fix(deps): update dependency com.google.crypto.tink:tink-android to v1.13.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.google.crypto.tink:tink-android	1.12.0 -> 1.13.0

---

Release Notes

tink-crypto/tink-java (com.google.crypto.tink:tink-android)

v1.13.0: Tink Java 1.13.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.13.0

To get started using Tink, see the setup guide.

What's new?

Bugs fixed:

• JwkSetConverter now encodes RSA public keys without leading zero, as
  required by RFC 7518.

Performance improvements:

• Encrypted keysets produced with BinaryKeysetWriter or TinkProtoKeysetFormat
  are now smaller, because the unused keyset info metadata is not written
  anymore. JsonKeysetWriter and TinkJsonProtoKeysetFormat still output this
  metadata.
• Tink now uses the JCE implementation of ChaCha20Poly1305 if available. This
  makes encryption with ChaCha20Poly1305 and XChaCha20Poly1305 about 2-3 times
  faster.
• AES-GCM is now about 20% faster.

API changes:

• For Android: Support for SDK 19 has been removed.
• Removed PrimitiveSet and Registry.registerPrimitiveWrapper from the
  public API. While these were in the public API, they have changed semantics
  in the past and will change more in the future. Code using either
  PrimitiveSet or Registry.registerPrimitiveWrapper will not work after
  upcoming changes. Instead of breaking users silently, we prefer to break
  during compilation. If affected, please file an issue on
  github.com/tink-crypto/tink-java/.
• For keyset that contain JWT keys, JwtSignatureConfig.register() or
  JwtMacConfig.register() now need to be called before the keyset is parsed.
  If not, calling keysetHandle.getPrimitive(...) will fail with an error
  message: "Unable to get primitive interface
  com.google.crypto.tink.jwt.JwtPublicKeySign for key of type ..." or "Unable
  to get primitive interface com.google.crypto.tink.jwt.JwtPublicKeyVerify for
  key of type ...".
• Removed the constructors of HmacKeyManager and HmacPrfKeyManager from the
  public API. These were never intended to be public, and we expect that
  nobody used either of them.
• Removed the constructors of
  com.google.crypto.tink.subtle.EciesAeadHkdfHybridDecrypt and
  com.google.crypto.tink.subtle.EciesAeadHkdfHybridEncrypt from the public
  API. These took as argument a EciesAeadHkdfDemHelper object whose only
  implementation was private to Tink. We are hence confident that this is
  unused.
• Removed test-only AndroidKeystoreKmsClient.setKeyStore. This function didn't
  work as expected, as in some places, still the real KeyStore was used. If you
  need to test your code with a fake KeyStore instance, it is preferable to
  inject fake security provider using Security.addProvider, see
  FakeAndroidKeystoreProvider.java as an example for such a provider.
• Added methods in the class LegacyKeysetSerialization. Users do not need to
  consider this. This will be used later for automatic migrations.
• Introduced ConfigurationFips140v2. Users who do not want to restrict the
  whole binary to FIPS-only but still want to use FIPS-compliant primitives at
  specific call sites can use
  keysetHandle.GetPrimitive(ConfigurationFips140v2.get(), ExamplePrimitive.class).
• Introduced ConfigurationV0 containing Tink's recommended primitives.
  Usage: keysetHandle.GetPrimitive(ConfigurationV0.get(), ExamplePrimitive.class).

Dependencies changes:

• Upgraded:
  • com.google.protobuf:protobuf => 3.25.1.

Future work

To see what we're working towards, check our project roadmap.

Getting started

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.13.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.13.0'
}

Bazel:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

RULES_JVM_EXTERNAL_TAG = "5.3"
RULES_JVM_EXTERNAL_SHA ="d31e369b854322ca5098ea12c69d7175ded971435e55c18dd9dd5f29cc5249ac"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/releases/download/%s/rules_jvm_external-%s.tar.gz" % (RULES_JVM_EXTERNAL_TAG, RULES_JVM_EXTERNAL_TAG)
)

load("@​rules_jvm_external//:repositories.bzl", "rules_jvm_external_deps")

rules_jvm_external_deps()

load("@​rules_jvm_external//:setup.bzl", "rules_jvm_external_setup")

rules_jvm_external_setup()

maven_install(
    artifacts = [
        "com.google.crypto.tink:tink:1.13.0",

### ... other dependencies ...
    ],
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

Alternatively, one can build Tink from source, and include it with http_archive:

http_archive(
    name = "com_github_tink_crypto_tink_java",
    urls = ["https://github.com/tink-crypto/tink-java/archive/refs/tags/v1.13.0.zip"],
    strip_prefix = "tink-java-1.13.0",
    sha256 = ...
)

load("@​tink_java//:tink_java_deps.bzl", "TINK_MAVEN_ARTIFACTS", "tink_java_deps")

tink_java_deps()

load("@​tink_java//:tink_java_deps_init.bzl", "tink_java_deps_init")

tink_java_deps_init()

### ...

maven_install(
    artifacts = TINK_MAVEN_ARTIFACTS + # ... other dependencies ...
    repositories = [
        "https://repo1.maven.org/maven2",
    ],
)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.04%. Comparing base (b69dd06) to head (836835c).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop     #845   +/-   ##
========================================
  Coverage    97.04%   97.04%           
========================================
  Files           64       64           
  Lines          610      610           
  Branches        49       49           
========================================
  Hits           592      592           
  Misses          14       14           
  Partials         4        4           

Flag	Coverage Δ
unittests	97.04% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.