Skip to content

project-oak/tink-rust

Repository files navigation

Tink in Rust

Docs MSRV CI Status Interop Status codecov

This repository holds a Rust port of Google's Tink cryptography library.

The following warnings apply to use of this repo:

  • This is not an official port of Tink, and is not supported by Google's cryptography teams.
  • The repo is under construction and so details of the API and the code may change without warning.

Also, this repository does not implement cryptographic functionality itself; the underlying cryptographic operations are currently provided by the RustCrypto crates – this repo focuses on making those cryptographic operations available via the Tink API.

This means that all of the security warnings for the underlying RustCrypto crates apply to this repo too.

Disclaimer

This is not an officially supported Google product.

Usage Overview

An introduction to working with the Tink API is provided here.

Crate Structure

The tink-core crate holds common functionality and includes the trait definitions for all primitives, but includes very little cryptographic functionality.

Individual cryptographic primitives are implemented in tink-<primitive> crates, which depend on:

  • the tink-core crate for common types and helpers
  • the tink-proto crate for protobuf-derived structs
  • the RustCrypto crates to provide underlying cryptographic implementations.

For example, the tink-aead crate provides code that performs authenticated encryption with additional data (AEAD), implementing the Aead trait from tink-core.

All of the tests for the Tink crates are integration tests (i.e. only use public APIs) and reside in a separate tink-tests crate.

Crate Features

The following crate features are available.

  • The tink-proto crate has a json feature that enables methods for serializing keysets to/from JSON. This additional functionality requires serde and serde_json as dependencies.
  • The tink-core crate also has a json feature that enables methods for serializing keysets to/from JSON, using tink-proto/json as above.
  • The tink-core crate also has an insecure feature, which enables methods that expose unencrypted key material. This feature should only be enabled for testing and development.

Port Design

A separate document describes the design choices involved in the Rust port.