tink-crypto / tink Goto Github PK

Details outlined at https://research.swtch.com/vgo-intro and https://research.swtch.com/vgo-tour

Samples: https://github.com/rsc/quote

The go.mod will make your package vgo'able.

thanks

Currently JUL is beeing used for logging throughout the project. I assume this is by design? Would you consider Slf4j as an alternative in the future as it is more flexible?

We want to release a Go implementation in 1.2.0. Aside from missing features that we're working hard to implement, there's also a couple of things in the code base that I'm not sure what we should do. I want to use this ticket to get some help or comments from the Go community.

First thing first, does the Go API make sense?

We copied the Java API, so I'm not entirely sure that it fits Go's style and philosophy. For example, our Lint tool warns us that https://github.com/google/tink/blob/master/go/aead/aead_config.go#L39 and several other places return unexported type *aead.config, which can be annoying to use. Is this problem important and we should fix it?

Secondly, I don't know any good way to implement classes consisting of pure static methods like CleartextKeysetHandle. To call a function in this class Go users have to initialize an object, while in Java users can just call the function directly (e.g., CleartextKeysetHandle().blah() versus CleartextKeysetHandle.blah()).

Aside from these immediate issues, we'd love to hear any feedback from the Go community on the API, the structure of the code base, coding style, features, etc.

Thanks!

@gdbelvin @dgryski

Issue by jclinton
Thursday Aug 14, 2014 at 21:29 GMT
Originally opened as https://github.com/jclinton/K2/issues/9

Per Daniel:

"Default values should be avoided. They are always subject to interpretation and frequently a cause for incompatibility."

We have an application that was working properly against tink 1.0. We're trying to migrate to the snapshots of 1.1 (for streaming aead) in anticipation of the 1.1 release and we're running into trouble with our old code.

When I kick off tests they now fail with:

crypto.SignedPrincipalTests > crossedValidityTimesInvalidatePrincipal FAILED java.lang.NoClassDefFoundError: com/google/crypto/tink/subtle/Ed25519Constants at com.google.crypto.tink.subtle.Ed25519.select(Ed25519.java:545) at com.google.crypto.tink.subtle.Ed25519.scalarMultWithBase(Ed25519.java:601) at com.google.crypto.tink.subtle.Ed25519.scalarMultWithBaseToBytes(Ed25519.java:638) at com.google.crypto.tink.subtle.Ed25519Sign$KeyPair.newKeyPair(Ed25519Sign.java:88) at com.google.crypto.tink.signature.Ed25519PrivateKeyManager.newKey(Ed25519PrivateKeyManager.java:187) at com.google.crypto.tink.signature.Ed25519PrivateKeyManager.newKeyData(Ed25519PrivateKeyManager.java:78) at com.google.crypto.tink.Registry.newKeyData(Registry.java:243) at com.google.crypto.tink.KeysetManager.newKey(KeysetManager.java:215) at com.google.crypto.tink.KeysetManager.rotate(KeysetManager.java:66) at com.google.crypto.tink.KeysetHandle.generateNew(KeysetHandle.java:73)

I've truncated the stacktrace where it enters my code. The line of code that triggers this is simply:

KeysetHandle.generateNew(SignatureKeyTemplates.ED25519);

While poking around trying to understand this more it appears that the Ed25519Constants.class is simply missing from the build?

$ unzip -ll tink-HEAD-SNAPSHOT.jar | grep Ed255 | awk '{print $8}' com/google/crypto/tink/subtle/Ed25519Verify.class com/google/crypto/tink/subtle/Ed25519Sign.class com/google/crypto/tink/subtle/Ed25519Sign$KeyPair.class com/google/crypto/tink/subtle/Ed25519.class com/google/crypto/tink/subtle/Ed25519$XYZT.class com/google/crypto/tink/subtle/Ed25519$XYZ.class com/google/crypto/tink/subtle/Ed25519$PartialXYZT.class com/google/crypto/tink/subtle/Ed25519$CachedXYZT.class com/google/crypto/tink/subtle/Ed25519$CachedXYT.class com/google/crypto/tink/signature/Ed25519PublicKeyManager.class com/google/crypto/tink/signature/Ed25519PrivateKeyManager.class com/google/crypto/tink/proto/Ed25519PublicKeyOrBuilder.class com/google/crypto/tink/proto/Ed25519PublicKey.class com/google/crypto/tink/proto/Ed25519PublicKey$Builder.class com/google/crypto/tink/proto/Ed25519PublicKey$1.class com/google/crypto/tink/proto/Ed25519PrivateKeyOrBuilder.class com/google/crypto/tink/proto/Ed25519PrivateKey.class com/google/crypto/tink/proto/Ed25519PrivateKey$Builder.class com/google/crypto/tink/proto/Ed25519PrivateKey$1.class com/google/crypto/tink/proto/Ed25519.class com/google/crypto/tink/proto/Ed25519$1.class

This issue is present in the build on March 5th and also the build on Friday, March 9th (the most current as of this moment).

Can be implemented as a wrapper for openssl and soduim or by porting ring, which is based on boringssl.

Issue by jclinton
Thursday Aug 14, 2014 at 21:09 GMT
Originally opened as https://github.com/jclinton/K2/issues/1

Per Daniel:

"Generics are missing. Learning the purpose of a key, primitive, etc. helps a lot to make the code readable and allows to define contracts on the respective interfaces. It can also help to catch misconfigurations earlier."

We have had some internal discussions about this and we all agree that using generics to make code more auditable is desirable.

Currently, it appears that this commit wanted to change the location of proto go files, and therefore changed all the packages.

However, the package file locations themselves were not changed, which breaks both go get as well as the files themselves.

b22b69140fcbd623a84384680f8aa1085dceb9e2

It would be nice if there was a similar module to the Java Google Pay module. However, since Go Tink is still in active development, this is just a feature request.

I'm working on a steganography tool, and am using Tink to encrypt data. I've been scouring the Java-HOWTO and did a couple Google searches, but I have not found any way to generate keys from a source other than the templates.

I don't know much about cryptography in general, so pardon my ignorance, but from my perspective the only way to use Tink would be to embed the key in the image, which defeats the purpose of having a key in the first place, since it can be recovered with ease, as it would have to be stored without any protection.

Is there any way I could generate a key based on user input, so that the key would not have to be stored alongside the encrypted data, but would not be easily recoverable? I know in essence this is akin to having two passwords, one for generating the key and one for decrypting the data, but leaving the key unprotected and easily recoverable seems to me like a bad idea.

Thank you.

Issue by jclinton
Thursday Aug 14, 2014 at 21:20 GMT
Originally opened as https://github.com/jclinton/K2/issues/3

Per Daniel:

"RSAKeys also AESKey is a class that makes no sense at all. Depending on the encryption mode a key needs additional parameters (tag size, feedback size, iv size, ...). The requirement for the key material depends on the encryption mode, e.g. XTS needs twice the key size. The security properties are different (some encryption modes include an integrity check (e.g. CCM, EAX), others don't."

The documentation at https://github.com/google/tink/blob/master/doc/TINKEY.md points to https://github.com/google/tink/tree/master/examples/keytemplates which does not exist at the moment.

Did you forget to publish those? Or are they still WIP?

I submitted this issue earlier today and I guess after editing it several times to fix formatting so that it was easier for you to read someone decided to flag my account and delete the issue? I'm not a bot. This is a real bug with the build. And hopefully my formatting is correct the first try.

We have an application that was working properly against tink 1.0. We're trying to migrate to the snapshots of 1.1 (for streaming aead) in anticipation of the 1.1 release and we're running into trouble with our old code.

When I kick off tests they now fail with:

crypto.SignedPrincipalTests > crossedValidityTimesInvalidatePrincipal FAILED java.lang.NoClassDefFoundError: com/google/crypto/tink/subtle/Ed25519Constants at com.google.crypto.tink.subtle.Ed25519.select(Ed25519.java:545) at com.google.crypto.tink.subtle.Ed25519.scalarMultWithBase(Ed25519.java:601) at com.google.crypto.tink.subtle.Ed25519.scalarMultWithBaseToBytes(Ed25519.java:638) at com.google.crypto.tink.subtle.Ed25519Sign$KeyPair.newKeyPair(Ed25519Sign.java:88) at com.google.crypto.tink.signature.Ed25519PrivateKeyManager.newKey(Ed25519PrivateKeyManager.java:187) at com.google.crypto.tink.signature.Ed25519PrivateKeyManager.newKeyData(Ed25519PrivateKeyManager.java:78) at com.google.crypto.tink.Registry.newKeyData(Registry.java:243) at com.google.crypto.tink.KeysetManager.newKey(KeysetManager.java:215) at com.google.crypto.tink.KeysetManager.rotate(KeysetManager.java:66) at com.google.crypto.tink.KeysetHandle.generateNew(KeysetHandle.java:73)

I've truncated the stacktrace where it enters my code. The line of code that triggers this is simply:

KeysetHandle.generateNew(SignatureKeyTemplates.ED25519);

While poking around trying to understand this more it appears that the Ed25519Constants.class is simply missing from the build?

$ unzip -ll tink-HEAD-SNAPSHOT.jar | grep Ed255 | awk '{print $8}' com/google/crypto/tink/subtle/Ed25519Verify.class com/google/crypto/tink/subtle/Ed25519Sign.class com/google/crypto/tink/subtle/Ed25519Sign$KeyPair.class com/google/crypto/tink/subtle/Ed25519.class com/google/crypto/tink/subtle/Ed25519$XYZT.class com/google/crypto/tink/subtle/Ed25519$XYZ.class com/google/crypto/tink/subtle/Ed25519$PartialXYZT.class com/google/crypto/tink/subtle/Ed25519$CachedXYZT.class com/google/crypto/tink/subtle/Ed25519$CachedXYT.class com/google/crypto/tink/signature/Ed25519PublicKeyManager.class com/google/crypto/tink/signature/Ed25519PrivateKeyManager.class com/google/crypto/tink/proto/Ed25519PublicKeyOrBuilder.class com/google/crypto/tink/proto/Ed25519PublicKey.class com/google/crypto/tink/proto/Ed25519PublicKey$Builder.class com/google/crypto/tink/proto/Ed25519PublicKey$1.class com/google/crypto/tink/proto/Ed25519PrivateKeyOrBuilder.class com/google/crypto/tink/proto/Ed25519PrivateKey.class com/google/crypto/tink/proto/Ed25519PrivateKey$Builder.class com/google/crypto/tink/proto/Ed25519PrivateKey$1.class com/google/crypto/tink/proto/Ed25519.class com/google/crypto/tink/proto/Ed25519$1.class

This issue is present in the build on March 5th and also the build on Friday, March 9th (the most current as of this moment).

Surely this is a bad idea?

https://github.com/google/tink/blob/master/cc/core/crypto_format.cc#L47

Issue by jclinton
Thursday Aug 14, 2014 at 21:30 GMT
Originally opened as https://github.com/jclinton/K2/issues/10

Per Daniel:

"The use of URIs for key storage is not understandable. It might encourage to download keys via "http:""

Issue by jclinton
Thursday Aug 14, 2014 at 21:28 GMT
Originally opened as https://github.com/jclinton/K2/issues/8

Per Daniel:

"KeyBuilder is badly designed. First it misses the generic type. Setting parameters such as padding, key size(s) etc should not be in the base class. These are properties of each individual key type. Factories where a key is constructed with one single call and a corresponding parameter list are preferable. That way the caller knows what the choices are to specify the key. It also seems easier to implement as an immutable class."

Issue by jclinton
Thursday Aug 14, 2014 at 21:26 GMT
Originally opened as https://github.com/jclinton/K2/issues/7

Per Daniel:

"thread safety is not take seriously enough. Instead of requesting whether some class is thread safe or not we should just require that the class is thread safe by making it immutable."

Daryl noted that there are a few classes which are not immutable which can be made so.

Issue by jclinton
Thursday Aug 14, 2014 at 21:11 GMT
Originally opened as https://github.com/jclinton/K2/issues/2

Per Daniel:

"There should be no AsymmetricKey since mixing encryption and signatures is dangerous. Keys should have one purpose only and the purpose should be reflected in the class."

We had a brief discussion about this today and we seemed to agree that this needs to be addressed.

I intend to follow this up with a pull request.

Would the Tink team be interested in a PHP implementation of the same API? Obtensibly it would wrap both the openssl and sodium extensions.

Hi,

It seems that the java library implements NaCl via NaClCrypto but it is not interoperable with NaCl in Golang, mainly because the chosen output format for cipher text in this library varies.

It would be a great help if interop was considered for this library since this is one of the major issues developers face while implementing crypto across server and client, especially for Android.

Looking forward to the Golang source being updated to mirror the java source.

Thanks for the good work

Any plans to support .NET Standard 2.0? I will take this on and submit a PR for it.

Issue by jclinton
Thursday Aug 14, 2014 at 21:21 GMT
Originally opened as https://github.com/jclinton/K2/issues/4

Per Daniel:

"The UML diagram also doesn't include additional authenticated data for symmetric keys. Allowing to bind the ciphertext to a context should be standard for data at rest."

Hi there,

I have been experimenting with Tink's Ed25519 support for signing data, and ran into an issue where the 1.0.0 release of the library has a bug that prevents reuse of PublicKeySign instances (fixed back in Sept 2017 on this PR). Switching to a head snapshot fixes the problem, but I'd rather not ship code that is built against a moving target. Is there a plan for when the 1.1.0 release will be cut? Is there anything I can do to help get 1.1.0 out?

When trying to decrypt previously encrypted file getting Exception in thread "main" java.security.GeneralSecurityException: decryption failed

This works fine (kotlin code):

    Config.register(AeadConfig.TINK_1_0_0)
    val dir = System.getProperty("user.dir") + "/src/test/resources"
    val keySetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM)
    val aead = AeadFactory.getPrimitive(keySetHandle)
    var fis = FileInputStream("$dir/users.txt")
    val plainText: ByteArray = fis.readBytes()
    fis.close()
    val encrypted = aead.encrypt(plainText, "123".toByteArray())
    var fos = FileOutputStream("$dir/encr.txt")
    fos.write(encrypted)
    fos.close()
    fis = FileInputStream("$dir/encr.txt")
    val decrtptedText: ByteArray = fis.readBytes()
    fis.close()
    val decrptd = aead.decrypt(decrtptedText, "123".toByteArray())
    println(decrptd.toString(Charset.defaultCharset()))

But if I try to decrypt previously created encr.txt - getting aforementioned exception:

    Config.register(AeadConfig.TINK_1_0_0)
    val dir = System.getProperty("user.dir") + "/src/test/resources"
    val keySetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM)
    val aead = AeadFactory.getPrimitive(keySetHandle)
    fis = FileInputStream("$dir/encr.txt")
    val decrtptedText: ByteArray = fis.readBytes()
    fis.close()
    val decrptd = aead.decrypt(decrtptedText, "123".toByteArray())
    println(decrptd.toString(Charset.defaultCharset()))

Hi,

I want to know how to get and print public key with KeysetHandle for show log cat.
I tried to use keysetHandle.getPublicKeysetHandle() but log cat not show.

Thank

--
Gee

It would be nice if tink put the pb.go files in the repo. This would allow Go projects to use Tink without also requiring them to also become Basil projects.

Deterministic Encryption in the Go library would be great.

Hi.

I was playing around with the tinkey tool and it appears disable-key and enable-key operations call the same code:

https://github.com/google/tink/blob/master/tools/tinkey/src/main/java/com/google/crypto/tink/tinkey/TinkeyUtil.java#L140-L145

Thanks for open sourcing this work! :)

Use of SecureRandom in Java can be a major source of lock contention. I strongly recommend replacing your private static final SecureRandom with a private static final ThreadLocal<SecureRandom>, which will reduce this lock contention.

All,

I believe JsonKeysetReader::read() should be idempotent.

A JsonKeysetReader instantiated with by its constructor that takes a JsonObject is, but everything else is not due to the InputStream.

I just ran into this issue when i was rolling the version form 1.0.0 to latest and was curious if this is something that should get fixed or is this desired behavior?

This is the commit that caused it to stop being idempotent

Thanks.

Unfortunately I do not have the references in front of me to link (I'll try to find them), however I have absolutely seen evidence and graphs which imply that the standard constant-time byte-comparison algorithm when written in Java is not actually constant time in the JVM and may produce a usable signal.

Out of an excess of caution, I would recommend replacing Bytes.equal() with an implementation which first calculates the HMAC of each input value (under a random key) and then compares the MACs for equality. (This second test may or may not be constant time.) It is a performance trade off if you'd prefer to generate a random HMAC key once per application (as a private static final) or freshly for each comparison.

Schnorr signature is not malleable and is simpler (no inverse operations) than the widespread ECDSA. Some popular cryptocurries like Monero (and other CryptoNight clones) use Schnorr signature, and Zilliqa. Bitcoin Schnorr signature is being actively researched and a BIP is being worked on. I believe it's a good time to add Schnorr signature implementation for NIST & Ed25519 elliptic curves.

Some references:

• https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/topics-and-advance-readings/Schnorr-Signatures--An-Overview.md
• https://monero.org/monero-technological-superiority/
• https://docs.zilliqa.com/whitepaper.pdf
• https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

Thank you!

Came to check this out by reference of OWASP Top 10 proactive controls project. Trying the Java Hello World example ($mvn clean package) ...

On Mac OS X, I get

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project helloworld: Compilation failure
[ERROR] Bad service configuration file, or exception thrown while constructing Processor object: javax.annotation.processing.Processor: com.google.auto.service.processor.AutoServiceProcessor Unable to get public no-arg constructor

...

$ java -version
java version "10.0.1" 2018-04-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.1+10)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.1+10, mixed mode)

Thought it might be the Java version, but also unable to build on Debian with OpenJDK v. 1.8.0_171

[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] Bad service configuration file, or exception thrown while constructing Processor object: javax.annotation.processing.Processor: Provider com.google.auto.service.processor.AutoServiceProcessor could not be instantiated: java.lang.NoClassDefFoundError: com/google/common/collect/Multimap

It looks like the current implementation of Curve25519 in tink represents the field elements using 10 digits in base 2^25.5. This representation usually works well on 32-bit processors, since each digit can fit in a 32-bit register.

On 64-bit processors, it's possible, and usually faster, to encode field elements as 5 digits in base 2^51 (I've written about this here), fitting each digit in a single 64-bit register.

If this approach has already been considered and rejected, I apologize for the noise :)

Per Daniel:

• "Using an enum here, means that third parties have difficulties to extend this to new types."
• (related) "I'm wondering how a third party would add some non-mainstream encryption mode (e.g. AES-EAX') to the library. I.e. some mode that should not make it into the main library."

Per Daniel:
"I don't like this. Splitting key material into core and non-core adds a lot of complexity for seemingly little benefit i.e. key hashing. It also adds an eternal dependency to protocol buffers. Just using key identifiers seems preferable to me."

Issue by jclinton
Thursday Aug 14, 2014 at 21:25 GMT
Originally opened as https://github.com/jclinton/K2/issues/6

Per Daniel:

"My original design contained multiple interface level. I don't see this reflected in the design. There are always some developers that for example want to use the primitve, e.g. because they just don't want to use the underlying library (i.e. openSSL) directly, but don't want to use the formatting, key storage etc. The lack of lower level interfaces has lead to a number of confusing additions to the keymaster interface. I want to avoid this."

There may be some synergies with the Android roadmap here as well.

The NaCl variant of ChaCha20-Poly1305 that was present in v1.0.0 (marked as Alpha and since removed as far as I can tell) only included the ciphertext in the Poly1305 MAC input and not the associated data.

See https://github.com/google/tink/blob/v1.0.0/java/src/main/java/com/google/crypto/tink/subtle/DjbCipherPoly1305.java#L89

I know that code was marked as Alpha and not reachable except by directly calling com.google.crypto.tink.subtle.DjbCipherPoly1305#constructXSalsa20Poly1305Nacl but there is a small chance that somebody might be doing exactly that, so I wanted to flag it up as I couldn't see any existing issue for it.

Issue by jclinton
Thursday Aug 14, 2014 at 21:23 GMT
Originally opened as https://github.com/jclinton/K2/issues/5

Per Daniel:

"A distinction between keys (key material etc) and the cryptographic primitive implemented with a key is missing."

John's design doc addresses some of these issues but is still in the "ideas" phase.

I read a big part of the doc (and a bit of the code) and still struggle to understand if Tink can help me for what I need. I mainly would like to use tink to retrieve key from a KMS (mainly RSA ones) and then use it with an SSH library to connect to a server by SSH.

From what I understood from my readings, I assume it's not possible "get" the private key itself as Tink doesn't expose it for security reasons. Am I wrong?

I also read about the possibility to implement primitives but I still don't understand if it can fit my use case. I currently use SSHJ to connect a client application to a server but it could be any other SSH lib in the future or for some algorithms that this one doesn't support. On that connection, I need to run commands and get their output in a non-blocking way (SSHJ does it with InputStreams).

Is there a proper way to use Tink to get the private key required to connect to a specific SSH server from a KMS and use it with a non-Tink crypto-library like SSHJ and what is it then? SSHJ takes the keys as String or their location as String as input to initiate the connection. It also requires the known_hosts as a Java File. Could a primitive implementation help me to join both libraries? I feel like it's for a completely different purpose but I prefer to ask in order to be sure if Tink can help in my use case or not.

Thank you really much in advance!

The link in the Project wiki page has a link to https://github.com/google/tink/tree/master/doc but it should be https://github.com/google/tink/tree/master/docs (with an "s" at the end).

https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library.html

Any plans to support it as another KMS provider? Only asking because I'm currently evaluating frameworks that would make integration with CloudHSM v2 easier and tink seems like a decent choice to try out.

If there are no plans, I'll consider adding a PR once the work is completed, but figured I'd ask first.

Thanks!

Hi There,

I am seeing " GeneralSecurityException: Failed to fetch keys !" while decryption. I am using tink in my java code for decryption. I used maven think dependency and created war file and deployed Jboss. Please let me know will the TINK work if its integrated with code which runs in server which don't have any internet connection . Kindly help.

Thanks
Ramakanth

In AwsKmsAead.decrypt() it is important to check the returned KeyId against the one previously configured. If you don't do this, the possibility exists for the ciphertext to be replaced by one under a key you don't control/expect, but do have decrypt permissions on.

(Yes, this can be prevented by proper policies on the caller, but people sometimes get that wrong).

Note: Aliases or short key-ids (rather than ARNs) will break this logic on decrypt.

I'm curious to know if Tink is being released to any Maven repository? I've been unable to find it at the usual suspects. I realize the project is brand new but I was hoping to poke at it a bit for a project I'm working on.

https://cr.yp.to/ecdh.html#validate lists 12 "banned" public keys if you wish to do validation. Tink Java does perform this validation and rejects 7 of these. For the remaining 5 examples (e.g. "2(2^255-19)-1"), Tink does not reject them up front but performs masking (as per RFC 7748) to transform them into harmless values.

This is different from both NaCl (which does not reject any points) and libsodium (which rejects all 12). It would be nice from a compatibility and fingerprinting point of view if Tink implemented one of the two existing behaviours.

In AesGcmHkdfStreaming.java, we can verify the integrity of the segments individually but we cannot verify the integrity of the file as a whole: header || seg1 || seg2 || ... || seg_n. An integrity attack could be using a segment from another file to replace a segment of that file, assuming that the attacker can obtain 2 files encrypted by the same key.
I would suggest having a mode where we can check this as well, for example, a file can look like header || seg1 || seg2 || ... || seg_n || footer. Where footer is the collection of all the GCM integrity tags of the segments, and also being authenticated, so footer might look like: IV_f || tag1 || tag2 || ... || tag_n || tag_footer.
Now, if one wants to verify the integrity of the file, he collects the gcm tags from the segments and computes a tag to compare with tag_footer, this can only be done if he is the owner of the file with the proper key.

I have an AWS-KMS Key that I can show using aws cli:

aws kms describe-key --key-id "<arn>"

However, when I do the following with tinkey, it fails:

./tinkey create-keyset --key-template AES256_GCM --out ~/Desktop/encrypted-keyset.cfg --master-key-uri "aws-kms://<arn>"

Exception in thread "main" java.security.GeneralSecurityException: encryption failed
	at com.google.crypto.tink.integration.awskms.AwsKmsAead.encrypt(AwsKmsAead.java:59)
	at com.google.crypto.tink.KeysetHandle.encrypt(KeysetHandle.java:107)
	at com.google.crypto.tink.KeysetHandle.write(KeysetHandle.java:98)
	at com.google.crypto.tink.tinkey.TinkeyUtil.writeKeyset(TinkeyUtil.java:204)
	at com.google.crypto.tink.tinkey.TinkeyUtil.createKeyset(TinkeyUtil.java:116)
	at com.google.crypto.tink.tinkey.CreateKeysetCommand.create(CreateKeysetCommand.java:48)
	at com.google.crypto.tink.tinkey.CreateKeysetCommand.run(CreateKeysetCommand.java:31)
	at com.google.crypto.tink.tinkey.Tinkey.main(Tinkey.java:42)
Caused by: com.amazonaws.services.kms.model.NotFoundException: Invalid arn (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: xxx)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1587)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1257)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1029)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:741)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:715)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:697)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:665)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:647)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:511)
	at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:3036)
	at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:3012)
	at com.amazonaws.services.kms.AWSKMSClient.executeEncrypt(AWSKMSClient.java:1366)
	at com.amazonaws.services.kms.AWSKMSClient.encrypt(AWSKMSClient.java:1342)
	at com.google.crypto.tink.integration.awskms.AwsKmsAead.encrypt(AwsKmsAead.java:57)
	... 7 more

What am I doing wrong?

edit:
I did the same using the Tink Java Library, and I think the problem is the included aws client tries to call https://kms.us-east-1.amazonaws.com/, although my key is located in eu-central-1. Can I tell tink to try eu-central-1?