feat(java): extend Google Tink detection with Mac, Hybrid and Signature primitives #407

Open
Chennamma-Hotkar wants to merge 4 commits into cbomkit:main from Chennamma-Hotkar:feature/java-tink-mac-hybrid-signature

Chennamma-Hotkar commented May 9, 2026

Summary

Follow-up to #406 (Tink AEAD detection rules). Extends Google Tink
coverage to three additional cryptographic primitives: MAC, hybrid
encryption, and digital signatures — each with key generation detection
and depending rules for the full operation surface.

Architecture

Each primitive follows the same pattern:

  1. KeysetHandle.generateNew(template) is the primary detection point
  2. Primitive operations (computeMac, sign, encrypt) are attached
    as depending rules — fired when called on the tracked variable
  3. Each primitive maps to its correct context:
    • AEAD/Hybrid → CipherContext
    • Mac → MacContext
    • Signature → SignatureContext

Detection Coverage

| Primitive | Context | Templates |
| --- | --- | --- |
| AEAD | CipherContext | AES128_GCM, AES256_GCM, AES128_CTR_HMAC_SHA256, AES256_CTR_HMAC_SHA256 |
| Mac | MacContext | HMAC_SHA256_128BITTAG, HMAC_SHA256_256BITTAG, HMAC_SHA512_256BITTAG, HMAC_SHA512_512BITTAG, AES_CMAC |
| Signature | SignatureContext | ECDSA_P256, ECDSA_P384, ECDSA_P521, ED25519, RSA_SSA_PKCS1_3072_SHA256_F4 |
| Hybrid | CipherContext | ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM, ECIES_P256_HKDF_HMAC_SHA256_AES128_CTR_HMAC_SHA256 |

Changes

  • TinkMac.java: HMAC/CMAC key generation + computeMac/verifyMac depending rules
  • TinkSignature.java: ECDSA/ED25519/RSA key generation + sign/verify depending rules
  • TinkHybrid.java: ECIES key generation + encrypt/decrypt depending rules
  • TinkDetectionRules.java: registers all new rule classes
  • 6 new test files (3 rule files + 3 test files)

Testing

  • 160 tests pass, 0 failures
  • 8 skipped tests are pre-existing (present before this PR)
  • mvn spotless:check passes
  • mvn -B clean package -pl java passes

Follow-up

  • DeterministicAead operations
  • ChaCha20Poly1305, AES_SIV, AES_EAX key templates
  • KeysetHandle.newBuilder() pattern detection

Note: This PR branches from a local main that includes #406 (Tink AEAD).
Once #406 merges upstream, this PR will show only the Mac/Hybrid/Signature
changes. The relevant commit is 9d63d21.

Signed-off-by: Chennamma <channuhotkar@gmail.com>
Signed-off-by: Chennamma <channuhotkar@gmail.com>
… operations

Signed-off-by: Chennamma <channuhotkar@gmail.com>
Signed-off-by: Chennamma <channuhotkar@gmail.com>
Chennamma-Hotkar requested a review from a team as a code owner May 9, 2026 04:36
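
Added example, not code from this PR or from the cbomkit project: a small Java program using Tink's public API that contains, for each of the three primitives in the description, a `KeysetHandle.generateNew(template)` call followed by the operations listed as depending rules. The class name, the `KeyTemplates.get(name)` lookup form and the `getPrimitive(Class)` overload are assumptions; the PR text does not say which call forms the rules match.

```java
import com.google.crypto.tink.HybridDecrypt;
import com.google.crypto.tink.HybridEncrypt;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.Mac;
import com.google.crypto.tink.PublicKeySign;
import com.google.crypto.tink.PublicKeyVerify;
import com.google.crypto.tink.hybrid.HybridConfig;
import com.google.crypto.tink.mac.MacConfig;
import com.google.crypto.tink.signature.SignatureConfig;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical sample class (name not taken from the PR).
public class TinkPrimitivesSample {
    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] contextInfo = "constructed context".getBytes(StandardCharsets.UTF_8);

        // MAC: key generation, then computeMac/verifyMac (MacContext in the table).
        MacConfig.register();
        KeysetHandle macKeys = KeysetHandle.generateNew(KeyTemplates.get("HMAC_SHA256_128BITTAG"));
        Mac mac = macKeys.getPrimitive(Mac.class);
        byte[] tag = mac.computeMac(data);
        mac.verifyMac(tag, data); // throws GeneralSecurityException on mismatch

        // Signature: key generation, then sign/verify (SignatureContext).
        SignatureConfig.register();
        KeysetHandle sigKeys = KeysetHandle.generateNew(KeyTemplates.get("ECDSA_P256"));
        PublicKeySign signer = sigKeys.getPrimitive(PublicKeySign.class);
        byte[] signature = signer.sign(data);
        PublicKeyVerify verifier =
                sigKeys.getPublicKeysetHandle().getPrimitive(PublicKeyVerify.class);
        verifier.verify(signature, data); // throws GeneralSecurityException if invalid

        // Hybrid: key generation, then encrypt/decrypt (CipherContext).
        HybridConfig.register();
        KeysetHandle hybridKeys = KeysetHandle.generateNew(
                KeyTemplates.get("ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM"));
        HybridEncrypt encrypter =
                hybridKeys.getPublicKeysetHandle().getPrimitive(HybridEncrypt.class);
        HybridDecrypt decrypter = hybridKeys.getPrimitive(HybridDecrypt.class);
        byte[] ciphertext = encrypter.encrypt(data, contextInfo);
        byte[] plaintext = decrypter.decrypt(ciphertext, contextInfo);
        if (!Arrays.equals(plaintext, data)) {
            throw new IllegalStateException("hybrid round trip failed");
        }
    }
}
```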