.google.crypto.tink:apps-rewardedads:1.11.0",
        # ... other dependencies ...
    ],
    repositories = [
        "https://maven.google.com",
        "https://repo1.maven.org/maven2",
    ],
)

ObjC

请参阅 GitHub 上的操作方法

Python

Tink Python 库 tink-py 支持 macOS (x86-64 和 ARM64)、Linux (x86-64 和 ARM64) 和 Windows (x86-64) 上的 Python 3.8 或更高版本。最新版本为 1.10.0。您可以使用 Pip 在本地安装它,也可以与 Bazel 搭配使用。

Tink Python 支持与 AWS KMSGoogle Cloud KMSHashiCorp Vault 集成。

Pip

您可以通过运行以下命令,从 PyPI 为您的系统安装 Tink Python 二进制版本:

pip3 install tink==1.10.0
# Core Tink + Google Cloud KMS extension.
pip3 install tink[gcpkms]==1.10.0
# Core Tink + AWS KMS extension.
pip3 install tink[awskms]==1.10.0
# Core Tink + HashiCorp Vault KMS extension.
pip3 install tink[hcvault]==1.10.0
# Core Tink + all the KMS extensions.
pip3 install tink[all]==1.10.0

如果未针对您的环境发布二进制软件包,pip 会自动改用发布到 PyPI 的源代码分发版来构建项目。如果是这种情况,您需要安装 BazelBazelisk 以及 protobuf 编译器,才能成功构建项目。

Bazel

Bazel 用户可以在其 WORKSPACE 文件中添加 Tink Python,如下所示:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "tink_py",
    urls = ["https://github.com/tink-crypto/tink-py/releases/download/v1.10.0/tink-py-1.10.0.zip"],
    strip_prefix = "tink-py-1.10.0",
    sha256 = "767453aae4aad6de4fbb4162992184aa427b7b27864fe9912c270b24c673e1cc",
)

load("@tink_py//:tink_py_deps.bzl", "tink_py_deps")
tink_py_deps()

load("@rules_python//python:repositories.bzl", "py_repositories")
py_repositories()

load("@tink_py//:tink_py_deps_init.bzl", "tink_py_deps_init")
tink_py_deps_init("tink_py")

后续步骤

完成 Tink 设置后,请继续执行标准的 Tink 使用步骤:

  • 选择基元 - 根据您的用例确定要使用的基元
  • 管理密钥 - 使用外部 KMS 保护密钥、生成密钥集以及轮替密钥