### Basic CMake Setup Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/CMakeLists.txt Configures the minimum CMake version, project name, and C++ standard for the examples. ```cmake cmake_minimum_required(VERSION 3.13) project(Examples CXX) set(CMAKE_CXX_STANDARD 14) set(CMAKE_CXX_STANDARD_REQUIRED ON) set(CMAKE_BUILD_TYPE Release) ``` -------------------------------- ### Install Tink with go get for Golang Source: https://github.com/tink-crypto/tink/blob/master/README.md Use go get to install the Tink library for Golang projects. ```sh go get github.com/google/tink/go/... ``` -------------------------------- ### Build and Run MAC Example with Bazel Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/mac/README.md Builds the Tink Java examples using Bazel and then runs the MAC example to compute and verify a MAC. ```shell git clone https://github.com/google/tink cd tink/examples/java_src bazel build ... echo "some data" > data.txt touch mac_file.txt ./bazel-bin/mac/mac_example compute \ ./mac/mac_test_keyset.json data.txt mac_file.txt ./bazel-bin/mac/mac_example verify \ ./mac/mac_test_keyset.json data.txt mac_file.txt ``` -------------------------------- ### Build and Run Java Signature Example with Bazel Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/signature/README.md Build the Java example using Bazel and then execute the signature and verification commands. ```shell git clone https://github.com/google/tink cd tink/examples/java_src bazel build ... echo "some data" > data.txt touch signature_file.txt ./bazel-bin/signature/signature_example sign \ ./signature/signature_test_private_keyset.json data.txt signature_file.txt ./bazel-bin/signature/signature_example verify \ ./signature/signature_test_public_keyset.json data.txt signature_file.txt ``` -------------------------------- ### Build Java AEAD Example with Bazel Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/aead/README.md Clones the Tink repository and builds the Java AEAD example using Bazel. This is a setup step before running the encryption and decryption commands. ```shell git clone https://github.com/google/tink cd tink/examples/java_src bazel build ... ``` -------------------------------- ### Build Tink Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/cleartextkeyset/README.md Builds the Tink Java examples using Bazel. Ensure you have cloned the Tink repository and navigated to the correct directory. ```shell git clone https://github.com/google/tink cd tink/examples/java_src bazel build ... ``` -------------------------------- ### Install Tink with Pip Source: https://github.com/tink-crypto/tink/blob/master/python/examples/envelope_aead/README.md Clone the Tink repository and install the Python package using pip. This is a prerequisite for running the Pip-based envelope encryption example. ```shell $ git clone https://github.com/google/tink $ cd tink/python $ pip3 install . ``` -------------------------------- ### Build and Install Tink Python Package with pip Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Build and install the Tink Python package using pip and the provided setup script. This method requires Bazel and the protobuf compiler. ```shell cd python pip3 install . ``` -------------------------------- ### Build and Run JWT Signing Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/jwt/README.md Builds and runs the Java JWT signing example using Bazel. This command signs a JWT with the provided private keyset and audience, saving the token to a file. ```shell $ git clone https://github.com/google/tink $ cd tink/examples/java_src $ bazel build ... $ touch token.txt $ ./bazel-bin/jwt/jwt_sign \ ./jwt/jwt_signature_test_private_keyset.json example_audience token.txt ``` -------------------------------- ### Build and Run JWT Verification Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/jwt/README.md Builds and runs the Java JWT verification example using Bazel. This command verifies a JWT against a public JWK set and audience, reading the token from a file. ```shell $ ./bazel-bin/jwt/jwt_verify \ public_jwk_set.json example_audience token.txt ``` -------------------------------- ### Install Tink with pip for Python Source: https://github.com/tink-crypto/tink/blob/master/README.md Use pip to install the Tink library for Python projects. ```sh pip3 install tink ``` -------------------------------- ### Build Hybrid Encryption Example with Bazel Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/hybrid/README.md Clone the Tink repository and build the hybrid encryption example using Bazel. This prepares the executable for running encryption and decryption. ```shell git clone https://github.com/google/tink cd tink/java_src/examples bazel build hybrid_example ``` -------------------------------- ### Build Tink Python Examples with Bazel Source: https://github.com/tink-crypto/tink/blob/master/python/examples/aead/README.md Clone the Tink repository and build the Python examples using Bazel. This is a prerequisite for running the AEAD CLI tool. ```shell $ git clone https://github.com/google/tink $ cd tink/python/examples $ bazel build ... ``` -------------------------------- ### Install Cocoapod Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Execute this command after updating your Podfile to install the specified Tink version. ```sh $ pod install ``` -------------------------------- ### Install Tink from TestPyPI Source: https://github.com/tink-crypto/tink/blob/master/python/tools/distribution/README.md Install the Tink package from the TestPyPI repository using pip. Useful for verifying releases before uploading to the main PyPI. ```bash pip3 install -i https://test.pypi.org/simple/ tink ``` -------------------------------- ### Encrypt File using Deterministic AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/deterministicaead/README.md Encrypt a file using the compiled Deterministic AEAD example. This command takes the keyset file, input plaintext file, and output ciphertext file as arguments. ```shell echo "some data" > testdata.txt ./bazel-bin/deterministicaead/deterministic_aead_example encrypt \ ./deterministicaead/deterministic_aead_test_keyset.json \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Encrypt File with Java AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/aead/README.md Encrypts the content of a file using the pre-generated AEAD keyset and the compiled Java AEAD example binary. The encrypted output is saved to a new file. ```shell echo "some data" > testdata.txt ./bazel-bin/aead/aead_example encrypt \ ./aead/aead_test_keyset.json \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Decrypt File using Deterministic AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/deterministicaead/README.md Decrypt an encrypted file using the compiled Deterministic AEAD example. This command requires the keyset file, the encrypted ciphertext file, and the output decrypted plaintext file. ```shell ./bazel-bin/deterministicaead/deterministic_aead_example decrypt \ ./deterministicaead/deterministic_aead_test_keyset.json \ testdata.txt.encrypted testdata.txt.decrypted diff testdata.txt testdata.txt.decrypted ``` -------------------------------- ### Register All Tink Implementations Source: https://github.com/tink-crypto/tink/blob/master/docs/JAVA-HOWTO.md Use this snippet to register all available implementations of all primitives in Tink. This is a convenient way to get started with Tink's full functionality. ```java import com.google.crypto.tink.config.TinkConfig; TinkConfig.register(); ``` -------------------------------- ### Encrypt File with Java Streaming AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/streamingaead/README.md Encrypt a local file using the compiled Bazel executable. Provide the path to the keyset file, the input file, and the desired output file name for the encrypted data. ```shell echo "some data" > testdata.txt ./bazel-bin/streamingaead/streamingaead_example encrypt \ ./streamingaead/streaming_aead_test_keyset.json \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Enabling Testing and Subdirectories Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/CMakeLists.txt Enables testing and adds subdirectories for various Tink example modules. ```cmake enable_testing() add_subdirectory(util) add_subdirectory(aead) add_subdirectory(digital_signatures) add_subdirectory(hybrid_encryption) add_subdirectory(jwt) add_subdirectory(mac) add_subdirectory(walkthrough) ``` -------------------------------- ### Generate Cleartext Keyset Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/cleartextkeyset/README.md Generates a cleartext keyset file using the Tink example binary. This command creates a JSON file containing the keyset. ```shell ./bazel-bin/cleartextkeyset/cleartext_keyset_example generate aes128_gcm_test_keyset.json ``` -------------------------------- ### Decrypt File with Java AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/aead/README.md Decrypts a previously encrypted file using the AEAD keyset and the Java AEAD example binary. The decrypted content is saved to a new file, which can then be compared to the original. ```shell ./bazel-bin/aead/aead_example decrypt \ ./aead/aead_test_keyset.json \ testdata.txt.encrypted testdata.txt.decrypted diff testdata.txt testdata.txt.decrypted ``` -------------------------------- ### Decrypt File with Java Streaming AEAD Example Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/streamingaead/README.md Decrypt an encrypted file using the compiled Bazel executable. Provide the path to the keyset file, the encrypted input file, and the desired output file name for the decrypted data. Verify the decryption by comparing with the original file. ```shell ./bazel-bin/streamingaead/streamingaead_example decrypt \ ./streamingaead/streaming_aead_test_keyset.json \ testdata.txt.encrypted testdata.txt.decrypted diff testdata.txt testdata.txt.decrypted ``` -------------------------------- ### Encrypt File using Hybrid Encryption Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/hybrid/README.md Encrypts a file using the hybrid encryption example executable and a public keyset. The output is a ciphertext file. ```shell echo "some data" > testdata.txt ../bazel-bin/hybrid/hybrid_example encrypt \ ../hybrid/hybrid_test_public_keyset.json \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Encrypt File with Envelope Encryption Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/envelopeaead/README.md Encrypts a file using the envelope AEAD example. Requires a service account JSON file and a KMS key URI. ```shell echo "some data" > testdata.txt # Replace `` in `gcp-kms://` with your key URI, and # my-service-account.json with your service account's credential JSON file. ./bazel-bin/envelopeaead/envelope_aead_example encrypt \ my-service-account.json \ gcp-kms:// \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Generate Deterministic AEAD Keyset Source: https://github.com/tink-crypto/tink/blob/master/python/examples/deterministic_aead/README.md Use Tinkey to create a keyset for Deterministic AEAD encryption. Ensure Tinkey is installed and in your PATH. ```shell $ tinkey create-keyset --key-template AES256_SIV --out-format JSON --out deterministic_aead_test_keyset.json ``` -------------------------------- ### GoogleTest Dependency Management Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/CMakeLists.txt Manages the GoogleTest dependency, either by finding an installed version or fetching it using FetchContent. ```cmake if (TINK_USE_INSTALLED_GOOGLETEST) find_package(GTest CONFIG REQUIRED) # NOTE: _create_interface_target is inherited by Tink. _create_interface_target(gmock GTest::gmock) _create_interface_target(gtest_main GTest::gtest_main) else() include(FetchContent) FetchContent_Declare( googletest URL https://github.com/google/googletest/archive/refs/tags/release-1.11.0.tar.gz URL_HASH SHA256=b4870bf121ff7795ba20d20bcdd8627b8e088f2d1dab299a031c1034eddc93d5 ) FetchContent_GetProperties(googletest) if(NOT googletest_POPULATED) FetchContent_Populate(googletest) add_subdirectory( ${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) endif() endif() ``` -------------------------------- ### Encrypt File with Streaming AEAD CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/streaming_aead/README.md Encrypts a local file using the streaming AEAD CLI tool. This requires the keyset generated previously and the Tink examples to be built. ```shell $ echo "some data" > testdata.txt $ ./bazel-bin/streaming_aead/streaming_aead_cli --mode encrypt \ --keyset_path ./streaming_aead/streaming_aead_keyset.json \ --input_path testdata.txt \ --output_path testdata.txt.ciphertext ``` -------------------------------- ### Generate Streaming AEAD Keyset Source: https://github.com/tink-crypto/tink/blob/master/python/examples/streaming_aead/README.md Generates a keyset for streaming AEAD encryption using Tinkey. Ensure Tinkey is installed and in your PATH. ```shell $ tinkey create-keyset --key-template AES256_CTR_HMAC_SHA256_1MB \ --out-format JSON --out streaming_aead_keyset.json ``` -------------------------------- ### Decrypt File using Hybrid Encryption Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/hybrid/README.md Decrypts an encrypted file using the hybrid encryption example executable and a private keyset. Verifies the decrypted content against the original. ```shell ../bazel-bin/hybrid/hybrid_example decrypt \ ../hybrid/hybrid_test_private_keyset.json \ testdata.txt.encrypted testdata.txt.decrypted diff testdata.txt testdata.txt.decrypted ``` -------------------------------- ### Decrypt Data with Hybrid Encryption Primitive Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Shows how to get a HybridDecrypt primitive from a keyset handle and use it to decrypt ciphertext with context information. Includes essential error checking. ```objc #import "Tink/TINKHybridDecrypt.h" #import "Tink/TINKKeysetHandle.h" #import "Tink/TINKHybridDecryptFactory.h" // 1. Get a handle to the key material. TINKKeysetHandle *keysetHandle = ...; // 2. Get the primitive. NSError *error = nil; id hybridDecrypt = [TINKHybridDecryptFactory primitiveWithKeysetHandle:keysetHandle error:&error]; if (!hybridDecrypt || error) { // handle error. } // 3. Use the primitive. NSData *plaintext = [hybridDecrypt decrypt:ciphertext withContextInfo:contextInfo error:&error]; if (!plaintext || error) { // handle error. } ``` -------------------------------- ### Initialize Cocoapods Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Run this command to create a Podfile in your project directory. ```sh pod init ``` -------------------------------- ### Generate Build Directory and Build Project Source: https://github.com/tink-crypto/tink/blob/master/docs/CMAKE-HOWTO.md Standard CMake commands to create a build directory, configure the project, and build the executable. Recommended to use Ninja for faster builds. ```bash mkdir build && cd build cmake .. make ./your_app ``` ```bash cmake -DCMAKE_GENERATOR=Ninja .. ninja ``` -------------------------------- ### Initialize Tink with All Configurations Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Use this snippet to register all available Tink implementations for all primitives. Ensure Tink/TINKAllConfig.h and Tink/TINKConfig.h are imported. ```objc #import "Tink/TINKAllConfig.h" #import "Tink/TINKConfig.h" NSError *error = nil; TINKAllConfig *config = [[TINKAllConfig alloc] initWithError:&error]; if (!config || error) { // handle error. } if (![TINKConfig registerConfig:config error:&error]) { // handle error. } ``` -------------------------------- ### Initialize Tink with AEAD Configuration Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md This snippet registers only the AEAD primitive implementations. Import Tink/TINKAeadConfig.h and Tink/TINKConfig.h. ```objc #import "Tink/TINKAeadConfig.h" #import "Tink/TINKConfig.h" NSError *error = nil; TINKAeadConfig *aeadConfig = [[TINKAeadConfig alloc] initWithError:&error]; if (!aeadConfig || error) { // handle error. } if (![TINKConfig registerConfig:aeadConfig error:&error]) { // handle error. } ``` -------------------------------- ### Run All Tink Go Tests Locally Source: https://github.com/tink-crypto/tink/blob/master/docs/GOLANG-HOWTO.md Navigates to the Tink Go source directory and executes all tests using the go test command. ```sh cd $GOPATH/go/src/github.com/google/tink/go go test ./... ``` -------------------------------- ### Define and Configure Tink Crypto Utility Library Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/util/CMakeLists.txt Defines the static library 'util' and sets its include directories. It also links the library against the Tink static library. ```cmake add_library(util util.cc util.h) target_include_directories(util PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}" "${TINK_EXAMPLES_INCLUDE_PATH}") target_link_libraries(util tink::static) ``` -------------------------------- ### Sign Data with Signature CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/signature/README.md Use the signature CLI tool to sign data from a file using a private keyset. The signature is saved to a specified file. ```shell $ echo "some data" > data.txt $ touch signature_file.txt $ ./bazel-bin/signature/signature_cli --mode sign --keyset_path ./signature/signature_test_private_keyset.json --data_path data.txt --signature_path signature_file.txt ``` -------------------------------- ### Get Hybrid Decrypt Primitive Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Obtain a HybridDecrypt primitive from a KeysetHandle for hybrid encryption operations. This primitive combines public-key and symmetric-key encryption. ```cpp #include "tink/hybrid_decrypt.h" #include "tink/keyset_handle.h" // 1. Get a handle to the key material. KeysetHandle keyset_handle = ...; // 2. Get the primitive. auto hybrid_decrypt_result = keyset_handle.GetPrimitive(); if (!hybrid_decrypt_result.ok()) return hybrid_decrypt_result.status(); auto hybrid_decrypt = std::move(hybrid_decrypt_result.ValueOrDie()); // 3. Use the primitive. auto plaintext_result = hybrid_decrypt.Decrypt(ciphertext, context_info); if (!plaintext_result.ok()) return plaintext_result.status(); auto plaintext = std::move(plaintext_result.ValueOrDie()); ``` -------------------------------- ### Get AEAD Primitive Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Obtain an AEAD primitive from a KeysetHandle to perform symmetric key encryption and decryption. Ensure the KeysetHandle is properly initialized. ```cpp #include "tink/aead.h" #include "tink/keyset_handle.h" // 1. Get a handle to the key material. KeysetHandle keyset_handle = ...; // 2. Get the primitive. auto aead_result= keyset_handle.GetPrimitive(); if (!aead_result.ok()) return aead_result.status(); auto aead = std::move(aead_result.ValueOrDie()); // 3. Use the primitive. auto ciphertext_result = aead.Encrypt(plaintext, aad); if (!ciphertext_result.ok()) return ciphertext_result.status(); auto ciphertext = std::move(ciphertext_result.ValueOrDie()); ``` -------------------------------- ### Register All Standard Tink Implementations Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Use this snippet to register all standard Tink implementations for all primitives. This is the most common way to initialize Tink for general use. ```python import tink from tink import tink_config tink_config.register() ``` -------------------------------- ### Register Standard AEAD Primitive Implementation Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Register only the standard implementations for the AEAD primitive. Use this when you only need AEAD functionality and want a more minimal setup. ```python import tink from tink import aead aead.register() ``` -------------------------------- ### Generate New Keyset with AEAD Key Template Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Generates a KeysetHandle with fresh AEAD key material using a specified key template. Requires importing Tink/TINKAeadKeyTemplate.h and Tink/TINKKeysetHandle.h. ```objc #import "Tink/TINKAeadKeyTemplate.h" #import "Tink/TINKKeysetHandle.h" NSError *error = nil; TINKAeadKeyTemplate *tpl = [[TINKAeadKeyTemplate alloc] initWithKeyTemplate:TINKAes128Gcm error:&error]; if (!tpl || error) { // handle error. } TINKKeysetHandle *handle = [[TINKKeysetHandle alloc] initWithKeyTemplate:tpl error:&error]; if (!handle || error) { // handle error. } ``` -------------------------------- ### Register All Standard Tink Implementations Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Use this snippet to initialize Tink by registering all standard implementations of all primitives available in the current release. Ensure proper error handling for the status object. ```cpp #include "tink/config/tink_config.h" // ... auto status = TinkConfig::Register(); if (!status.ok()) /* ... handle failure */; // ... ``` -------------------------------- ### Build and Test Tink Go with Bazel Source: https://github.com/tink-crypto/tink/blob/master/docs/GOLANG-HOWTO.md Builds all targets and runs tests for Tink Go using Bazel, a build and test tool. ```sh cd $GOPATH/go/src/github.com/google/tink/go bazel build ... && bazel test ... ``` -------------------------------- ### Generate AEAD Keyset with Tinkey Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/aead/README.md Generates a new AEAD keyset using the AES128_GCM template and saves it to a JSON file. This is a prerequisite for running the Java AEAD example. ```shell tinkey create-keyset --key-template AES128_GCM --out-format JSON --out aead_test_keyset.json ``` -------------------------------- ### Add Tink Pod to Podfile (Specific Version) Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Use this format in your Podfile to specify a particular pre-release version of Tink. ```ruby pod 'Tink', '1.2.0-rc2' ``` -------------------------------- ### Envelope Encryption with GCP KMS Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Perform envelope encryption using a Google Cloud KMS key and AES256 GCM. Requires GCP credentials and client setup. ```python import tink from tink import aead from tink.integration import gcpkms import logging key_uri = 'gcp-kms://projects/tink-examples/locations/global/keyRings/foo/cryptoKeys/bar' gcp_credentials = 'credentials.json' plaintext = b'your data...' associated_data = b'context' # Read the GCP credentials and setup client try: gcp_client = gcpkms.GcpKmsClient(key_uri, gcp_credentials) gcp_aead = gcp_client.get_aead(key_uri) except tink.TinkError as e: logging.error('Error initializing GCP client: %s', e) # In a real application, you would handle this error appropriately # For this example, we'll assume it might fail and proceed to show the next step gcp_aead = None # Placeholder for error case # Create envelope AEAD primitive using AES256 GCM for encrypting the data try: key_template = aead.aead_key_templates.AES256_GCM # Ensure gcp_aead is initialized before using it if gcp_aead: env_aead = aead.KmsEnvelopeAead(key_template, gcp_aead) else: # Handle the case where gcp_aead initialization failed env_aead = None # Or raise an exception, depending on desired behavior except tink.TinkError as e: logging.error('Error creating primitive: %s', e) env_aead = None # Placeholder for error case # Use env_aead to encrypt data # This part assumes env_aead was successfully created if env_aead: ciphertext = env_aead.encrypt(plaintext, associated_data) else: ciphertext = None # Indicate failure to encrypt ``` -------------------------------- ### Navigate to Xcode Project Directory Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Change into the directory containing your Xcode project before initializing Cocoapods. ```sh cd /path/to/your/Xcode project/ ``` -------------------------------- ### Generate New Keyset Handle in C++ Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Use KeysetHandle::GenerateNew to create a new KeysetHandle with fresh key material directly in C++ code. This is useful when Tinkey is not an option. Ensure you handle the potential error status returned by the operation. ```cpp auto new_keyset_handle_result = KeysetHandle::GenerateNew(key_template); if (!new_keyset_handle_result.ok()) return new_keyset_handle_result.status(); auto keyset_handle = std::move(new_keyset_handle_result.ValueOrDie()); // use the keyset... ``` -------------------------------- ### Register AEAD Primitive Implementations Source: https://github.com/tink-crypto/tink/blob/master/docs/JAVA-HOWTO.md Use this snippet to register only the implementations for the AEAD (Authenticated Encryption with Associated Data) primitive. This is useful when you only need AEAD functionality and want a more minimal setup. ```java import com.google.crypto.tink.aead.AeadConfig; AeadConfig.register(); ``` -------------------------------- ### Generate Keyset with Tinkey Source: https://github.com/tink-crypto/tink/blob/master/python/examples/signature/README.md Use the tinkey command-line tool to create private and public keysets for digital signatures. Specify the key template and output format. ```shell $ tinkey create-keyset --key-template ECDSA_P256 --out-format JSON --out signature_test_private_keyset.json $ tinkey create-public-keyset --in signature_test_private_keyset.json --in-format JSON --out-format JSON --out signature_test_public_keyset.json ``` -------------------------------- ### Decrypt File with Envelope Encryption Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/envelopeaead/README.md Decrypts a file that was previously encrypted using the envelope AEAD example. Requires the same service account JSON file and KMS key URI used for encryption. ```shell ./bazel-bin/envelopeaead/envelope_aead_example decrypt \ my-service-account.json \ gcp-kms:// \ testdata.txt.encrypted testdata.txt ``` -------------------------------- ### Script to Apply Refaster Templates Source: https://github.com/tink-crypto/tink/blob/master/java_src/tools/refaster/README.md This bash script demonstrates the process of applying Refaster templates to Tink user code. It involves downloading dependencies, compiling Refaster rules, and using Error Prone to generate and apply patches. ```bash ## Note: This script expects to be run from the working directory it is in. ## (I.e., first go into the directory this README.md is in, then copy paste). ## STEP 0: Switch to a directory so the remainder of the script can be run ## without modifying the working directory. code_path=$(pwd) cd $(mktemp -d) ## STEP 1: We get the 3 jar files: ## tink-{version}-jar, error_prone_refaster-{version}.jar, and error_prone_core-{version}.jar ## (For good measure, we verify the 3 sha256sums.) mkdir jars pushd jars maven_base="repo1.maven.org/maven2/com/google" # We download Tink from Head because Tink 1.9 does not have all key templates # This URL is found by going to https://oss.sonatype.org/ and browsing. readonly tink_jar="tink-HEAD-20230824.091635-3982.jar" readonly tink_url="https://oss.sonatype.org/service/local/repositories/snapshots/content/com/google/crypto/tink/tink/HEAD-SNAPSHOT/tink-HEAD-20230824.091635-3982.jar" readonly tink_sha256="ffc313081523d5acf2383a36e21cc6d5e122c3173ae81d12b4d63da00258d871" readonly errorprone_version="2.18.0" readonly refaster_jar="error_prone_refaster-${errorprone_version}.jar" readonly refaster_sha256="0cde0a3db5c2f748fae4633ccd8c66a9ba9c5a0f7a380c9104b99372fd0c4959" readonly errorprone_jar="error_prone_core-${errorprone_version}-with-dependencies.jar" readonly errorprone_sha256="2b3f2d21e7754bece946cf8f7b0e2b2f805c46f58b4839eb302c3d2498a3a55e" wget "${tink_url}" echo "${tink_sha256} ${tink_jar}" | sha256sum -c wget "https://${maven_base}/errorprone/error_prone_refaster/${errorprone_version}/${refaster_jar}" echo "${refaster_sha256} ${refaster_jar}" | sha256sum -c wget "https://${maven_base}/errorprone/error_prone_core/${errorprone_version}/${errorprone_jar}" echo "${errorprone_sha256} ${errorprone_jar}" | sha256sum -c popd ## STEP 2: Use the current file in tink1to2 to create a "tinkrule.refaster": ## First we delete the results of previous copy operations. rm -rf refaster/ ; cp -r "${code_path}" . javac -cp "jars/${tink_jar}:jars/${refaster_jar}" \ "-Xplugin:RefasterRuleCompiler --out ${PWD}/tinkrule.refaster" \ refaster/java/com/google/tink1_templates/AllChanges.java ## STEP 3: Use error prone to create a patch: javac -cp "jars/${tink_jar}:jars/${errorprone_jar}" \ -XDcompilePolicy=byfile \ -processorpath "jars/${errorprone_jar}" \ "-Xplugin:ErrorProne -XepPatchChecks:refaster:${PWD}/tinkrule.refaster -XepPatchLocation:${PWD}" \ refaster/java/com/google/tinkuser/TinkUser.java patch refaster/java/com/google/tinkuser/TinkUser.java error-prone.patch diff refaster/java/com/google/tinkuser/TinkUser.java \ refaster/java/com/google/tinkuser/TinkUser.java_expected ``` -------------------------------- ### Encrypt Data with AEAD Primitive Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Demonstrates how to obtain an AEAD primitive using a keyset handle and then use it to encrypt plaintext data with associated data. Ensure proper error handling. ```objc #import "Tink/TINKAead.h" #import "Tink/TINKKeysetHandle.h" #import "Tink/TINKAeadFactory.h" // 1. Get a handle to the key material. TINKKeysetHandle *keysetHandle = ...; // 2. Get the primitive. NSError *error = nil; id aead = [TINKAeadFactory primitiveWithKeysetHandle:keysetHandle error:&error]; if (!aead || error) { // handle error. } // 3. Use the primitive. NSData *ciphertext = [aead encrypt:plaintext withAdditionalData:aad error:&error]; if (!ciphertext || error) { // handle error. } ``` -------------------------------- ### Obtain and Use Symmetric Key Encryption (AEAD) Primitive Source: https://github.com/tink-crypto/tink/blob/master/docs/JAVA-HOWTO.md Use this snippet to get an AEAD primitive for encrypting or decrypting data with symmetric keys. Ensure you have the necessary Tink AEAD dependencies. ```java import com.google.crypto.tink.Aead; import com.google.crypto.tink.aead.PredefinedAeadParameters; // 1. Generate the key material. KeysetHandle keysetHandle = KeysetHandle.generateNew( PredefinedAeadParameters.AES128_GCM); // 2. Get the primitive. Aead aead = keysetHandle.getPrimitive(Aead.class); // 3. Use the primitive to encrypt a plaintext, byte[] ciphertext = aead.encrypt(plaintext, aad); // ... or to decrypt a ciphertext. byte[] decrypted = aead.decrypt(ciphertext, aad); ``` -------------------------------- ### Add Tink Pod to Podfile (Stable Release) Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Include this line in your Podfile to specify the current stable release of Tink. ```ruby pod 'Tink' ``` -------------------------------- ### Encrypt Data with Hybrid Encryption CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/hybrid/README.md Encrypts a file using the hybrid encryption CLI tool built with Bazel. Requires a public keyset and an input file. ```shell $ echo "some data" > testdata.txt $ ./bazel-bin/hybrid/hybrid_cli --mode encrypt \ --keyset_path ./hybrid/hybrid_test_public_keyset.json \ --input_path testdata.txt --output_path testdata.txt.encrypted ``` -------------------------------- ### Encrypt Data with Envelope CLI (Pip) Source: https://github.com/tink-crypto/tink/blob/master/python/examples/envelope_aead/README.md Encrypt a file using the envelope_cli installed via Pip. Requires specifying the encryption mode, GCP credentials path, KMS key URI, input file, and output file. ```shell $ echo "some data" > testdata.txt $ python3 envelope_cli.py --mode encrypt \ --gcp_credential_path my-service-account.json \ --kek_uri gcp-kms:// \ --input_path testdata.txt --output_path testdata.txt.encrypted ``` -------------------------------- ### Build Tink Python Release Source: https://github.com/tink-crypto/tink/blob/master/python/tools/distribution/README.md Run this script from the python/ folder to create binary and source wheels for the Tink Python package. Requires Docker. ```bash ./tools/distribution/create_release.sh ``` -------------------------------- ### Encrypt and Load Tink Keyset with AEAD in Go Source: https://github.com/tink-crypto/tink/blob/master/docs/GOLANG-HOWTO.md Use this snippet to generate a new keyset, encrypt it using an AEAD primitive (like GCP KMS), and then decrypt and load it. This is crucial for securely persisting keys. ```go package main import ( "bytes" "fmt" "log" "github.com/google/tink/go/aead" "github.com/google/tink/go/core/registry" "github.com/google/tink/go/integration/gcpkms" "github.com/google/tink/go/keyset" ) const ( // Change this. AWS KMS, Google Cloud KMS and HashiCorp Vault are supported out of the box. keyURI = "gcp-kms://projects/tink-examples/locations/global/keyRings/foo/cryptoKeys/bar" credentialsPath = "credentials.json" ) func main() { // Generate a new keyset handle. handle1, err := keyset.NewHandle(aead.AES128GCMKeyTemplate()) if err != nil { log.Fatal(err) } // Get the key encryption AEAD from a KMS. gcpClient, err := gcpkms.NewClientWithCredentials(keyURI, credentialsPath) if err != nil { log.Fatal(err) } registry.RegisterKMSClient(gcpClient) keyEncryptionAEAD, err := gcpClient.GetAEAD(keyURI) if err != nil { log.Fatal(err) } // Serialize and encrypt the keyset handle using the key encryption AEAD. // We strongly recommend that you encrypt the keyset handle before persisting // it. buf := new(bytes.Buffer) writer := keyset.NewBinaryWriter(buf) err = handle1.Write(writer, keyEncryptionAEAD) if err != nil { log.Fatal(err) } encryptedHandle := buf.Bytes() // Decrypt and parse the encrypted keyset using the key encryption AEAD. reader := keyset.NewBinaryReader(bytes.NewReader(encryptedHandle)) handle2, err := keyset.Read(reader, keyEncryptionAEAD) if err != nil { log.Fatal(err) } } ``` -------------------------------- ### Load Cleartext Binary Keyset in C++ Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Load a cleartext binary keyset using BinaryKeysetReader and CleartextKeysetHandle::Read. This method is suitable for unencrypted keysets and requires proper error handling. ```cpp #include "tink/binary_keyset_reader.h" #include "tink/cleartext_keyset_handle.h" // ... std::string binary_keyset = ...; auto reader_result = BinaryKeysetReader::New(binary_keyset); if (!reader_result.ok()) return reader_result.status(); auto reader = std::move(reader_result.ValueOrDie()); auto handle_result = CleartextKeysetHandle::Read(std::move(reader)); if (!handle_result.ok()) return handle_result.status(); auto keyset_handle = std::move(handle_result.ValueOrDie()); ``` -------------------------------- ### CMakeLists.txt Configuration for Hybrid CLI Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/hybrid_encryption/CMakeLists.txt This snippet shows the CMake configuration for building the hybrid_cli executable and setting up its dependencies and test environment. It includes linking against Tink libraries and defining test cases. ```cmake add_executable(hybrid_cli hybrid_cli.cc) target_include_directories(hybrid_cli PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}" "${TINK_EXAMPLES_INCLUDE_PATH}") target_link_libraries(hybrid_cli tink::static absl::check absl::flags_parse util) # Tink CMake's configuration doesn't expose tink::core::hpke_config. Remove # HPKE from this example when building with CMake. target_compile_definitions(hybrid_cli PRIVATE TINK_EXAMPLES_EXCLUDE_HPKE) add_test( NAME hybrid_cli_test COMMAND "${BASH_PROGRAM}" "${CMAKE_CURRENT_SOURCE_DIR}/hybrid_cli_test.sh" "${CMAKE_CURRENT_BINARY_DIR}/hybrid_cli" "${CMAKE_CURRENT_SOURCE_DIR}/testdata/hybrid_test_private_keyset.json" "${CMAKE_CURRENT_SOURCE_DIR}/testdata/hybrid_test_public_keyset.json") ``` -------------------------------- ### Build Digital Signatures Executable Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/digital_signatures/CMakeLists.txt Defines the executable for the digital signatures CLI, sets include directories, and links necessary libraries. ```cmake add_executable(digital_signatures_cli digital_signatures_cli.cc) target_include_directories(digital_signatures_cli PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}" "${TINK_EXAMPLES_INCLUDE_PATH}") target_link_libraries(digital_signatures_cli tink::static absl::check absl::flags_parse util) ``` -------------------------------- ### Run Tink Tests with Bazel Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Execute all tests for the Tink Python implementation using Bazel. Ensure you are in the python directory before running. ```shell cd python bazel test ... ``` -------------------------------- ### Register Standard AEAD Primitive Implementations Source: https://github.com/tink-crypto/tink/blob/master/docs/CPP-HOWTO.md Initialize Tink by registering only the standard implementations for the AEAD primitive. This is useful when you only need AEAD functionality. Check the status for success or failure. ```cpp #include "tink/aead/aead_config.h" // ... auto status = AeadConfig::Register(); if (!status.ok()) /* ... handle failure */; // ... ``` -------------------------------- ### Upload Release to PyPI Source: https://github.com/tink-crypto/tink/blob/master/python/tools/distribution/README.md Upload the final release packages to the main PyPI repository. Requires twine. ```python python3 -m twine upload release/* ``` -------------------------------- ### Build Tink with Bazel Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Build the Tink Python implementation using Bazel. This command compiles the C++ implementation and its Python wrapper. ```shell cd python bazel build ... ``` -------------------------------- ### Build Tink iOS Framework with Bazel Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Build the Tink static iOS framework using Bazel, specifying Xcode and SDK versions. Adjust XCODE_VERSION and IOS_SDK to match your environment. ```sh cd tink export XCODE_VERSION=9.2 export IOS_SDK=11.2 bazel build -c opt --ios_multi_cpus=i386,x86_64,armv7,arm64 --xcode_version="${XCODE_VERSION}" --ios_sdk_version="${IOS_SDK}" //objc:Tink_framework ``` -------------------------------- ### Verify Signature with Signature CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/signature/README.md Use the signature CLI tool to verify a signature against data using a public keyset. This confirms the integrity and authenticity of the data. ```shell $ ./bazel-bin/signature/signature_cli --mode verify --keyset_path ./signature/signature_test_public_keyset.json --data_path data.txt --signature_path signature_file.txt ``` -------------------------------- ### Upload Release to TestPyPI Source: https://github.com/tink-crypto/tink/blob/master/python/tools/distribution/README.md Upload the generated release packages to the TestPyPI repository for initial testing. Requires twine. ```python python3 -m twine upload --repository testpypi release/* ``` -------------------------------- ### Load Cleartext Keyset from Binary Data Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Loads a Tink keyset from raw binary data using a TINKBinaryKeysetReader. This method is intended for cleartext keysets and requires appropriate reader initialization. ```objc #import "Tink/TINKBinaryKeysetReader.h" #import "Tink/TINKKeysetHandle+Cleartext.h" NSError *error = nil; NSData *binaryKeyset = ...; TINKBinaryKeysetReader *reader = [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:binaryKeyset error:&error]; if (!reader || error) { // handle error. } TINKKeysetHandle *handle = [[TINKKeysetHandle alloc] initCleartextKeysetHandleWithKeysetReader:reader error:&error]; if (!handle || error) { // handle error. } ``` -------------------------------- ### Load Cleartext JSON Keyset Source: https://github.com/tink-crypto/tink/blob/master/docs/PYTHON-HOWTO.md Use `cleartext_keyset_handle.read` with a `JsonKeysetReader` to load a cleartext keyset. ```python import tink from tink import cleartext_keyset_handle json_keyset = ... reader = tink.JsonKeysetReader(json_keyset) keyset_handle = cleartext_keyset_handle.read(reader) ``` -------------------------------- ### Build Tink with CMake for Development Source: https://github.com/tink-crypto/tink/blob/master/docs/CMAKE-HOWTO.md Build Tink as a regular CMake project, enabling tests and the shared library. This ensures the full CMake configuration is evaluated for development purposes. ```bash mkdir tink-build && cd tink-build cmake ../tink -DTINK_BUILD_TESTS=ON -DCMAKE_GENERATOR=Ninja ninja CTEST_OUTPUT_ON_FAILURE=1 ninja test ninja package ``` -------------------------------- ### Unzip Tink Framework Source: https://github.com/tink-crypto/tink/blob/master/docs/OBJC-HOWTO.md Extract the Tink static framework from the zip archive into your Xcode project folder. ```sh unzip bazel-bin/objc/Tink_framework.zip -d /path/to/your/project/folder/ ``` -------------------------------- ### Encrypt File with Cleartext Keyset Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/cleartextkeyset/README.md Encrypts a file using a generated cleartext keyset. The output is a new encrypted file. ```shell echo "some data" > testdata.txt ./bazel-bin/cleartextkeyset/cleartext_keyset_example encrypt \ aes128_gcm_test_keyset.json \ testdata.txt testdata.txt.encrypted ``` -------------------------------- ### Configure Digital Signatures Test Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/digital_signatures/CMakeLists.txt Adds a test case for the digital signatures CLI, specifying the executable, private key, and public key set paths. ```cmake add_test( NAME digital_signatures_cli_test COMMAND "${BASH_PROGRAM}" "${CMAKE_CURRENT_SOURCE_DIR}/digital_signatures_cli_test.sh" "${CMAKE_CURRENT_BINARY_DIR}/digital_signatures_cli" "${CMAKE_CURRENT_SOURCE_DIR}/digital_signature_private_keyset.json" "${CMAKE_CURRENT_SOURCE_DIR}/digital_signature_public_keyset.json") ``` -------------------------------- ### Encrypt File with Deterministic AEAD CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/deterministic_aead/README.md Encrypt a file using the Deterministic AEAD CLI tool. This command requires the path to the keyset file and the input/output file paths. ```shell $ echo "some data" > testdata.txt $ ./bazel-bin/deterministic_aead/deterministic_aead_cli --mode encrypt --keyset_path deterministic_aead/deterministic_aead_test_keyset.json --input_path testdata.txt --output_path testdata.txt.encrypted ``` -------------------------------- ### Build JWT Signing Executable Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/jwt/CMakeLists.txt Configures the build for the jwt_sign executable, linking necessary Tink and utility libraries. ```cmake add_executable(jwt_sign jwt_sign.cc) target_include_directories(jwt_sign PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}" "${TINK_EXAMPLES_INCLUDE_PATH}") target_link_libraries(jwt_sign tink::static tink::jwt::jwt_signature_config absl::check absl::flags_parse util) ``` -------------------------------- ### Generate Keyset with Tinkey Source: https://github.com/tink-crypto/tink/blob/master/java_src/examples/signature/README.md Use the tinkey command-line tool to create private and public keysets for digital signatures using the ECDSA_P256 template. ```shell tinkey create-keyset --key-template ECDSA_P256 --out-format JSON \ --out signature_test_private_keyset.json tinkey create-public-keyset --in signature_test_private_keyset.json \ --in-format JSON --out-format JSON --out signature_test_public_keyset.json ``` -------------------------------- ### Encrypt Data with Envelope CLI (Bazel) Source: https://github.com/tink-crypto/tink/blob/master/python/examples/envelope_aead/README.md Encrypt a file using the envelope_cli built with Bazel. Requires specifying the encryption mode, GCP credentials path, KMS key URI, input file, and output file. ```shell $ echo "some data" > testdata.txt # Replace `` in `gcp-kms://` with your key URI, and # my-service-account.json with your service account's credential JSON file. $ ./bazel-bin/envelope/envelope_cli --mode encrypt \ --gcp_credential_path my-service-account.json \ --kek_uri gcp-kms:// \ --input_path testdata.txt --output_path testdata.txt.encrypted ``` -------------------------------- ### Configure AEAD CLI Test Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/aead/CMakeLists.txt Sets up a test for the AEAD CLI executable, specifying the test script and necessary arguments. ```cmake add_test( NAME aead_cli_test COMMAND "${BASH_PROGRAM}" "${CMAKE_CURRENT_SOURCE_DIR}/aead_cli_test.sh" "${CMAKE_CURRENT_BINARY_DIR}/aead_cli" "${CMAKE_CURRENT_SOURCE_DIR}/aead_test_keyset.json") ``` -------------------------------- ### Importing Tink Dependency Source: https://github.com/tink-crypto/tink/blob/master/cc/examples/CMakeLists.txt Imports the Tink library as an in-tree dependency and sets up include paths. ```cmake # Import Tink as an in-tree dependency. set(TINK_BUILD_TESTS OFF) add_subdirectory(../.. tink) # Include path at the base of the examples folder. set(TINK_EXAMPLES_INCLUDE_PATH "${CMAKE_SOURCE_DIR}") ``` -------------------------------- ### Compute MAC using Tink CLI Source: https://github.com/tink-crypto/tink/blob/master/python/examples/mac/README.md Computes the MAC for a given data file using the Tink CLI. This command requires a keyset file and specifies the input data and output MAC file paths. ```shell $ echo "some data" > data.txt $ touch mac_file.txt $ ./bazel-bin/mac/mac_cli --mode compute \ --keyset_path ./mac/mac_test_keyset.json \ --data_path data.txt --mac_path mac_file.txt ```