Expand description
Raw FFI bindings to Google Tink via a C shim, built against tink-cc v2.5.0.
This crate provides low-level extern "C" functions that map directly to the
C shim built on top of tink-cc. Most users should prefer the safe
tink_ffi crate, which wraps these bindings in idiomatic Rust with
automatic memory management.
§Conventions
- All functions return
c_intwhere0means success and non-zero means error. - On error, a thread-local message is set and can be retrieved with
tink_error_message. - Pointers returned by these functions are allocated on the C++ side. The caller
must free them with
tink_free_bytes(for*mut u8+ length) ortink_free_string(for*mut c_char). - Opaque handle types (e.g.
TinkAead) must be freed with their corresponding_freefunction.
§Build
This crate builds tink-cc from source via CMake. You need CMake 3.13+ and a C++17 compiler.
Structs§
- Tink
Aead - Opaque handle to a Tink AEAD primitive. See
Aeadintink-ffifor the safe wrapper. - Tink
Decrypting Stream - Opaque handle to an in-progress decrypting stream.
- Tink
Deterministic Aead - Opaque handle to a Tink deterministic AEAD primitive. See
DeterministicAeadintink-ffifor the safe wrapper. - Tink
Encrypting Stream - Opaque handle to an in-progress encrypting stream.
- Tink
Hybrid Decrypt - Opaque handle to a Tink hybrid decryption primitive. See
HybridDecryptintink-ffifor the safe wrapper. - Tink
Hybrid Encrypt - Opaque handle to a Tink hybrid encryption primitive. See
HybridEncryptintink-ffifor the safe wrapper. - Tink
JwtMac - Opaque handle to a Tink JWT MAC primitive. See
JwtMacintink-ffifor the safe wrapper. - Tink
JwtSigner - Opaque handle to a Tink JWT signer. See
JwtSignintink-ffifor the safe wrapper. - Tink
JwtVerifier - Opaque handle to a Tink JWT verifier. See
JwtVerifyintink-ffifor the safe wrapper. - Tink
Keyset Deriver - Opaque handle to a Tink keyset deriver. See
KeysetDeriverintink-ffifor the safe wrapper. - Tink
Keyset Handle - Opaque handle to a Tink keyset. See
KeysetHandleintink-ffifor the safe wrapper. - TinkMac
- Opaque handle to a Tink MAC primitive. See
Macintink-ffifor the safe wrapper. - Tink
PrfSet - Opaque handle to a Tink PRF set. See
PrfSetintink-ffifor the safe wrapper. - Tink
Signer - Opaque handle to a Tink public-key signer. See
Signerintink-ffifor the safe wrapper. - Tink
Streaming Aead - Opaque handle to a Tink streaming AEAD primitive. See
StreamingAeadintink-ffifor the safe wrapper. - Tink
Verifier - Opaque handle to a Tink public-key verifier. See
Verifierintink-ffifor the safe wrapper.
Functions§
- tink_
aead_ ⚠decrypt - Decrypt ciphertext with associated data. Caller must free plaintext with
tink_free_bytes. - tink_
aead_ ⚠encrypt - Encrypt plaintext with associated data. Caller must free ciphertext with
tink_free_bytes. - tink_
aead_ ⚠free - Free an AEAD handle.
- tink_
aead_ ⚠new - Create a new AEAD primitive from a keyset handle.
- tink_
decrypting_ ⚠stream_ free - Free a decrypting stream handle.
- tink_
decrypting_ ⚠stream_ read - Read decrypted plaintext from a decrypting stream into a buffer. Returns bytes read.
- tink_
deterministic_ ⚠aead_ decrypt - Decrypt deterministically-encrypted ciphertext. Caller must free plaintext with
tink_free_bytes. - tink_
deterministic_ ⚠aead_ encrypt - Deterministically encrypt plaintext with associated data. Caller must free ciphertext with
tink_free_bytes. - tink_
deterministic_ ⚠aead_ free - Free a deterministic AEAD handle.
- tink_
deterministic_ ⚠aead_ new - Create a new deterministic AEAD primitive from a keyset handle.
- tink_
encrypting_ ⚠stream_ finalize - Finalize an encrypting stream and retrieve the full ciphertext. Caller must free with
tink_free_bytes. - tink_
encrypting_ ⚠stream_ free - Free an encrypting stream handle.
- tink_
encrypting_ ⚠stream_ write - Write plaintext data to an encrypting stream. Returns bytes written.
- tink_
error_ ⚠message - Return the thread-local error message from the last failed operation, or null if none.
- tink_
free_ ⚠bytes - Free a byte buffer allocated by the C shim.
- tink_
free_ ⚠string - Free a C string allocated by the C shim.
- tink_
hybrid_ ⚠decrypt - Hybrid-decrypt ciphertext with context info. Caller must free plaintext with
tink_free_bytes. - tink_
hybrid_ ⚠decrypt_ free - Free a hybrid decrypt handle.
- tink_
hybrid_ ⚠decrypt_ new - Create a new hybrid decryption primitive from a keyset handle containing a private key.
- tink_
hybrid_ ⚠encrypt - Hybrid-encrypt plaintext with context info. Caller must free ciphertext with
tink_free_bytes. - tink_
hybrid_ ⚠encrypt_ free - Free a hybrid encrypt handle.
- tink_
hybrid_ ⚠encrypt_ new - Create a new hybrid encryption primitive from a keyset handle containing a public key.
- tink_
jwt_ ⚠mac_ compute_ and_ encode - Compute and encode a JWT MAC. Caller must free the compact token with
tink_free_string. - tink_
jwt_ ⚠mac_ free - Free a JWT MAC handle.
- tink_
jwt_ ⚠mac_ new - Create a new JWT MAC primitive from a keyset handle.
- tink_
jwt_ ⚠mac_ verify_ and_ decode - Verify and decode a compact JWT token. Caller must free the claims JSON with
tink_free_string. - tink_
jwt_ ⚠signer_ free - Free a JWT signer handle.
- tink_
jwt_ ⚠signer_ new - Create a new JWT signer from a keyset handle containing a private key.
- tink_
jwt_ ⚠signer_ sign_ and_ encode - Sign and encode a JWT. Caller must free the compact token with
tink_free_string. - tink_
jwt_ ⚠verifier_ free - Free a JWT verifier handle.
- tink_
jwt_ ⚠verifier_ new - Create a new JWT verifier from a keyset handle containing a public key.
- tink_
jwt_ ⚠verifier_ verify_ and_ decode - Verify and decode a compact JWT token. Caller must free the claims JSON with
tink_free_string. - tink_
key_ ⚠template_ serialize - Serialize a named key template to its protobuf bytes. Caller must free with
tink_free_bytes. - tink_
keyset_ ⚠deriver_ derive - Derive a new keyset handle from a salt. The caller owns the returned handle.
- tink_
keyset_ ⚠deriver_ free - Free a keyset deriver handle.
- tink_
keyset_ ⚠deriver_ new - Create a new keyset deriver from a keyset handle.
- tink_
keyset_ ⚠handle_ free - Free a keyset handle.
- tink_
keyset_ ⚠handle_ from_ binary - Deserialize a keyset handle from binary.
- tink_
keyset_ ⚠handle_ from_ json - Deserialize a keyset handle from a JSON string.
- tink_
keyset_ ⚠handle_ generate_ from_ template_ bytes - Generate a new keyset from raw serialized key-template bytes.
- tink_
keyset_ ⚠handle_ generate_ new - Generate a new keyset for the named key template.
- tink_
keyset_ ⚠handle_ info - Return keyset metadata as a JSON string. Caller must free with
tink_free_string. - tink_
keyset_ ⚠handle_ public - Extract the public key portion of an asymmetric keyset.
- tink_
keyset_ ⚠handle_ read_ encrypted - Decrypt and deserialize an encrypted keyset. The master keyset provides the AEAD key used for decryption.
- tink_
keyset_ ⚠handle_ to_ binary - Serialize a keyset handle to binary. Caller must free with
tink_free_bytes. - tink_
keyset_ ⚠handle_ to_ json - Serialize a keyset handle to JSON. Caller must free the string with
tink_free_string. - tink_
keyset_ ⚠handle_ write_ encrypted - Serialize and encrypt a keyset. Caller must free the output with
tink_free_bytes. - tink_
mac_ ⚠compute - Compute a MAC tag over data. Caller must free the tag with
tink_free_bytes. - tink_
mac_ ⚠free - Free a MAC handle.
- tink_
mac_ ⚠new - Create a new MAC primitive from a keyset handle.
- tink_
mac_ ⚠verify - Verify a MAC tag against data.
- tink_
prf_ ⚠set_ compute - Compute a specific PRF by key ID over input. Caller must free output with
tink_free_bytes. - tink_
prf_ ⚠set_ compute_ primary - Compute the primary PRF over input. Caller must free output with
tink_free_bytes. - tink_
prf_ ⚠set_ free - Free a PRF set handle.
- tink_
prf_ ⚠set_ key_ ids - Get the key IDs of all PRFs in the set. Caller must free with
tink_free_bytes. - tink_
prf_ ⚠set_ new - Create a new PRF set from a keyset handle.
- tink_
prf_ ⚠set_ primary_ id - Get the key ID of the primary PRF in the set.
- tink_
register_ ⚠all - Register all Tink primitive factories (AEAD, MAC, signatures, hybrid, JWT, PRF, etc.).
- tink_
signer_ ⚠free - Free a signer handle.
- tink_
signer_ ⚠new - Create a new public-key signer from a keyset handle containing a private key.
- tink_
signer_ ⚠sign - Sign data. Caller must free the signature with
tink_free_bytes. - tink_
streaming_ ⚠aead_ decrypt_ start - Begin a streaming decryption of the given ciphertext with associated data.
- tink_
streaming_ ⚠aead_ encrypt_ start - Begin a streaming encryption with the given associated data.
- tink_
streaming_ ⚠aead_ free - Free a streaming AEAD handle.
- tink_
streaming_ ⚠aead_ new - Create a new streaming AEAD primitive from a keyset handle.
- tink_
verifier_ ⚠free - Free a verifier handle.
- tink_
verifier_ ⚠new - Create a new public-key verifier from a keyset handle containing a public key.
- tink_
verifier_ ⚠verify - Verify a signature over data.