...

The plan is to have 3 interfaces in three sub-directories under pkg/plugins: one for PackerJWEBuilder to Serialize/Unserialize a JWE, another for Crypto, and the third for KMS. The Crypto and KMS interfaces will serve as wrappers around Tink operations such as Encrypt(), Decrypt(), Sign(), Verify(), etc., while the Packer JWEBuilder will use the other two to build a JWE envelope, offering a Seal (serialize) and an Open (unserialize) function.
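As an added sketch (not the project's code, which this page does not show), here is how the three roles fit together in Go: a Crypto interface with Tink's AEAD shape, backed here by the standard library's AES-GCM instead of Tink primitives; a map of key ids standing in for the KMS interface; and a Packer whose Seal and Open produce and consume a direct-mode JWE in compact serialization. Direct mode ("alg":"dir") is the simplest case with no key wrapping, so the encrypted_key segment stays empty; a key-wrapping mode would fill that segment. Every name in the block (Crypto, AESGCM, Packer, the Keys map, the all-zero demo key) is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Crypto mirrors Tink's AEAD shape (the nonce travels inside the ciphertext);
// backing it with Go's AES-GCM rather than Tink is this example's assumption.
type Crypto interface {
	Encrypt(plaintext, aad []byte) ([]byte, error)
	Decrypt(ciphertext, aad []byte) ([]byte, error)
}

const nonceLen, tagLen = 12, 16 // A256GCM: 96-bit IV, 128-bit tag
var b64 = base64.RawURLEncoding

type AESGCM struct{ AEAD cipher.AEAD }

// Encrypt draws a fresh nonce per call (GCM needs unique nonces) and returns
// nonce || ciphertext || tag, the layout Tink's AES-GCM uses.
func (c *AESGCM) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.AEAD.Seal(nonce, nonce, plaintext, aad), nil
}

func (c *AESGCM) Decrypt(ciphertext, aad []byte) ([]byte, error) {
	if len(ciphertext) < nonceLen+tagLen {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return c.AEAD.Open(nil, ciphertext[:nonceLen], ciphertext[nonceLen:], aad)
}

// Packer is the JWEBuilder role. Keys is an in-memory stand-in for the planned
// KMS interface (hypothetical). Seal emits a direct-mode ("alg":"dir") JWE in
// compact form (empty encrypted_key segment, no key wrapping); Open reverses it.
type Packer struct{ Keys map[string]Crypto }

func (p Packer) Seal(kid string, payload []byte) (string, error) {
	c, ok := p.Keys[kid]
	if !ok {
		return "", fmt.Errorf("unknown kid %q", kid)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	// RFC 7516: the AAD is the base64url protected header, so an altered header
	// fails authentication just as an altered ciphertext does.
	out, err := c.Encrypt(payload, []byte(protected))
	if err != nil {
		return "", err
	}
	n := len(out) - tagLen
	return strings.Join([]string{protected, "", b64.EncodeToString(out[:nonceLen]),
		b64.EncodeToString(out[nonceLen:n]), b64.EncodeToString(out[n:])}, "."), nil
}

func (p Packer) Open(jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 || parts[1] != "" {
		return nil, fmt.Errorf("not a direct-mode compact JWE")
	}
	raw := make([][]byte, 5)
	for i, s := range parts {
		var err error
		if raw[i], err = b64.DecodeString(s); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg, Enc, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// Pin alg/enc instead of letting the header choose the algorithm.
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	c, ok := p.Keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	return c.Decrypt(append(append(raw[2], raw[3]...), raw[4]...), []byte(parts[0]))
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	g, _ := cipher.NewGCM(block)
	p := Packer{Keys: map[string]Crypto{"k1": &AESGCM{g}}}
	env, _ := p.Seal("k1", []byte("hello"))
	pt, err := p.Open(env)
	fmt.Println(env, string(pt), err)
}
```

Open pins alg and enc to the values Seal emits rather than dispatching on whatever the header says, and it feeds the base64url protected header to the AEAD as associated data, as RFC 7516 requires; a modified header, ciphertext or tag therefore fails authentication instead of being decrypted under a different algorithm. Swapping AESGCM for a Tink-backed type changes nothing in Packer, which is the point of keeping the Crypto wrapper between them.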




The introduction of Tink begins with the Crypto interface, whose implementation will use Tink primitives for the crypto operations. Tink will need to be extended with a custom AEAD cipher that wraps keys using ECDH-1PU. The implementation will somewhat resemble Tink's Hybrid AEAD, the difference being that the key derivation function in 1PU (here) differs from the conventional, standardized ECDH-ES HKDF (example here and defined here) mode.


In Tink, operations are isolated in distinct interfaces grouped by the type of cryptography used. There are interfaces for deterministic AEAD (re-encrypting the same payload yields the same output; this mode is not recommended), AEAD (direct mode, no key wrapping), hybrid AEAD (with key wrapping, including key derivation defined as ECDH-ES), signatures and MACs. Our interfaces will be similar to the following: