Setting up copybara to copy ObjC code.

PiperOrigin-RevId: 188377796 GitOrigin-RevId: 673bd60bff3312c7d9911a36a9438ba3bb4a9240

Setting up copybara to copy ObjC code.
PiperOrigin-RevId: 188377796 GitOrigin-RevId: 673bd60bff3312c7d9911a36a9438ba3bb4a9240
ed38efb4 · Tink Team · Thai Duong · 528d8eba · ed38efb4 · ed38efb4
Commit ed38efb4 authored 7 years ago by Tink Team Committed by Thai Duong 7 years ago
--- a/cc/subtle/ecdsa_sign_boringssl.cc
+++ b/cc/subtle/ecdsa_sign_boringssl.cc
@@ -82,32 +82,20 @@ util::StatusOr<std::string> EcdsaSignBoringSsl::Sign(
  // Compute the digest.
  unsigned int digest_size;
  uint8_t digest[EVP_MAX_MD_SIZE];
-  bssl::UniquePtr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create());
-  if (!EVP_DigestInit_ex(mdctx.get(), hash_, nullptr)) {
-    return util::Status(util::error::INTERNAL, "Could not compute digest.");
-  }
-  if (!EVP_DigestUpdate(mdctx.get(), data.data(), data.size())) {
-    return util::Status(util::error::INTERNAL, "Could not compute digest.");
-  }
-  if (!EVP_DigestFinal_ex(mdctx.get(), digest, &digest_size)) {
+  if (1 != EVP_Digest(data.data(), data.size(), digest, &digest_size, hash_,
+                  nullptr)) {
    return util::Status(util::error::INTERNAL, "Could not compute digest.");
  }

  // Compute the signature.
-  bssl::UniquePtr<ECDSA_SIG> signature(ECDSA_do_sign(
-      digest, digest_size, key_.get()));
-  if (signature == nullptr) {
+  std::vector<uint8_t> buffer(ECDSA_size(key_.get()));
+  unsigned int sig_length;
+  if (1 != ECDSA_sign(0 /* unused */, digest, digest_size, buffer.data(),
+                  &sig_length, key_.get())) {
    return util::Status(util::error::INTERNAL, "Signing failed.");
  }

-  // Get DER-encoding of the signature.
-  const size_t buffer_size = i2d_ECDSA_SIG(signature.get(), nullptr);
-  std::vector<uint8_t> buffer(buffer_size);
-  uint8_t* ptr = &buffer[0];
-  const size_t sig_length = i2d_ECDSA_SIG(signature.get(), &ptr);
-  std::string der_signature;
-  der_signature.assign(reinterpret_cast<char*>(&buffer[0]), sig_length);
-  return der_signature;
+  return std::string(reinterpret_cast<char*>(buffer.data()), sig_length);
 }

 }  // namespace subtle

--- a/cc/subtle/ecdsa_verify_boringssl.cc
+++ b/cc/subtle/ecdsa_verify_boringssl.cc
@@ -70,34 +70,20 @@ util::Status EcdsaVerifyBoringSsl::Verify(
  // Compute the digest.
  unsigned int digest_size;
  uint8_t digest[EVP_MAX_MD_SIZE];
-  bssl::UniquePtr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create());
-  if (!EVP_DigestInit_ex(mdctx.get(), hash_, nullptr)) {
-    return util::Status(util::error::INTERNAL, "Could not compute digest.");
-  }
-  if (!EVP_DigestUpdate(mdctx.get(), data.data(), data.size())) {
-    return util::Status(util::error::INTERNAL, "Could not compute digest.");
-  }
-  if (!EVP_DigestFinal_ex(mdctx.get(), digest, &digest_size)) {
+  if (1 != EVP_Digest(data.data(), data.size(), digest, &digest_size, hash_,
+                  nullptr)) {
    return util::Status(util::error::INTERNAL, "Could not compute digest.");
  }

  // Verify the signature.
-  const uint8_t* ptr = reinterpret_cast<const uint8_t*>(signature.data());
-  bssl::UniquePtr<ECDSA_SIG> sig(
-      d2i_ECDSA_SIG(nullptr, &ptr, signature.length()));
-  int status = ECDSA_do_verify(digest, digest_size, sig.get(), key_.get());
-  if (status == 1) {
-    // signature is valid
-    return util::Status::OK;
-  } else if (status == 0) {
+  if (1 != ECDSA_verify(0 /* unused */, digest, digest_size,
+                    reinterpret_cast<const uint8_t*>(signature.data()),
+                    signature.size(), key_.get())) {
    // signature is invalid
-    return util::Status(util::error::UNKNOWN,
-                        "Signature is not valid.");
-  } else {
-    // an error occurred during the verification
-    return util::Status(util::error::INTERNAL,
-                        "An error occured during verification.");
+    return util::Status(util::error::UNKNOWN, "Signature is not valid.");
  }
+  // signature is valid
+  return util::Status::OK;
 }

 }  // namespace subtle

--- a/cc/subtle/ecdsa_verify_boringssl_test.cc
+++ b/cc/subtle/ecdsa_verify_boringssl_test.cc
@@ -53,6 +53,9 @@ TEST_F(EcdsaSignBoringSslTest, testBasicSigning) {
  auto status = verifier->Verify(signature, message);
  EXPECT_TRUE(status.ok()) << status;

+  status = verifier->Verify(signature + "some trailing data", message);
+  EXPECT_FALSE(status.ok()) << status;
+
  status = verifier->Verify("some bad signature", message);
  EXPECT_FALSE(status.ok());


--- a/doc/CPP-HOWTO.md
+++ b/doc/CPP-HOWTO.md
@@ -13,7 +13,7 @@ For example, if you want to use all implementations of all primitives in Tink
 1.1.0, the initialization would look as follows:

 ```cpp
-   #include third_party/tink/cc/config/tink_config.h
+   #include "cc/config/tink_config.h"

   // ...
   auto status = TinkConfig::Init();

--- a/objc/BUILD.bazel
+++ b/objc/BUILD.bazel
@@ -21,18 +21,8 @@ objc_library(

 objc_library(
    name = "aead",
-    srcs = ["TINKAead.mm"],
-    hdrs = [
-        "TINKAead.h",
-        "TINKAead_Internal.h",
-    ],
+    hdrs = ["TINKAead.h"],
    visibility = ["//visibility:public"],
-    deps = [
-        "//cc:aead",
-        "//objc/util:errors",
-        "//objc/util:strings",
-        "@com_google_absl//absl/strings",
-    ],
 )

 objc_library(
@@ -48,6 +38,7 @@ objc_library(
        ":keyset_reader",
        "//cc:keyset_handle",
        "//cc/util:status",
+        "//objc/aead:aead_internal",
        "//objc/util:errors",
        "//objc/util:strings",
        "//proto:all_objc_proto",
@@ -134,6 +125,84 @@ objc_library(
    ],
 )

+objc_library(
+    name = "config",
+    srcs = ["core/TINKConfig.mm"],
+    hdrs = [
+        "TINKConfig.h",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":registry_config",
+        "//cc:config",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "//proto:all_objc_proto",
+    ],
+)
+
+objc_library(
+    name = "version",
+    srcs = [],
+    hdrs = [
+        "TINKVersion.h",
+    ],
+    visibility = ["//visibility:public"],
+)
+
+objc_library(
+    name = "all_config",
+    srcs = ["core/TINKAllConfig.mm"],
+    hdrs = [
+        "TINKAllConfig.h",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":registry_config",
+        "//cc/config:tink_config",
+        "//cc/util:errors",
+        "//objc:version",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "//proto:all_objc_proto",
+    ],
+)
+
+objc_library(
+    name = "registry_config",
+    srcs = ["core/TINKRegistryConfig.mm"],
+    hdrs = [
+        "TINKRegistryConfig.h",
+        "core/TINKRegistryConfig_Internal.h",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":config_pb",
+        ":version",
+    ],
+)
+
+cc_library(
+    name = "aes_gcm_pb",
+    deps = [
+        "//proto:aes_gcm_cc_proto",
+    ],
+)
+
+cc_library(
+    name = "config_pb",
+    deps = [
+        "//proto:config_cc_proto",
+    ],
+)
+
+cc_library(
+    name = "tink_pb",
+    deps = [
+        "//proto:tink_cc_proto",
+    ],
+)
+
 ############################
 #         Tests            #
 ############################
@@ -158,10 +227,25 @@ objc_library(
    ]),
    deps = [
        ":aead",
+        ":aes_gcm_pb",
+        ":all_config",
        ":binary_keyset_reader",
        ":cleartext_keyset_handle",
-        ":keyset_handle",
+        ":config",
+        ":registry_config",
+        ":tink_pb",
+        ":version",
+        "//cc:aead",
+        "//cc:crypto_format",
+        "//cc:keyset_handle",
+        "//cc/aead:aead_config",
+        "//cc/aead:aead_factory",
+        "//cc/aead:aes_gcm_key_manager",
+        "//cc/util:status",
        "//cc/util:test_util",
+        "//objc/aead:aead_config",
+        "//objc/aead:aead_factory",
+        "//objc/aead:aead_internal",
        "//objc/util:strings",
        "//proto:all_objc_proto",
    ],

--- a/objc/TINKAead.h
+++ b/objc/TINKAead.h
@@ -18,16 +18,15 @@

 #import <Foundation/Foundation.h>

+NS_ASSUME_NONNULL_BEGIN
+
 /**
 * The interface for authenticated encryption with additional authenticated data. Implementations of
 * this interface are secure against adaptive chosen ciphertext attacks. Encryption with additional
 * data ensures authenticity and integrity of that data, but not its secrecy. (see RFC 5116,
 * https://tools.ietf.org/html/rfc5116)
 */
-@interface TINKAead : NSObject
-
-/** Use TINKAeadFactory to get an instance of TINKAead. */
- (nullable instancetype)init NS_UNAVAILABLE;
+@protocol TINKAead <NSObject>

 /**
 * Encrypts @c plaintext with @c additionalData as additional authenticated data, and returns the
@@ -38,9 +37,9 @@
 * @param additionalData  Additional authenticated data.
 * @return                The encrypted data on success; nil in case of error.
 */
- (nullable NSData *)encrypt:(nonnull NSData *)plaintext
-          withAdditionalData:(nonnull NSData *)additionalData
-                       error:(NSError *_Nullable *_Nonnull)error;
+- (nullable NSData *)encrypt:(NSData *)plaintext
+          withAdditionalData:(NSData *)additionalData
+                       error:(NSError **)error;

 /**
 * Decrypts @c ciphertext with @c additionalData as additional authenticated data, and returns the
@@ -51,8 +50,10 @@
 * @param additionalData  Additional authenticated data.
 * @return                The decrypted data on success; nil in case of error.
 */
- (nullable NSData *)decrypt:(nonnull NSData *)ciphertext
-          withAdditionalData:(nonnull NSData *)additionalData
-                       error:(NSError *_Nullable *_Nonnull)error;
+- (nullable NSData *)decrypt:(NSData *)ciphertext
+          withAdditionalData:(NSData *)additionalData
+                       error:(NSError **)error;

 @end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKAllConfig.h
+++ b/objc/TINKAllConfig.h
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+
+/**
+ * Static methods for registering with the Registry all instances of Tink key types supported in a
+ * particular release of Tink. To register all Tink key types provided in Tink release 1.1.0 one can
+ * do:
+ *
+ * NSError *error = nil;
+ * TINKAllConfig *allConfig = [[TINKAllConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+ * if (error || !allConfig) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:allConfig error:&error]) {
+ *   // handle error.
+ * }
+ */
+@interface TINKAllConfig : TINKRegistryConfig
+
+/** Use initWithVersion:error: to get an instance of TINKAllConfig. */
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+- (instancetype)initWithVersion:(TINKVersion)version
+                          error:(NSError **)error NS_DESIGNATED_INITIALIZER;
+
+@end
--- a/objc/TINKConfig.h
+++ b/objc/TINKConfig.h
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+@class TINKRegistryConfig;
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * Static methods for handling of Tink configurations.
+ *
+ * Configurations, i.e., collections of key types and their corresponding key managers supported by
+ * a specific run-time environment enable control of Tink setup via JSON-formatted config files that
+ * determine which key types are supported, and provide a mechanism for deprecation of
+ * obsolete/outdated cryptographic schemes (see tink/proto/config.proto for more info).
+ *
+ * Example usage:
+ *
+ * NSError *error = nil;
+ * TINKAllConfig *config = [[TINKAllConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+ * if (!config || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:config error:&error]) {
+ *   // handle error.
+ * }
+ */
+@interface TINKConfig : NSObject
+
+/* Registers key managers according to the specification in @c config. */
+ (BOOL)registerConfig:(TINKRegistryConfig *)config error:(NSError **)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKKeysetHandle.h
+++ b/objc/TINKKeysetHandle.h
@@ -18,9 +18,9 @@

 #import <Foundation/Foundation.h>

-#import "objc/TINKAead.h"
-#import "objc/TINKKeysetReader.h"
-#import "proto/Tink.pbobjc.h"
+@class TINKKeysetReader;
+@class TINKPBKeyTemplate;
+@protocol TINKAead;

 NS_ASSUME_NONNULL_BEGIN

@@ -46,7 +46,7 @@ NS_ASSUME_NONNULL_BEGIN
 * @return        A TINKKeysetHandle, or nil in case of error.
 */
 - (nullable instancetype)initWithKeysetReader:(TINKKeysetReader *)reader
-                                       andKey:(TINKAead *)aeadKey
+                                       andKey:(id<TINKAead>)aeadKey
                                        error:(NSError **)error;

 /**
@@ -63,3 +63,4 @@ NS_ASSUME_NONNULL_BEGIN
 @end

 NS_ASSUME_NONNULL_END
+
--- a/objc/TINKRegistryConfig.h
+++ b/objc/TINKRegistryConfig.h
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKVersion.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * Wrapper class that holds configration options used by TINKConfig. This is the base/parent class
+ * that is subclassed by all the TINKXYZConfig classes.
+ *
+ * To create an instance of this class you need to use one of the subclasses: TINKAllConfig,
+ * TINKAeadConfig etc.
+ */
+@interface TINKRegistryConfig : NSObject
+
+/**
+ * This class is not meant to be instantiated directly; instead use one of the subclasses
+ * (TINKAeadConfig, TINKAllConfig etc.) to get an instance.
+ */
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+- (instancetype)initWithVersion:(TINKVersion)version
+                          error:(NSError **)error NS_DESIGNATED_INITIALIZER;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKAead_Internal.h
+++ b/objc/TINKAead_Internal.h
@@ -16,14 +16,8 @@
 **************************************************************************
 */

-#import "objc/TINKAead.h"
+#import <Foundation/Foundation.h>

-#include "cc/aead.h"
-
-@interface TINKAead ()
-@property(nonatomic, nonnull, readonly) crypto::tink::Aead *primitive;
-
- (nullable instancetype)initWithPrimitive:(nonnull crypto::tink::Aead *)primitive
-    NS_DESIGNATED_INITIALIZER;
-
-@end
+typedef NS_ENUM(NSInteger, TINKVersion) {
+  TINKVersion1_1_0 = 0x110,
+};
--- a/objc/Tests/UnitTests/aead/TINKAeadConfigTest.mm
+++ b/objc/Tests/UnitTests/aead/TINKAeadConfigTest.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/aead/TINKAeadConfig.h"
+
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKConfig.h"
+#import "objc/TINKRegistryConfig.h"
+#import "objc/core/TINKRegistryConfig_Internal.h"
+
+#include "cc/aead/aead_config.h"
+#include "proto/config.pb.h"
+
+@interface TINKAeadConfigTest : XCTestCase
+@end
+
+@implementation TINKAeadConfigTest
+
+- (void)testConfigContents {
+  std::string aes_ctr_hmac_aead_key_type = "type.googleapis.com/google.crypto.tink.AesCtrHmacAeadKey";
+  std::string aes_gcm_key_type = "type.googleapis.com/google.crypto.tink.AesGcmKey";
+  std::string hmac_key_type = "type.googleapis.com/google.crypto.tink.HmacKey";
+
+  NSError *error = nil;
+  TINKAeadConfig *aeadConfig =
+      [[TINKAeadConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(aeadConfig);
+  XCTAssertNil(error);
+
+  google::crypto::tink::RegistryConfig config = aeadConfig.ccConfig;
+  XCTAssertTrue(config.entry_size() == 3);
+
+  XCTAssertTrue("TinkMac" == config.entry(0).catalogue_name());
+  XCTAssertTrue("Mac" == config.entry(0).primitive_name());
+  XCTAssertTrue(hmac_key_type == config.entry(0).type_url());
+  XCTAssertTrue(config.entry(0).new_key_allowed());
+  XCTAssertTrue(0 == config.entry(0).key_manager_version());
+
+  XCTAssertTrue("TinkAead" == config.entry(1).catalogue_name());
+  XCTAssertTrue("Aead" == config.entry(1).primitive_name());
+  XCTAssertTrue(aes_ctr_hmac_aead_key_type == config.entry(1).type_url());
+  XCTAssertTrue(config.entry(1).new_key_allowed());
+  XCTAssertTrue(0 == config.entry(1).key_manager_version());
+
+  XCTAssertTrue("TinkAead" == config.entry(2).catalogue_name());
+  XCTAssertTrue("Aead" == config.entry(2).primitive_name());
+  XCTAssertTrue(aes_gcm_key_type == config.entry(2).type_url());
+  XCTAssertTrue(config.entry(2).new_key_allowed());
+  XCTAssertTrue(0 == config.entry(2).key_manager_version());
+
+  // Registration of standard key types works.
+  error = nil;
+  XCTAssertTrue([TINKConfig registerConfig:aeadConfig error:&error]);
+  XCTAssertNil(error);
+}
+
+@end
--- a/objc/Tests/UnitTests/aead/TINKAeadFactoryTest.mm
+++ b/objc/Tests/UnitTests/aead/TINKAeadFactoryTest.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/aead/TINKAeadFactory.h"
+
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKAead.h"
+#import "objc/TINKKeysetHandle.h"
+#import "objc/aead/TINKAeadConfig.h"
+#import "objc/aead/TINKAeadFactory.h"
+#import "objc/core/TINKKeysetHandle_Internal.h"
+#import "objc/util/TINKStrings.h"
+
+#include "cc/aead.h"
+#include "cc/aead/aead_config.h"
+#include "cc/aead/aes_gcm_key_manager.h"
+#include "cc/crypto_format.h"
+#include "cc/keyset_handle.h"
+#include "cc/util/status.h"
+#include "cc/util/test_util.h"
+#include "proto/aes_gcm.pb.h"
+#include "proto/tink.pb.h"
+
+using crypto::tink::AesGcmKeyManager;
+using crypto::tink::KeyFactory;
+using crypto::tink::test::AddRawKey;
+using crypto::tink::test::AddTinkKey;
+using crypto::tink::test::GetKeysetHandle;
+using google::crypto::tink::AesGcmKeyFormat;
+using google::crypto::tink::KeyData;
+using google::crypto::tink::Keyset;
+using google::crypto::tink::KeyStatusType;
+
+namespace util = crypto::tink::util;
+
+@interface TINKAeadFactoryTest : XCTestCase
+@end
+
+@implementation TINKAeadFactoryTest
+
+- (void)testEmptyKeyset {
+  Keyset keyset;
+  TINKKeysetHandle *handle =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:GetKeysetHandle(keyset)];
+  XCTAssertNotNil(handle);
+
+  NSError *error = nil;
+  id<TINKAead> aead = [TINKAeadFactory primitiveWithKeysetHandle:handle error:&error];
+  XCTAssertNil(aead);
+  XCTAssertNotNil(error);
+  XCTAssertTrue(error.code == util::error::INVALID_ARGUMENT);
+  XCTAssertTrue([error.localizedFailureReason containsString:@"at least one key"]);
+}
+
+- (void)testPrimitive {
+  // Prepare a template for generating keys for a Keyset.
+  AesGcmKeyManager key_manager;
+  const KeyFactory &key_factory = key_manager.get_key_factory();
+  std::string key_type = key_manager.get_key_type();
+
+  AesGcmKeyFormat key_format;
+  key_format.set_key_size(16);
+
+  // Prepare a Keyset.
+  Keyset keyset;
+  uint32_t key_id_1 = 1234543;
+  auto new_key = std::move(key_factory.NewKey(key_format).ValueOrDie());
+  AddTinkKey(key_type, key_id_1, *new_key, KeyStatusType::ENABLED, KeyData::SYMMETRIC, &keyset);
+
+  uint32_t key_id_2 = 726329;
+  new_key = std::move(key_factory.NewKey(key_format).ValueOrDie());
+  AddRawKey(key_type, key_id_2, *new_key, KeyStatusType::ENABLED, KeyData::SYMMETRIC, &keyset);
+
+  uint32_t key_id_3 = 7213743;
+  new_key = std::move(key_factory.NewKey(key_format).ValueOrDie());
+  AddTinkKey(key_type, key_id_3, *new_key, KeyStatusType::ENABLED, KeyData::SYMMETRIC, &keyset);
+
+  keyset.set_primary_key_id(key_id_3);
+
+  NSError *error = nil;
+  TINKAeadConfig *aeadConfig =
+      [[TINKAeadConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(aeadConfig);
+  XCTAssertNil(error);
+
+  TINKKeysetHandle *handle =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:GetKeysetHandle(keyset)];
+  XCTAssertNotNil(handle);
+
+  id<TINKAead> aead = [TINKAeadFactory primitiveWithKeysetHandle:handle error:&error];
+  XCTAssertNotNil(aead);
+  XCTAssertNil(error);
+
+  // Test the Aead primitive.
+  NSData *plaintext = [@"some_plaintext" dataUsingEncoding:NSUTF8StringEncoding];
+  NSData *aad = [@"some_aad" dataUsingEncoding:NSUTF8StringEncoding];
+  NSData *ciphertext = [aead encrypt:plaintext withAdditionalData:aad error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(ciphertext);
+
+  NSData *decrypted = [aead decrypt:ciphertext withAdditionalData:aad error:&error];
+  XCTAssertNil(error);
+  XCTAssertTrue([plaintext isEqual:decrypted]);
+
+  // Create raw ciphertext with 2nd key, and decrypt with Aead-instance.
+  auto raw_aead = std::move(key_manager.GetPrimitive(keyset.key(1).key_data()).ValueOrDie());
+  std::string raw_ciphertext =
+      raw_aead->Encrypt(absl::string_view("some_plaintext"), absl::string_view("some_aad"))
+          .ValueOrDie();
+  ciphertext = TINKStringToNSData(raw_ciphertext);
+
+  decrypted = [aead decrypt:ciphertext withAdditionalData:aad error:&error];
+  XCTAssertNil(error);
+  XCTAssertTrue([plaintext isEqual:decrypted]);
+}
+
+@end
+
--- a/objc/Tests/UnitTests/core/TINKAllConfigTest.mm
+++ b/objc/Tests/UnitTests/core/TINKAllConfigTest.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKAllConfig.h"
+
+#import <XCTest/XCTest.h>
+
+#include "proto/config.pb.h"
+
+#import "objc/TINKConfig.h"
+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+#import "objc/core/TINKRegistryConfig_Internal.h"
+#import "objc/util/TINKStrings.h"
+#import "proto/Config.pbobjc.h"
+
+@interface TINKAllConfigTest : XCTestCase
+@end
+
+@implementation TINKAllConfigTest
+
+- (void)testConfigContents {
+  NSString *publicKeySignKeyType = @"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
+  NSString *publicKeyVerifyKeyType = @"type.googleapis.com/google.crypto.tink.EcdsaPublicKey";
+  NSString *hybridEncryptKeyType = @"type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey";
+  NSString *hybridDecryptKeyType =
+      @"type.googleapis.com/google.crypto.tink.EciesAeadHkdfPrivateKey";
+  NSString *aesCtrHmacAeadKeyType = @"type.googleapis.com/google.crypto.tink.AesCtrHmacAeadKey";
+  NSString *aesGcmKeyType = @"type.googleapis.com/google.crypto.tink.AesGcmKey";
+  NSString *hmacKeyType = @"type.googleapis.com/google.crypto.tink.HmacKey";
+
+  NSError *error = nil;
+  TINKAllConfig *allConfig = [[TINKAllConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(allConfig);
+  XCTAssertNil(error);
+
+  google::crypto::tink::RegistryConfig ccConfig = allConfig.ccConfig;
+  std::string serializedConfig;
+  XCTAssertTrue(ccConfig.SerializeToString(&serializedConfig));
+
+  NSError *parseError = nil;
+  TINKPBRegistryConfig *config =
+      [TINKPBRegistryConfig parseFromData:TINKStringToNSData(serializedConfig) error:&parseError];
+  XCTAssertNil(parseError);
+  XCTAssertNotNil(config);
+
+  XCTAssertTrue([config.entryArray[0].catalogueName isEqualToString:@"TinkMac"]);
+  XCTAssertTrue([config.entryArray[0].primitiveName isEqualToString:@"Mac"]);
+  XCTAssertTrue([config.entryArray[0].typeURL isEqualToString:hmacKeyType]);
+  XCTAssertTrue(config.entryArray[0].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[0].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[1].catalogueName isEqualToString:@"TinkAead"]);
+  XCTAssertTrue([config.entryArray[1].primitiveName isEqualToString:@"Aead"]);
+  XCTAssertTrue([config.entryArray[1].typeURL isEqualToString:aesCtrHmacAeadKeyType]);
+  XCTAssertTrue(config.entryArray[1].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[1].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[2].catalogueName isEqualToString:@"TinkAead"]);
+  XCTAssertTrue([config.entryArray[2].primitiveName isEqualToString:@"Aead"]);
+  XCTAssertTrue([config.entryArray[2].typeURL isEqualToString:aesGcmKeyType]);
+  XCTAssertTrue(config.entryArray[2].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[2].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[3].catalogueName isEqualToString:@"TinkHybridEncrypt"]);
+  XCTAssertTrue([config.entryArray[3].primitiveName isEqualToString:@"HybridEncrypt"]);
+  XCTAssertTrue([config.entryArray[3].typeURL isEqualToString:hybridEncryptKeyType]);
+  XCTAssertTrue(config.entryArray[3].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[3].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[4].catalogueName isEqualToString:@"TinkHybridDecrypt"]);
+  XCTAssertTrue([config.entryArray[4].primitiveName isEqualToString:@"HybridDecrypt"]);
+  XCTAssertTrue([config.entryArray[4].typeURL isEqualToString:hybridDecryptKeyType]);
+  XCTAssertTrue(config.entryArray[4].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[4].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[5].catalogueName isEqualToString:@"TinkPublicKeySign"]);
+  XCTAssertTrue([config.entryArray[5].primitiveName isEqualToString:@"PublicKeySign"]);
+  XCTAssertTrue([config.entryArray[5].typeURL isEqualToString:publicKeySignKeyType]);
+  XCTAssertTrue(config.entryArray[5].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[5].keyManagerVersion, 0);
+
+  XCTAssertTrue([config.entryArray[6].catalogueName isEqualToString:@"TinkPublicKeyVerify"]);
+  XCTAssertTrue([config.entryArray[6].primitiveName isEqualToString:@"PublicKeyVerify"]);
+  XCTAssertTrue([config.entryArray[6].typeURL isEqualToString:publicKeyVerifyKeyType]);
+  XCTAssertTrue(config.entryArray[6].newKeyAllowed);
+  XCTAssertEqual(config.entryArray[6].keyManagerVersion, 0);
+}
+
+- (void)testConfigRegistration {
+  NSError *error = nil;
+  TINKAllConfig *config = [[TINKAllConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(config);
+  XCTAssertNil(error);
+
+  XCTAssertTrue([TINKConfig registerConfig:config error:&error]);
+  XCTAssertNil(error);
+}
+
+@end
--- a/objc/Tests/UnitTests/core/TINKBinaryKeysetReaderTest.mm
+++ b/objc/Tests/UnitTests/core/TINKBinaryKeysetReaderTest.mm
@@ -85,7 +85,7 @@ static NSData *gGoodSerializedEncryptedKeyset;
 }

 - (void)testReadFromString {
-  // Good string.
+  // Good std::string.
  NSError *error = nil;
  TINKBinaryKeysetReader *reader =
      [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:gGoodSerializedKeyset error:&error];
@@ -97,7 +97,7 @@ static NSData *gGoodSerializedEncryptedKeyset;
  XCTAssertNotNil(readResult);
  XCTAssertTrue([gGoodSerializedKeyset isEqualToData:readResult.data]);

-  // Bad string.
+  // Bad std::string.
  error = nil;
  TINKBinaryKeysetReader *badReader =
      [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:gBadSerializedKeyset error:&error];
@@ -111,7 +111,7 @@ static NSData *gGoodSerializedEncryptedKeyset;
 }

 - (void)testReadEncryptedFromString {
-  // Good string.
+  // Good std::string.
  NSError *error = nil;
  TINKBinaryKeysetReader *reader =
      [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:gGoodSerializedEncryptedKeyset
@@ -124,7 +124,7 @@ static NSData *gGoodSerializedEncryptedKeyset;
  XCTAssertNotNil(readResult);
  XCTAssertTrue([gGoodSerializedEncryptedKeyset isEqualToData:readResult.data]);

-  // Bad string.
+  // Bad std::string.
  error = nil;
  TINKBinaryKeysetReader *badReader =
      [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:gBadSerializedKeyset error:&error];

--- a/objc/Tests/UnitTests/core/TINKKeysetHandleTest.mm
+++ b/objc/Tests/UnitTests/core/TINKKeysetHandleTest.mm
@@ -22,8 +22,8 @@
 #import <XCTest/XCTest.h>

 #import "objc/TINKAead.h"
-#import "objc/TINKAead_Internal.h"
 #import "objc/TINKBinaryKeysetReader.h"
+#import "objc/aead/TINKAeadInternal.h"
 #import "objc/util/TINKStrings.h"
 #import "proto/Tink.pbobjc.h"

@@ -60,8 +60,9 @@ static TINKPBKeyset *gKeyset;
 }

 - (void)testGoodEncryptedKeyset_Binary {
-  crypto::tink::test::DummyAead *ccAead = new crypto::tink::test::DummyAead("dummy aead 42");
-  TINKAead *aead = [[TINKAead alloc] initWithPrimitive:ccAead];
+  auto ccAead =
+      std::unique_ptr<crypto::tink::Aead>(new crypto::tink::test::DummyAead("dummy aead 42"));
+  TINKAeadInternal *aead = [[TINKAeadInternal alloc] initWithCCAead:std::move(ccAead)];

  NSData *keysetCiphertext = [aead encrypt:gKeyset.data withAdditionalData:[NSData data] error:nil];

@@ -84,8 +85,9 @@ static TINKPBKeyset *gKeyset;
 }

 - (void)testWrongAead_Binary {
-  crypto::tink::test::DummyAead *ccAead = new crypto::tink::test::DummyAead("dummy aead 42");
-  TINKAead *aead = [[TINKAead alloc] initWithPrimitive:ccAead];
+  auto ccAead =
+      std::unique_ptr<crypto::tink::Aead>(new crypto::tink::test::DummyAead("dummy aead 42"));
+  TINKAeadInternal *aead = [[TINKAeadInternal alloc] initWithCCAead:std::move(ccAead)];

  NSData *keysetCiphertext = [aead encrypt:gKeyset.data withAdditionalData:[NSData data] error:nil];

@@ -95,8 +97,9 @@ static TINKPBKeyset *gKeyset;
  TINKBinaryKeysetReader *reader =
      [[TINKBinaryKeysetReader alloc] initWithSerializedKeyset:encryptedKeyset.data error:nil];

-  crypto::tink::test::DummyAead *ccWrongAead = new crypto::tink::test::DummyAead("wrong aead");
-  TINKAead *wrongAead = [[TINKAead alloc] initWithPrimitive:ccWrongAead];
+  auto ccWrongAead =
+      std::unique_ptr<crypto::tink::Aead>(new crypto::tink::test::DummyAead("wrong aead"));
+  TINKAeadInternal *wrongAead = [[TINKAeadInternal alloc] initWithCCAead:std::move(ccWrongAead)];

  NSError *error = nil;
  TINKKeysetHandle *handle =
@@ -106,8 +109,9 @@ static TINKPBKeyset *gKeyset;
 }

 - (void)testNoKeysetInCiphertext_Binary {
-  crypto::tink::test::DummyAead *ccAead = new crypto::tink::test::DummyAead("dummy aead 42");
-  TINKAead *aead = [[TINKAead alloc] initWithPrimitive:ccAead];
+  auto ccAead =
+      std::unique_ptr<crypto::tink::Aead>(new crypto::tink::test::DummyAead("dummy aead 42"));
+  TINKAeadInternal *aead = [[TINKAeadInternal alloc] initWithCCAead:std::move(ccAead)];
  NSData *keysetCiphertext =
      [aead encrypt:[@"not a serialized keyset" dataUsingEncoding:NSUTF8StringEncoding]
          withAdditionalData:[NSData data]
@@ -124,8 +128,9 @@ static TINKPBKeyset *gKeyset;
 }

 - (void)testWrongCiphertext_Binary {
-  crypto::tink::test::DummyAead *ccAead = new crypto::tink::test::DummyAead("dummy aead 42");
-  TINKAead *aead = [[TINKAead alloc] initWithPrimitive:ccAead];
+  auto ccAead =
+      std::unique_ptr<crypto::tink::Aead>(new crypto::tink::test::DummyAead("dummy aead 42"));
+  TINKAeadInternal *aead = [[TINKAeadInternal alloc] initWithCCAead:std::move(ccAead)];
  NSString *keysetCiphertext = @"totally wrong ciphertext";

  TINKPBEncryptedKeyset *encryptedKeyset = [[TINKPBEncryptedKeyset alloc] init];
@@ -152,3 +157,4 @@ static TINKPBKeyset *gKeyset;
 }

 @end
+
--- a/objc/aead/BUILD.bazel
+++ b/objc/aead/BUILD.bazel
@@ -7,7 +7,9 @@ objc_library(
    srcs = ["TINKAeadFactory.mm"],
    hdrs = ["TINKAeadFactory.h"],
    deps = [
+        ":aead_internal",
        "//cc/aead:aead_factory",
+        "//cc:keyset_handle",
        "//cc/util:status",
        "//cc/util:statusor",
        "//objc:aead",
@@ -24,5 +26,24 @@ objc_library(
    hdrs = ["TINKAeadConfig.h"],
    deps = [
        "//cc/aead:aead_config",
+        "//cc/util:errors",
+        "//objc:registry_config",
+        "//objc:version",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "//proto:all_objc_proto",
+    ],
+)
+
+objc_library(
+    name = "aead_internal",
+    srcs = ["TINKAeadInternal.mm"],
+    hdrs = ["TINKAeadInternal.h"],
+    deps = [
+        "//cc:aead",
+        "//objc:aead",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "@com_google_absl//absl/strings",
    ],
 )
--- a/objc/aead/TINKAeadConfig.h
+++ b/objc/aead/TINKAeadConfig.h
@@ -18,29 +18,39 @@

 #import <Foundation/Foundation.h>

+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
 /**
- * TINKAeadConfig offers convenience methods for initializing TINKAeadFactory
- * and the underlying Registry.INSTANCE. In particular, it  allows for
- * initalizing the Registry with native key types and their managers
- * that Tink supports out of the box. These key types are divided in
- * two groups:
+ * This class is used for registering with the Registry all instances of Aead key types supported in
+ * a particular release of Tink.
 *
- *  - standard: secure and safe to use in new code. Over time, with
- *    new developments in cryptanalysis and computing power, some
- *    standard key types might become legacy.
+ * To register all Aead key types provided in Tink release 1.1.0 one can do:
 *
- *  - legacy: deprecated and insecure or obsolete, should not be used
- *    in new code. Existing users should upgrade to one of the standard
- *    key types.
+ * NSError *error = nil;
+ * TINKAeadConfig *aeadConfig = [TINKAeadConfig alloc] initWithVersion:TINKVersion1_1_0
+ *                                                               error:&error];
+ * if (!aeadConfig || error) {
+ *   // handle error.
+ * }
 *
- * This divison allows for gradual retiring insecure or obsolete key types.
+ * if (![TINKConfig registerConfig:aeadConfig error:&error]) {
+ *   // handle error.
+ * }
 *
- * For more information on how to obtain and use Aead primitives
- * see TINKAeadFactory.
+ * For more information on the creation and usage of TINKAead instances see TINKAeadFactory.
 */
-@interface TINKAeadConfig : NSObject
+@interface TINKAeadConfig : TINKRegistryConfig

-/** Registers standard Aead key types and their managers with the Registry. */
-+ (BOOL)registerStandardKeyTypes;
+/* Use initWithVersion:error: to get an instance of TINKAeadConfig. */
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+/* Returns config of Aead implementations supported in given @c version of Tink. */
+- (nullable instancetype)initWithVersion:(TINKVersion)version
+                                   error:(NSError **)error NS_DESIGNATED_INITIALIZER;

 @end
+
+NS_ASSUME_NONNULL_END
--- a/objc/aead/TINKAeadConfig.mm
+++ b/objc/aead/TINKAeadConfig.mm
@@ -16,14 +16,42 @@
 **************************************************************************
 */

-#import "TINKAeadConfig.h"
+#import "objc/aead/TINKAeadConfig.h"
+
+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+#import "objc/core/TINKRegistryConfig_Internal.h"
+#import "objc/util/TINKErrors.h"

 #include "cc/aead/aead_config.h"
+#include "cc/util/status.h"
+#include "proto/config.pb.h"

 @implementation TINKAeadConfig

-+ (BOOL)registerStandardKeyTypes {
-  return crypto::tink::AeadConfig::RegisterStandardKeyTypes().ok();
+- (instancetype)initWithVersion:(TINKVersion)version error:(NSError **)error {
+  auto st = crypto::tink::AeadConfig::Init();
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st);
+    }
+    return nil;
+  }
+
+  google::crypto::tink::RegistryConfig ccConfig;
+  switch (version) {
+    case TINKVersion1_1_0:
+      ccConfig = crypto::tink::AeadConfig::Tink_1_1_0();
+      break;
+    default:
+      if (error) {
+        *error = TINKStatusToError(crypto::tink::util::Status(
+            crypto::tink::util::error::INVALID_ARGUMENT, "Unsupported Tink version."));
+      }
+      return nil;
+  }
+
+  return (self = [super initWithCcConfig:ccConfig]);
 }

 @end
--- a/objc/aead/TINKAeadFactory.h
+++ b/objc/aead/TINKAeadFactory.h
@@ -18,57 +18,45 @@

 #import <Foundation/Foundation.h>

-@class TINKAead;
 @class TINKKeysetHandle;
+@protocol TINKAead;
+
+NS_ASSUME_NONNULL_BEGIN;

 /**
- * TINKAeadFactory allows obtaining a primitive from a TINKKeysetHandle.
- *
- * TINKAeadFactory gets primitives from the Registry. The factory allows initalizing the Registry
- * with native key types and their managers that Tink supports out of the box. These key types are
- * divided in two groups:
- *
- *  - standard: secure and safe to use in new code. Over time, with new developments in
- *    cryptanalysis and computing power, some standard key types might become legacy.
- *
- *  - legacy: deprecated and insecure or obsolete, should not be used in new code. Existing users
- *    should upgrade to one of the standard key types.
+ * TINKAeadFactory allows for obtaining a TINKAead primitive from a TINKKeysetHandle.
 *
- * This divison allows for gradual retiring insecure or obsolete key types.
- *
- * For example, here is how one can obtain and use an Aead primitive:
+ * TINKAeadFactory gets primitives from the Registry, which can be initialized via convenience
+ * methods from TINKAeadConfig. Here is an example how one can obtain and use a TINKAead primitive:
 *
 * NSError *error = nil;
- * [TINKAeadConfig registerStandardKeyTypes];
- * TINKKeysetHandle *handle = [TINKKeysetHandle initWithKeyset:keyset];
- * TINKAead *aead = [TINKAeadFactory primitiveWithKeysetHandle:handle error:&error];
- * if (error) {
- *   // handle error
+ * TINKAeadConfig *aeadConfig = [TINKAeadConfig alloc] initWithVersion:TINKVersion1_1_0
+ *                                                               error:&error];
+ * if (!aeadConfig || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:aeadConfig error:&error]) {
+ *   // handle error.
 * }
 *
- * NSString *plaintext = ...;
- * NSString *data = ...;
- * error = nil;
- * NSString *ciphertext = [aead encrypt:plaintext withAdditionalData:data error:&error];
- * if (error) {
- *   // handle error
+ * TINKKeysetHandle keysetHandle = ...;
+ * id<TINKAead> aead = [TINKAeadFactory primitiveWithKeysetHandle:keysetHandle error:&error];
+ * if (!aead || error) {
+ *   // handle error.
 * }
+ *
+ * NSData *plaintext = ...;
+ * NSData *additionalData = ...;
+ * NSData *ciphertext = [aead encrypt:plaintext withAdditionalData:additionalData error:&error];
 */
 @interface TINKAeadFactory : NSObject
-
 /**
- * Returns an Aead-primitive that uses key material from the keyset specified via @c keysetHandle.
+ * Returns an object that conforms to the TINKAead protocol. It uses key material from the keyset
+ * specified via @c keysetHandle.
 */
-+ (nullable TINKAead *)primitiveWithKeysetHandle:(nonnull TINKKeysetHandle *)keysetHandle
-                                           error:(NSError *_Nullable *_Nonnull)error;
-
-/**
- * Returns an Aead-primitive that uses key material from the keyset specified via @c keysetHandle
- * and is instantiated by the given @c customKeyManager (instead of the key manager from the
- * Registry).
- */
-+ (nullable TINKAead *)primitiveWithKeysetHandle:(nonnull TINKKeysetHandle *)keysetHandle
-                                   andKeyManager:(nullable NSObject *)keyManager
-                                           error:(NSError *_Nullable *_Nonnull)error NS_UNAVAILABLE;
-
+ (nullable id<TINKAead>)primitiveWithKeysetHandle:(TINKKeysetHandle *)keysetHandle
+                                             error:(NSError **)error;
 @end
+
+NS_ASSUME_NONNULL_END;