aws-sdk-kms 1.25.0 → 1.26.0

@@ -47,6 +47,8 @@ module Aws::KMS
47
47
  CustomKeyStoreNotFoundException = Shapes::StructureShape.new(name: 'CustomKeyStoreNotFoundException')
48
48
  CustomKeyStoresList = Shapes::ListShape.new(name: 'CustomKeyStoresList')
49
49
  CustomKeyStoresListEntry = Shapes::StructureShape.new(name: 'CustomKeyStoresListEntry')
50
+ CustomerMasterKeySpec = Shapes::StringShape.new(name: 'CustomerMasterKeySpec')
51
+ DataKeyPairSpec = Shapes::StringShape.new(name: 'DataKeyPairSpec')
50
52
  DataKeySpec = Shapes::StringShape.new(name: 'DataKeySpec')
51
53
  DateType = Shapes::TimestampShape.new(name: 'DateType')
52
54
  DecryptRequest = Shapes::StructureShape.new(name: 'DecryptRequest')
@@ -70,12 +72,18 @@ module Aws::KMS
70
72
  EnableKeyRotationRequest = Shapes::StructureShape.new(name: 'EnableKeyRotationRequest')
71
73
  EncryptRequest = Shapes::StructureShape.new(name: 'EncryptRequest')
72
74
  EncryptResponse = Shapes::StructureShape.new(name: 'EncryptResponse')
75
+ EncryptionAlgorithmSpec = Shapes::StringShape.new(name: 'EncryptionAlgorithmSpec')
76
+ EncryptionAlgorithmSpecList = Shapes::ListShape.new(name: 'EncryptionAlgorithmSpecList')
73
77
  EncryptionContextKey = Shapes::StringShape.new(name: 'EncryptionContextKey')
74
78
  EncryptionContextType = Shapes::MapShape.new(name: 'EncryptionContextType')
75
79
  EncryptionContextValue = Shapes::StringShape.new(name: 'EncryptionContextValue')
76
80
  ErrorMessageType = Shapes::StringShape.new(name: 'ErrorMessageType')
77
81
  ExpirationModelType = Shapes::StringShape.new(name: 'ExpirationModelType')
78
82
  ExpiredImportTokenException = Shapes::StructureShape.new(name: 'ExpiredImportTokenException')
83
+ GenerateDataKeyPairRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairRequest')
84
+ GenerateDataKeyPairResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairResponse')
85
+ GenerateDataKeyPairWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextRequest')
86
+ GenerateDataKeyPairWithoutPlaintextResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextResponse')
79
87
  GenerateDataKeyRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyRequest')
80
88
  GenerateDataKeyResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyResponse')
81
89
  GenerateDataKeyWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyWithoutPlaintextRequest')
@@ -88,6 +96,8 @@ module Aws::KMS
88
96
  GetKeyRotationStatusResponse = Shapes::StructureShape.new(name: 'GetKeyRotationStatusResponse')
89
97
  GetParametersForImportRequest = Shapes::StructureShape.new(name: 'GetParametersForImportRequest')
90
98
  GetParametersForImportResponse = Shapes::StructureShape.new(name: 'GetParametersForImportResponse')
99
+ GetPublicKeyRequest = Shapes::StructureShape.new(name: 'GetPublicKeyRequest')
100
+ GetPublicKeyResponse = Shapes::StructureShape.new(name: 'GetPublicKeyResponse')
91
101
  GrantConstraints = Shapes::StructureShape.new(name: 'GrantConstraints')
92
102
  GrantIdType = Shapes::StringShape.new(name: 'GrantIdType')
93
103
  GrantList = Shapes::ListShape.new(name: 'GrantList')
@@ -99,6 +109,7 @@ module Aws::KMS
99
109
  GrantTokenType = Shapes::StringShape.new(name: 'GrantTokenType')
100
110
  ImportKeyMaterialRequest = Shapes::StructureShape.new(name: 'ImportKeyMaterialRequest')
101
111
  ImportKeyMaterialResponse = Shapes::StructureShape.new(name: 'ImportKeyMaterialResponse')
112
+ IncorrectKeyException = Shapes::StructureShape.new(name: 'IncorrectKeyException')
102
113
  IncorrectKeyMaterialException = Shapes::StructureShape.new(name: 'IncorrectKeyMaterialException')
103
114
  IncorrectTrustAnchorException = Shapes::StructureShape.new(name: 'IncorrectTrustAnchorException')
104
115
  InvalidAliasNameException = Shapes::StructureShape.new(name: 'InvalidAliasNameException')
@@ -135,6 +146,7 @@ module Aws::KMS
135
146
  ListRetirableGrantsRequest = Shapes::StructureShape.new(name: 'ListRetirableGrantsRequest')
136
147
  MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
137
148
  MarkerType = Shapes::StringShape.new(name: 'MarkerType')
149
+ MessageType = Shapes::StringShape.new(name: 'MessageType')
138
150
  NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
139
151
  NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
140
152
  OriginType = Shapes::StringShape.new(name: 'OriginType')
@@ -144,6 +156,7 @@ module Aws::KMS
144
156
  PolicyNameType = Shapes::StringShape.new(name: 'PolicyNameType')
145
157
  PolicyType = Shapes::StringShape.new(name: 'PolicyType')
146
158
  PrincipalIdType = Shapes::StringShape.new(name: 'PrincipalIdType')
159
+ PublicKeyType = Shapes::BlobShape.new(name: 'PublicKeyType')
147
160
  PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
148
161
  ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
149
162
  ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
@@ -151,6 +164,10 @@ module Aws::KMS
151
164
  RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
152
165
  ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
153
166
  ScheduleKeyDeletionResponse = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionResponse')
167
+ SignRequest = Shapes::StructureShape.new(name: 'SignRequest')
168
+ SignResponse = Shapes::StructureShape.new(name: 'SignResponse')
169
+ SigningAlgorithmSpec = Shapes::StringShape.new(name: 'SigningAlgorithmSpec')
170
+ SigningAlgorithmSpecList = Shapes::ListShape.new(name: 'SigningAlgorithmSpecList')
154
171
  Tag = Shapes::StructureShape.new(name: 'Tag')
155
172
  TagException = Shapes::StructureShape.new(name: 'TagException')
156
173
  TagKeyList = Shapes::ListShape.new(name: 'TagKeyList')
@@ -165,6 +182,8 @@ module Aws::KMS
165
182
  UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
166
183
  UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
167
184
  UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
185
+ VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
186
+ VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
168
187
  WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
169
188
 
170
189
  AliasList.member = Shapes::ShapeRef.new(shape: AliasListEntry)
@@ -232,6 +251,7 @@ module Aws::KMS
232
251
  CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
233
252
  CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
234
253
  CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
254
+ CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
235
255
  CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
236
256
  CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
237
257
  CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
@@ -267,10 +287,13 @@ module Aws::KMS
267
287
  DecryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
268
288
  DecryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
269
289
  DecryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
290
+ DecryptRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
291
+ DecryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
270
292
  DecryptRequest.struct_class = Types::DecryptRequest
271
293
 
272
294
  DecryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
273
295
  DecryptResponse.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "Plaintext"))
296
+ DecryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
274
297
  DecryptResponse.struct_class = Types::DecryptResponse
275
298
 
276
299
  DeleteAliasRequest.add_member(:alias_name, Shapes::ShapeRef.new(shape: AliasNameType, required: true, location_name: "AliasName"))
@@ -329,18 +352,47 @@ module Aws::KMS
329
352
  EncryptRequest.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Plaintext"))
330
353
  EncryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
331
354
  EncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
355
+ EncryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
332
356
  EncryptRequest.struct_class = Types::EncryptRequest
333
357
 
334
358
  EncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
335
359
  EncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
360
+ EncryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
336
361
  EncryptResponse.struct_class = Types::EncryptResponse
337
362
 
363
+ EncryptionAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec)
364
+
338
365
  EncryptionContextType.key = Shapes::ShapeRef.new(shape: EncryptionContextKey)
339
366
  EncryptionContextType.value = Shapes::ShapeRef.new(shape: EncryptionContextValue)
340
367
 
341
368
  ExpiredImportTokenException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
342
369
  ExpiredImportTokenException.struct_class = Types::ExpiredImportTokenException
343
370
 
371
+ GenerateDataKeyPairRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
372
+ GenerateDataKeyPairRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
373
+ GenerateDataKeyPairRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
374
+ GenerateDataKeyPairRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
375
+ GenerateDataKeyPairRequest.struct_class = Types::GenerateDataKeyPairRequest
376
+
377
+ GenerateDataKeyPairResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
378
+ GenerateDataKeyPairResponse.add_member(:private_key_plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "PrivateKeyPlaintext"))
379
+ GenerateDataKeyPairResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
380
+ GenerateDataKeyPairResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
381
+ GenerateDataKeyPairResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
382
+ GenerateDataKeyPairResponse.struct_class = Types::GenerateDataKeyPairResponse
383
+
384
+ GenerateDataKeyPairWithoutPlaintextRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
385
+ GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
386
+ GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
387
+ GenerateDataKeyPairWithoutPlaintextRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
388
+ GenerateDataKeyPairWithoutPlaintextRequest.struct_class = Types::GenerateDataKeyPairWithoutPlaintextRequest
389
+
390
+ GenerateDataKeyPairWithoutPlaintextResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
391
+ GenerateDataKeyPairWithoutPlaintextResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
392
+ GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
393
+ GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
394
+ GenerateDataKeyPairWithoutPlaintextResponse.struct_class = Types::GenerateDataKeyPairWithoutPlaintextResponse
395
+
344
396
  GenerateDataKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
345
397
  GenerateDataKeyRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
346
398
  GenerateDataKeyRequest.add_member(:number_of_bytes, Shapes::ShapeRef.new(shape: NumberOfBytesType, location_name: "NumberOfBytes"))
@@ -395,6 +447,18 @@ module Aws::KMS
395
447
  GetParametersForImportResponse.add_member(:parameters_valid_to, Shapes::ShapeRef.new(shape: DateType, location_name: "ParametersValidTo"))
396
448
  GetParametersForImportResponse.struct_class = Types::GetParametersForImportResponse
397
449
 
450
+ GetPublicKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
451
+ GetPublicKeyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
452
+ GetPublicKeyRequest.struct_class = Types::GetPublicKeyRequest
453
+
454
+ GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
455
+ GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
456
+ GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
457
+ GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
458
+ GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
459
+ GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
460
+ GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
461
+
398
462
  GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
399
463
  GrantConstraints.add_member(:encryption_context_equals, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextEquals"))
400
464
  GrantConstraints.struct_class = Types::GrantConstraints
@@ -425,6 +489,9 @@ module Aws::KMS
425
489
 
426
490
  ImportKeyMaterialResponse.struct_class = Types::ImportKeyMaterialResponse
427
491
 
492
+ IncorrectKeyException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
493
+ IncorrectKeyException.struct_class = Types::IncorrectKeyException
494
+
428
495
  IncorrectKeyMaterialException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
429
496
  IncorrectKeyMaterialException.struct_class = Types::IncorrectKeyMaterialException
430
497
 
@@ -482,6 +549,9 @@ module Aws::KMS
482
549
  KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
483
550
  KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
484
551
  KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
552
+ KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
553
+ KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
554
+ KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
485
555
  KeyMetadata.struct_class = Types::KeyMetadata
486
556
 
487
557
  KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -560,14 +630,19 @@ module Aws::KMS
560
630
 
561
631
  ReEncryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
562
632
  ReEncryptRequest.add_member(:source_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "SourceEncryptionContext"))
633
+ ReEncryptRequest.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
563
634
  ReEncryptRequest.add_member(:destination_key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "DestinationKeyId"))
564
635
  ReEncryptRequest.add_member(:destination_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "DestinationEncryptionContext"))
636
+ ReEncryptRequest.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
637
+ ReEncryptRequest.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
565
638
  ReEncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
566
639
  ReEncryptRequest.struct_class = Types::ReEncryptRequest
567
640
 
568
641
  ReEncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
569
642
  ReEncryptResponse.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
570
643
  ReEncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
644
+ ReEncryptResponse.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
645
+ ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
571
646
  ReEncryptResponse.struct_class = Types::ReEncryptResponse
572
647
 
573
648
  RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
@@ -587,6 +662,20 @@ module Aws::KMS
587
662
  ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
588
663
  ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
589
664
 
665
+ SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
666
+ SignRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
667
+ SignRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
668
+ SignRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
669
+ SignRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
670
+ SignRequest.struct_class = Types::SignRequest
671
+
672
+ SignResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
673
+ SignResponse.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "Signature"))
674
+ SignResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
675
+ SignResponse.struct_class = Types::SignResponse
676
+
677
+ SigningAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: SigningAlgorithmSpec)
678
+
590
679
  Tag.add_member(:tag_key, Shapes::ShapeRef.new(shape: TagKeyType, required: true, location_name: "TagKey"))
591
680
  Tag.add_member(:tag_value, Shapes::ShapeRef.new(shape: TagValueType, required: true, location_name: "TagValue"))
592
681
  Tag.struct_class = Types::Tag
@@ -625,6 +714,19 @@ module Aws::KMS
625
714
  UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
626
715
  UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
627
716
 
717
+ VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
718
+ VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
719
+ VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
720
+ VerifyRequest.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "Signature"))
721
+ VerifyRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
722
+ VerifyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
723
+ VerifyRequest.struct_class = Types::VerifyRequest
724
+
725
+ VerifyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
726
+ VerifyResponse.add_member(:signature_valid, Shapes::ShapeRef.new(shape: BooleanType, location_name: "SignatureValid"))
727
+ VerifyResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
728
+ VerifyResponse.struct_class = Types::VerifyResponse
729
+
628
730
 
629
731
  # @api private
630
732
  API = Seahorse::Model::Api.new.tap do |api|
@@ -744,6 +846,8 @@ module Aws::KMS
744
846
  o.errors << Shapes::ShapeRef.new(shape: DisabledException)
745
847
  o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
746
848
  o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
849
+ o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
850
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
747
851
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
748
852
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
749
853
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
@@ -910,6 +1014,38 @@ module Aws::KMS
910
1014
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
911
1015
  end)
912
1016
 
1017
+ api.add_operation(:generate_data_key_pair, Seahorse::Model::Operation.new.tap do |o|
1018
+ o.name = "GenerateDataKeyPair"
1019
+ o.http_method = "POST"
1020
+ o.http_request_uri = "/"
1021
+ o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairRequest)
1022
+ o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairResponse)
1023
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1024
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1025
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1026
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1027
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1028
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1029
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1030
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1031
+ end)
1032
+
1033
+ api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
1034
+ o.name = "GenerateDataKeyPairWithoutPlaintext"
1035
+ o.http_method = "POST"
1036
+ o.http_request_uri = "/"
1037
+ o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextRequest)
1038
+ o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextResponse)
1039
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1040
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1041
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1042
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1043
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1044
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1045
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1046
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1047
+ end)
1048
+
913
1049
  api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
914
1050
  o.name = "GenerateDataKeyWithoutPlaintext"
915
1051
  o.http_method = "POST"
@@ -979,6 +1115,24 @@ module Aws::KMS
979
1115
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
980
1116
  end)
981
1117
 
1118
+ api.add_operation(:get_public_key, Seahorse::Model::Operation.new.tap do |o|
1119
+ o.name = "GetPublicKey"
1120
+ o.http_method = "POST"
1121
+ o.http_request_uri = "/"
1122
+ o.input = Shapes::ShapeRef.new(shape: GetPublicKeyRequest)
1123
+ o.output = Shapes::ShapeRef.new(shape: GetPublicKeyResponse)
1124
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1125
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1126
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1127
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1128
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1129
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
1130
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1131
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1132
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1133
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1134
+ end)
1135
+
982
1136
  api.add_operation(:import_key_material, Seahorse::Model::Operation.new.tap do |o|
983
1137
  o.name = "ImportKeyMaterial"
984
1138
  o.http_method = "POST"
@@ -1127,6 +1281,7 @@ module Aws::KMS
1127
1281
  o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1128
1282
  o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
1129
1283
  o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1284
+ o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
1130
1285
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1131
1286
  o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1132
1287
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
@@ -1176,6 +1331,21 @@ module Aws::KMS
1176
1331
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1177
1332
  end)
1178
1333
 
1334
+ api.add_operation(:sign, Seahorse::Model::Operation.new.tap do |o|
1335
+ o.name = "Sign"
1336
+ o.http_method = "POST"
1337
+ o.http_request_uri = "/"
1338
+ o.input = Shapes::ShapeRef.new(shape: SignRequest)
1339
+ o.output = Shapes::ShapeRef.new(shape: SignResponse)
1340
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1341
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1342
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1343
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1344
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1345
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1346
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1347
+ end)
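Review bot: The error list for the new `sign` operation omits `KMSInvalidStateException`, which each of the other operations added in this release (`generate_data_key_pair`, `generate_data_key_pair_without_plaintext`, `get_public_key`) declares as its final entry, and the `verify` operation in the last hunk has the same gap. If the service model does list that error for Sign and Verify, the missing line in both places would be `o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)` just before `end)`. This file looks machine-generated from the service model, so the correction presumably belongs upstream in the model rather than as a hand edit here, and I would expect the list to affect generated documentation and introspection rather than how the client raises errors, but that is worth confirming against the generator.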
1348
+
1179
1349
  api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
1180
1350
  o.name = "TagResource"
1181
1351
  o.http_method = "POST"
@@ -1222,6 +1392,7 @@ module Aws::KMS
1222
1392
  o.input = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreRequest)
1223
1393
  o.output = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreResponse)
1224
1394
  o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
1395
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNameInUseException)
1225
1396
  o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotFoundException)
1226
1397
  o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotRelatedException)
1227
1398
  o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
@@ -1242,6 +1413,21 @@ module Aws::KMS
1242
1413
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1243
1414
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1244
1415
  end)
1416
+
1417
+ api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
1418
+ o.name = "Verify"
1419
+ o.http_method = "POST"
1420
+ o.http_request_uri = "/"
1421
+ o.input = Shapes::ShapeRef.new(shape: VerifyRequest)
1422
+ o.output = Shapes::ShapeRef.new(shape: VerifyResponse)
1423
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1424
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1425
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1426
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1427
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1428
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1429
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1430
+ end)
1245
1431
  end
1246
1432
 
1247
1433
  end
@@ -218,6 +218,22 @@ module Aws::KMS
218
218
 
219
219
  end
220
220
 
221
+ class IncorrectKeyException < ServiceError
222
+
223
+ # @param [Seahorse::Client::RequestContext] context
224
+ # @param [String] message
225
+ # @param [Aws::KMS::Types::IncorrectKeyException] data
226
+ def initialize(context, message, data = Aws::EmptyStructure.new)
227
+ super(context, message, data)
228
+ end
229
+
230
+ # @return [String]
231
+ def message
232
+ @message || @data[:message]
233
+ end
234
+
235
+ end
236
+
221
237
  class IncorrectKeyMaterialException < ServiceError
222
238
 
223
239
  # @param [Seahorse::Client::RequestContext] context
@@ -360,7 +360,7 @@ module Aws::KMS
360
360
  # key_id: "KeyIdType", # required
361
361
  # grantee_principal: "PrincipalIdType", # required
362
362
  # retiring_principal: "PrincipalIdType",
363
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
363
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
364
364
  # constraints: {
365
365
  # encryption_context_subset: {
366
366
  # "EncryptionContextKey" => "EncryptionContextValue",
@@ -515,7 +515,8 @@ module Aws::KMS
515
515
  # {
516
516
  # policy: "PolicyType",
517
517
  # description: "DescriptionType",
518
- # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
518
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
519
+ # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
519
520
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
520
521
  # custom_key_store_id: "CustomKeyStoreIdType",
521
522
  # bypass_policy_lockout_safety_check: false,
@@ -571,28 +572,91 @@ module Aws::KMS
571
572
  # @return [String]
572
573
  #
573
574
  # @!attribute [rw] key_usage
574
- # The cryptographic operations for which you can use the CMK. The only
575
- # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
576
- # encrypt and decrypt data.
575
+ # Determines the cryptographic operations for which you can use the
576
+ # CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
577
+ # required only for asymmetric CMKs. You can't change the `KeyUsage`
578
+ # value after the CMK is created.
579
+ #
580
+ # Select only one valid value.
581
+ #
582
+ # * For symmetric CMKs, omit the parameter or specify
583
+ # `ENCRYPT_DECRYPT`.
584
+ #
585
+ # * For asymmetric CMKs with RSA key material, specify
586
+ # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
587
+ #
588
+ # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
589
+ # @return [String]
590
+ #
591
+ # @!attribute [rw] customer_master_key_spec
592
+ # Specifies the type of CMK to create. The `CustomerMasterKeySpec`
593
+ # determines whether the CMK contains a symmetric key or an asymmetric
594
+ # key pair. It also determines the encryption algorithms or signing
595
+ # algorithms that the CMK supports. You can't change the
596
+ # `CustomerMasterKeySpec` after the CMK is created. To further
597
+ # restrict the algorithms that can be used with the CMK, use its key
598
+ # policy or IAM policy.
599
+ #
600
+ # For help with choosing a key spec for your CMK, see [Selecting a
601
+ # Customer Master Key Spec][1] in the *AWS Key Management Service
602
+ # Developer Guide*.
603
+ #
604
+ # The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
605
+ # symmetric key.
606
+ #
607
+ # AWS KMS supports the following key specs for CMKs:
608
+ #
609
+ # * Symmetric key (default)
610
+ #
611
+ # * `SYMMETRIC_DEFAULT` (AES-256-GCM)
612
+ #
613
+ # ^
614
+ #
615
+ # * Asymmetric RSA key pairs
616
+ #
617
+ # * `RSA_2048`
618
+ #
619
+ # * `RSA_3072`
620
+ #
621
+ # * `RSA_4096`
622
+ #
623
+ # * Asymmetric NIST-recommended elliptic curve key pairs
624
+ #
625
+ # * `ECC_NIST_P256` (secp256r1)
626
+ #
627
+ # * `ECC_NIST_P384` (secp384r1)
628
+ #
629
+ # * `ECC_NIST_P521` (secp521r1)
630
+ #
631
+ # * Other asymmetric elliptic curve key pairs
632
+ #
633
+ # * `ECC_SECG_P256K1` (secp256k1), commonly used for
634
+ # cryptocurrencies.
635
+ #
636
+ # ^
637
+ #
638
+ #
639
+ #
640
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
577
641
  # @return [String]
578
642
  #
579
643
  # @!attribute [rw] origin
580
644
  # The source of the key material for the CMK. You cannot change the
581
- # origin after you create the CMK.
582
- #
583
- # The default is `AWS_KMS`, which means AWS KMS creates the key
584
- # material in its own key store.
645
+ # origin after you create the CMK. The default is `AWS_KMS`, which
646
+ # means AWS KMS creates the key material.
585
647
  #
586
648
  # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
587
649
  # without key material so that you can import key material from your
588
650
  # existing key management infrastructure. For more information about
589
651
  # importing key material into AWS KMS, see [Importing Key Material][1]
590
- # in the *AWS Key Management Service Developer Guide*.
652
+ # in the *AWS Key Management Service Developer Guide*. This value is
653
+ # valid only for symmetric CMKs.
591
654
  #
592
655
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
593
656
  # in an AWS KMS [custom key store][2] and creates its key material in
594
657
  # the associated AWS CloudHSM cluster. You must also use the
595
- # `CustomKeyStoreId` parameter to identify the custom key store.
658
+ # `CustomKeyStoreId` parameter to identify the custom key store. This
659
+ # value is valid only for symmetric CMKs.
596
660
  #
597
661
  #
598
662
  #
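Review bot: The `customer_master_key_spec` doc says the spec cannot be changed after creation but omits the lifecycle consequence that matters most: per the EnableKeyRotation doc later in this diff, asymmetric CMKs cannot use automatic key rotation, and the `origin` and `custom_key_store_id` docs in this hunk already restrict EXTERNAL, AWS_CLOUDHSM and custom key stores to symmetric CMKs. I would add, after "You can't change the CustomerMasterKeySpec after the CMK is created.": `# Choosing an asymmetric spec also rules out automatic key rotation (EnableKeyRotation), imported key material and custom key stores; rotation must then be done by creating a new CMK.` The "by creating a new CMK" half is my reading rather than something the hunk states, so confirm it before adopting. The `key_usage` bullets cover only the valid combinations; saying what happens when SIGN_VERIFY is paired with SYMMETRIC_DEFAULT would save callers a round trip.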
@@ -608,6 +672,9 @@ module Aws::KMS
608
672
  # associated with the custom key store must have at least two active
609
673
  # HSMs, each in a different Availability Zone in the Region.
610
674
  #
675
+ # This parameter is valid only for symmetric CMKs. You cannot create
676
+ # an asymmetric CMK in a custom key store.
677
+ #
611
678
  # To find the ID of a custom key store, use the
612
679
  # DescribeCustomKeyStores operation.
613
680
  #
@@ -648,12 +715,20 @@ module Aws::KMS
648
715
  #
649
716
  # @!attribute [rw] tags
650
717
  # One or more tags. Each tag consists of a tag key and a tag value.
651
- # Tag keys and tag values are both required, but tag values can be
652
- # empty (null) strings.
718
+ # Both the tag key and the tag value are required, but the tag value
719
+ # can be an empty (null) string.
720
+ #
721
+ # When you add tags to an AWS resource, AWS generates a cost
722
+ # allocation report with usage and costs aggregated by tags. For
723
+ # information about adding, changing, deleting and listing tags for
724
+ # CMKs, see [Tagging Keys][1].
725
+ #
726
+ # Use this parameter to tag the CMK when it is created. To add tags to
727
+ # an existing CMK, use the TagResource operation.
728
+ #
729
+ #
653
730
  #
654
- # Use this parameter to tag the CMK when it is created. Alternately,
655
- # you can omit this parameter and instead tag the CMK after it is
656
- # created using TagResource.
731
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
657
732
  # @return [Array<Types::Tag>]
658
733
  #
659
734
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
@@ -662,6 +737,7 @@ module Aws::KMS
662
737
  :policy,
663
738
  :description,
664
739
  :key_usage,
740
+ :customer_master_key_spec,
665
741
  :origin,
666
742
  :custom_key_store_id,
667
743
  :bypass_policy_lockout_safety_check,
@@ -862,6 +938,8 @@ module Aws::KMS
862
938
  # "EncryptionContextKey" => "EncryptionContextValue",
863
939
  # },
864
940
  # grant_tokens: ["GrantTokenType"],
941
+ # key_id: "KeyIdType",
942
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
865
943
  # }
866
944
  #
867
945
  # @!attribute [rw] ciphertext_blob
@@ -869,9 +947,20 @@ module Aws::KMS
869
947
  # @return [String]
870
948
  #
871
949
  # @!attribute [rw] encryption_context
872
- # The encryption context. If this was specified in the Encrypt
873
- # function, it must be specified here or the decryption operation will
874
- # fail. For more information, see [Encryption Context][1].
950
+ # Specifies the encryption context to use when decrypting the data. An
951
+ # encryption context is valid only for cryptographic operations with a
952
+ # symmetric CMK. The standard asymmetric encryption algorithms that
953
+ # AWS KMS uses do not support an encryption context.
954
+ #
955
+ # An *encryption context* is a collection of non-secret key-value
956
+ # pairs that represents additional authenticated data. When you use an
957
+ # encryption context to encrypt data, you must specify the same (an
958
+ # exact case-sensitive match) encryption context to decrypt the data.
959
+ # An encryption context is optional when encrypting with a symmetric
960
+ # CMK, but it is highly recommended.
961
+ #
962
+ # For more information, see [Encryption Context][1] in the *AWS Key
963
+ # Management Service Developer Guide*.
875
964
  #
876
965
  #
877
966
  #
@@ -889,30 +978,83 @@ module Aws::KMS
889
978
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
890
979
  # @return [Array<String>]
891
980
  #
981
+ # @!attribute [rw] key_id
982
+ # Specifies the customer master key (CMK) that AWS KMS will use to
983
+ # decrypt the ciphertext. Enter a key ID of the CMK that was used to
984
+ # encrypt the ciphertext.
985
+ #
986
+ # If you specify a `KeyId` value, the `Decrypt` operation succeeds
987
+ # only if the specified CMK was used to encrypt the ciphertext.
988
+ #
989
+ # This parameter is required only when the ciphertext was encrypted
990
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
991
+ # it adds to the ciphertext blob to determine which CMK was used to
992
+ # encrypt the ciphertext. However, you can use this parameter to
993
+ # ensure that a particular CMK (of any kind) is used to decrypt the
994
+ # ciphertext.
995
+ #
996
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
997
+ # name, or alias ARN. When using an alias name, prefix it with
998
+ # `"alias/"`.
999
+ #
1000
+ # For example:
1001
+ #
1002
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1003
+ #
1004
+ # * Key ARN:
1005
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1006
+ #
1007
+ # * Alias name: `alias/ExampleAlias`
1008
+ #
1009
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1010
+ #
1011
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1012
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1013
+ # @return [String]
1014
+ #
1015
+ # @!attribute [rw] encryption_algorithm
1016
+ # Specifies the encryption algorithm that will be used to decrypt the
1017
+ # ciphertext. Specify the same algorithm that was used to encrypt the
1018
+ # data. If you specify a different algorithm, the `Decrypt` operation
1019
+ # fails.
1020
+ #
1021
+ # This parameter is required only when the ciphertext was encrypted
1022
+ # under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
1023
+ # represents the only supported algorithm that is valid for symmetric
1024
+ # CMKs.
1025
+ # @return [String]
1026
+ #
892
1027
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
893
1028
  #
894
1029
  class DecryptRequest < Struct.new(
895
1030
  :ciphertext_blob,
896
1031
  :encryption_context,
897
- :grant_tokens)
1032
+ :grant_tokens,
1033
+ :key_id,
1034
+ :encryption_algorithm)
898
1035
  include Aws::Structure
899
1036
  end
900
1037
 
901
1038
  # @!attribute [rw] key_id
902
- # ARN of the key used to perform the decryption. This value is
903
- # returned if no errors are encountered during the operation.
1039
+ # The ARN of the customer master key that was used to perform the
1040
+ # decryption.
904
1041
  # @return [String]
905
1042
  #
906
1043
  # @!attribute [rw] plaintext
907
1044
  # Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
908
- # the value is Base64-encoded. Otherwise, it is not encoded.
1045
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1046
+ # @return [String]
1047
+ #
1048
+ # @!attribute [rw] encryption_algorithm
1049
+ # The encryption algorithm that was used to decrypt the ciphertext.
909
1050
  # @return [String]
910
1051
  #
911
1052
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
912
1053
  #
913
1054
  class DecryptResponse < Struct.new(
914
1055
  :key_id,
915
- :plaintext)
1056
+ :plaintext,
1057
+ :encryption_algorithm)
916
1058
  include Aws::Structure
917
1059
  end
918
1060
 
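Review bot: The `key_id` doc in DecryptRequest presents KeyId as optional for symmetric CMKs, yet it is the only way a caller can pin which CMK performs the decryption — without it, KMS picks the key from metadata embedded in the ciphertext blob, so a principal allowed to decrypt under several CMKs can be handed a ciphertext produced under a different key and unwrap a plaintext it never meant to. I would add a sentence after "ensure that a particular CMK (of any kind) is used to decrypt the ciphertext": `# Callers permitted to decrypt under more than one CMK should set KeyId on every call, so that a substituted ciphertext cannot redirect the request to another key.` Presumably the mismatch surfaces as the IncorrectKeyException added in the errors hunk above; naming it here, once confirmed against the Decrypt operation's error list (outside this hunk), would let callers handle it deliberately.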
@@ -1186,7 +1328,9 @@ module Aws::KMS
1186
1328
  # }
1187
1329
  #
1188
1330
  # @!attribute [rw] key_id
1189
- # A unique identifier for the customer master key (CMK).
1331
+ # Identifies a symmetric customer master key (CMK). You cannot enable
1332
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
1333
+ # material][2], or CMKs in a [custom key store][3].
1190
1334
  #
1191
1335
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1192
1336
  #
@@ -1199,6 +1343,12 @@ module Aws::KMS
1199
1343
  #
1200
1344
  # To get the key ID and key ARN for a CMK, use ListKeys or
1201
1345
  # DescribeKey.
1346
+ #
1347
+ #
1348
+ #
1349
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1350
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1351
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1202
1352
  # @return [String]
1203
1353
  #
1204
1354
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1282,7 +1432,9 @@ module Aws::KMS
1282
1432
  # }
1283
1433
  #
1284
1434
  # @!attribute [rw] key_id
1285
- # A unique identifier for the customer master key (CMK).
1435
+ # Identifies a symmetric customer master key (CMK). You cannot enable
1436
+ # automatic rotation of asymmetric CMKs, CMKs with imported key
1437
+ # material, or CMKs in a [custom key store][1].
1286
1438
  #
1287
1439
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1288
1440
  #
@@ -1295,6 +1447,10 @@ module Aws::KMS
1295
1447
  #
1296
1448
  # To get the key ID and key ARN for a CMK, use ListKeys or
1297
1449
  # DescribeKey.
1450
+ #
1451
+ #
1452
+ #
1453
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1298
1454
  # @return [String]
1299
1455
  #
1300
1456
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1314,6 +1470,7 @@ module Aws::KMS
1314
1470
  # "EncryptionContextKey" => "EncryptionContextValue",
1315
1471
  # },
1316
1472
  # grant_tokens: ["GrantTokenType"],
1473
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1317
1474
  # }
1318
1475
  #
1319
1476
  # @!attribute [rw] key_id
@@ -1344,10 +1501,20 @@ module Aws::KMS
1344
1501
  # @return [String]
1345
1502
  #
1346
1503
  # @!attribute [rw] encryption_context
1347
- # Name-value pair that specifies the encryption context to be used for
1348
- # authenticated encryption. If used here, the same value must be
1349
- # supplied to the `Decrypt` API or decryption will fail. For more
1350
- # information, see [Encryption Context][1].
1504
+ # Specifies the encryption context that will be used to encrypt the
1505
+ # data. An encryption context is valid only for cryptographic
1506
+ # operations with a symmetric CMK. The standard asymmetric encryption
1507
+ # algorithms that AWS KMS uses do not support an encryption context.
1508
+ #
1509
+ # An *encryption context* is a collection of non-secret key-value
1510
+ # pairs that represents additional authenticated data. When you use an
1511
+ # encryption context to encrypt data, you must specify the same (an
1512
+ # exact case-sensitive match) encryption context to decrypt the data.
1513
+ # An encryption context is optional when encrypting with a symmetric
1514
+ # CMK, but it is highly recommended.
1515
+ #
1516
+ # For more information, see [Encryption Context][1] in the *AWS Key
1517
+ # Management Service Developer Guide*.
1351
1518
  #
1352
1519
  #
1353
1520
  #
@@ -1365,37 +1532,54 @@ module Aws::KMS
1365
1532
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1366
1533
  # @return [Array<String>]
1367
1534
  #
1535
+ # @!attribute [rw] encryption_algorithm
1536
+ # Specifies the encryption algorithm that AWS KMS will use to encrypt
1537
+ # the plaintext message. The algorithm must be compatible with the CMK
1538
+ # that you specify.
1539
+ #
1540
+ # This parameter is required only for asymmetric CMKs. The default
1541
+ # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
1542
+ # CMKs. If you are using an asymmetric CMK, we recommend
1543
+ # RSAES\_OAEP\_SHA\_256.
1544
+ # @return [String]
1545
+ #
1368
1546
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
1369
1547
  #
1370
1548
  class EncryptRequest < Struct.new(
1371
1549
  :key_id,
1372
1550
  :plaintext,
1373
1551
  :encryption_context,
1374
- :grant_tokens)
1552
+ :grant_tokens,
1553
+ :encryption_algorithm)
1375
1554
  include Aws::Structure
1376
1555
  end
1377
1556
 
1378
1557
  # @!attribute [rw] ciphertext_blob
1379
1558
  # The encrypted plaintext. When you use the HTTP API or the AWS CLI,
1380
- # the value is Base64-encoded. Otherwise, it is not encoded.
1559
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1381
1560
  # @return [String]
1382
1561
  #
1383
1562
  # @!attribute [rw] key_id
1384
1563
  # The ID of the key used during encryption.
1385
1564
  # @return [String]
1386
1565
  #
1566
+ # @!attribute [rw] encryption_algorithm
1567
+ # The encryption algorithm that was used to encrypt the plaintext.
1568
+ # @return [String]
1569
+ #
1387
1570
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptResponse AWS API Documentation
1388
1571
  #
1389
1572
  class EncryptResponse < Struct.new(
1390
1573
  :ciphertext_blob,
1391
- :key_id)
1574
+ :key_id,
1575
+ :encryption_algorithm)
1392
1576
  include Aws::Structure
1393
1577
  end
1394
1578
 
1395
- # The request was rejected because the provided import token is expired.
1396
- # Use GetParametersForImport to get a new import token and public key,
1397
- # use the new public key to encrypt the key material, and then try the
1398
- # request again.
1579
+ # The request was rejected because the specified import token is
1580
+ # expired. Use GetParametersForImport to get a new import token and
1581
+ # public key, use the new public key to encrypt the key material, and
1582
+ # then try the request again.
1399
1583
  #
1400
1584
  # @!attribute [rw] message
1401
1585
  # @return [String]
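Review bot: The new `encryption_algorithm` doc on EncryptRequest recommends RSAES_OAEP_SHA_256 for asymmetric CMKs but does not say why the SHA-1 variant the enum still lists should be avoided, nor how to keep it from being selected. I would extend the paragraph: `# RSAES_OAEP_SHA_1 remains available (presumably for interoperability with existing peers); new designs should use RSAES_OAEP_SHA_256, and the CMK's key policy or IAM policy can restrict the accepted algorithms, as described under CustomerMasterKeySpec.` The `encryption_context` paragraph above states that the asymmetric algorithms do not support an encryption context; it should also say whether supplying one with an asymmetric CMK is rejected or ignored, since callers that rely on the context as additional authenticated data lose that binding when they move to an asymmetric CMK.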
@@ -1407,6 +1591,259 @@ module Aws::KMS
1407
1591
  include Aws::Structure
1408
1592
  end
1409
1593
 
1594
+ # @note When making an API call, you may pass GenerateDataKeyPairRequest
1595
+ # data as a hash:
1596
+ #
1597
+ # {
1598
+ # encryption_context: {
1599
+ # "EncryptionContextKey" => "EncryptionContextValue",
1600
+ # },
1601
+ # key_id: "KeyIdType", # required
1602
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
1603
+ # grant_tokens: ["GrantTokenType"],
1604
+ # }
1605
+ #
1606
+ # @!attribute [rw] encryption_context
1607
+ # Specifies the encryption context that will be used when encrypting
1608
+ # the private key in the data key pair.
1609
+ #
1610
+ # An *encryption context* is a collection of non-secret key-value
1611
+ # pairs that represents additional authenticated data. When you use an
1612
+ # encryption context to encrypt data, you must specify the same (an
1613
+ # exact case-sensitive match) encryption context to decrypt the data.
1614
+ # An encryption context is optional when encrypting with a symmetric
1615
+ # CMK, but it is highly recommended.
1616
+ #
1617
+ # For more information, see [Encryption Context][1] in the *AWS Key
1618
+ # Management Service Developer Guide*.
1619
+ #
1620
+ #
1621
+ #
1622
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1623
+ # @return [Hash<String,String>]
1624
+ #
1625
+ # @!attribute [rw] key_id
1626
+ # Specifies the symmetric CMK that encrypts the private key in the
1627
+ # data key pair. You cannot specify an asymmetric CMKs.
1628
+ #
1629
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1630
+ # name, or alias ARN. When using an alias name, prefix it with
1631
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1632
+ # use the key ARN or alias ARN.
1633
+ #
1634
+ # For example:
1635
+ #
1636
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1637
+ #
1638
+ # * Key ARN:
1639
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1640
+ #
1641
+ # * Alias name: `alias/ExampleAlias`
1642
+ #
1643
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1644
+ #
1645
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1646
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1647
+ # @return [String]
1648
+ #
1649
+ # @!attribute [rw] key_pair_spec
1650
+ # Determines the type of data key pair that is generated.
1651
+ #
1652
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
1653
+ # encrypt and decrypt or to sign and verify (but not both), and the
1654
+ # rule that permits you to use ECC CMKs only to sign and verify, are
1655
+ # not effective outside of AWS KMS.
1656
+ # @return [String]
1657
+ #
1658
+ # @!attribute [rw] grant_tokens
1659
+ # A list of grant tokens.
1660
+ #
1661
+ # For more information, see [Grant Tokens][1] in the *AWS Key
1662
+ # Management Service Developer Guide*.
1663
+ #
1664
+ #
1665
+ #
1666
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1667
+ # @return [Array<String>]
1668
+ #
1669
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
1670
+ #
1671
+ class GenerateDataKeyPairRequest < Struct.new(
1672
+ :encryption_context,
1673
+ :key_id,
1674
+ :key_pair_spec,
1675
+ :grant_tokens)
1676
+ include Aws::Structure
1677
+ end
1678
+
1679
+ # @!attribute [rw] private_key_ciphertext_blob
1680
+ # The encrypted copy of the private key. When you use the HTTP API or
1681
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1682
+ # Base64-encoded.
1683
+ # @return [String]
1684
+ #
1685
+ # @!attribute [rw] private_key_plaintext
1686
+ # The plaintext copy of the private key. When you use the HTTP API or
1687
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1688
+ # Base64-encoded.
1689
+ # @return [String]
1690
+ #
1691
+ # @!attribute [rw] public_key
1692
+ # The public key (in plaintext).
1693
+ # @return [String]
1694
+ #
1695
+ # @!attribute [rw] key_id
1696
+ # The identifier of the CMK that encrypted the private key.
1697
+ # @return [String]
1698
+ #
1699
+ # @!attribute [rw] key_pair_spec
1700
+ # The type of data key pair that was generated.
1701
+ # @return [String]
1702
+ #
1703
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
1704
+ #
1705
+ class GenerateDataKeyPairResponse < Struct.new(
1706
+ :private_key_ciphertext_blob,
1707
+ :private_key_plaintext,
1708
+ :public_key,
1709
+ :key_id,
1710
+ :key_pair_spec)
1711
+ include Aws::Structure
1712
+ end
1713
+
1714
+ # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
1715
+ # data as a hash:
1716
+ #
1717
+ # {
1718
+ # encryption_context: {
1719
+ # "EncryptionContextKey" => "EncryptionContextValue",
1720
+ # },
1721
+ # key_id: "KeyIdType", # required
1722
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
1723
+ # grant_tokens: ["GrantTokenType"],
1724
+ # }
1725
+ #
1726
+ # @!attribute [rw] encryption_context
1727
+ # Specifies the encryption context that will be used when encrypting
1728
+ # the private key in the data key pair.
1729
+ #
1730
+ # An *encryption context* is a collection of non-secret key-value
1731
+ # pairs that represents additional authenticated data. When you use an
1732
+ # encryption context to encrypt data, you must specify the same (an
1733
+ # exact case-sensitive match) encryption context to decrypt the data.
1734
+ # An encryption context is optional when encrypting with a symmetric
1735
+ # CMK, but it is highly recommended.
1736
+ #
1737
+ # For more information, see [Encryption Context][1] in the *AWS Key
1738
+ # Management Service Developer Guide*.
1739
+ #
1740
+ #
1741
+ #
1742
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1743
+ # @return [Hash<String,String>]
1744
+ #
1745
+ # @!attribute [rw] key_id
1746
+ # Specifies the CMK that encrypts the private key in the data key
1747
+ # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1748
+ # CMK.
1749
+ #
1750
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1751
+ # name, or alias ARN. When using an alias name, prefix it with
1752
+ # `"alias/"`.
1753
+ #
1754
+ # For example:
1755
+ #
1756
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1757
+ #
1758
+ # * Key ARN:
1759
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1760
+ #
1761
+ # * Alias name: `alias/ExampleAlias`
1762
+ #
1763
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1764
+ #
1765
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1766
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1767
+ # @return [String]
1768
+ #
1769
+ # @!attribute [rw] key_pair_spec
1770
+ # Determines the type of data key pair that is generated.
1771
+ #
1772
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
1773
+ # encrypt and decrypt or to sign and verify (but not both), and the
1774
+ # rule that permits you to use ECC CMKs only to sign and verify, are
1775
+ # not effective outside of AWS KMS.
1776
+ # @return [String]
1777
+ #
1778
+ # @!attribute [rw] grant_tokens
1779
+ # A list of grant tokens.
1780
+ #
1781
+ # For more information, see [Grant Tokens][1] in the *AWS Key
1782
+ # Management Service Developer Guide*.
1783
+ #
1784
+ #
1785
+ #
1786
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1787
+ # @return [Array<String>]
1788
+ #
1789
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
1790
+ #
1791
+ class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
1792
+ :encryption_context,
1793
+ :key_id,
1794
+ :key_pair_spec,
1795
+ :grant_tokens)
1796
+ include Aws::Structure
1797
+ end
1798
+
1799
+ # @!attribute [rw] private_key_ciphertext_blob
1800
+ # The encrypted copy of the private key. When you use the HTTP API or
1801
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1802
+ # Base64-encoded.
1803
+ # @return [String]
1804
+ #
1805
+ # @!attribute [rw] public_key
1806
+ # The public key (in plaintext).
1807
+ # @return [String]
1808
+ #
1809
+ # @!attribute [rw] key_id
1810
+ # Specifies the CMK that encrypted the private key in the data key
1811
+ # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1812
+ # CMK.
1813
+ #
1814
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1815
+ # name, or alias ARN. When using an alias name, prefix it with
1816
+ # `"alias/"`.
1817
+ #
1818
+ # For example:
1819
+ #
1820
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1821
+ #
1822
+ # * Key ARN:
1823
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1824
+ #
1825
+ # * Alias name: `alias/ExampleAlias`
1826
+ #
1827
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1828
+ #
1829
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1830
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1831
+ # @return [String]
1832
+ #
1833
+ # @!attribute [rw] key_pair_spec
1834
+ # The type of data key pair that was generated.
1835
+ # @return [String]
1836
+ #
1837
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
1838
+ #
1839
+ class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
1840
+ :private_key_ciphertext_blob,
1841
+ :public_key,
1842
+ :key_id,
1843
+ :key_pair_spec)
1844
+ include Aws::Structure
1845
+ end
1846
+
1410
1847
  # @note When making an API call, you may pass GenerateDataKeyRequest
1411
1848
  # data as a hash:
1412
1849
  #
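Review bot: The `private_key_plaintext` attribute of GenerateDataKeyPairResponse hands back a private key in the clear, but its doc says nothing about handling it, whereas the symmetric GenerateDataKeyResponse `plaintext` doc later in this diff tells callers to "remove it from memory as soon as possible". I would add the same caveat: `# Use the plaintext private key outside of KMS, then remove it from memory as soon as possible; persist only the PrivateKeyCiphertextBlob.` The `key_pair_spec` doc rightly warns that KMS's encrypt-or-sign separation "is not effective outside of AWS KMS", so it could add that the caller is responsible for not using one generated pair for both encryption and signing. Minor: "You cannot specify an asymmetric CMKs." in the `key_id` doc should read "an asymmetric CMK".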
@@ -1421,7 +1858,7 @@ module Aws::KMS
1421
1858
  # }
1422
1859
  #
1423
1860
  # @!attribute [rw] key_id
1424
- # An identifier for the CMK that encrypts the data key.
1861
+ # Identifies the symmetric CMK that encrypts the data key.
1425
1862
  #
1426
1863
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1427
1864
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1444,8 +1881,15 @@ module Aws::KMS
1444
1881
  # @return [String]
1445
1882
  #
1446
1883
  # @!attribute [rw] encryption_context
1447
- # A set of key-value pairs that represents additional authenticated
1448
- # data.
1884
+ # Specifies the encryption context that will be used when encrypting
1885
+ # the data key.
1886
+ #
1887
+ # An *encryption context* is a collection of non-secret key-value
1888
+ # pairs that represents additional authenticated data. When you use an
1889
+ # encryption context to encrypt data, you must specify the same (an
1890
+ # exact case-sensitive match) encryption context to decrypt the data.
1891
+ # An encryption context is optional when encrypting with a symmetric
1892
+ # CMK, but it is highly recommended.
1449
1893
  #
1450
1894
  # For more information, see [Encryption Context][1] in the *AWS Key
1451
1895
  # Management Service Developer Guide*.
@@ -1456,15 +1900,22 @@ module Aws::KMS
1456
1900
  # @return [Hash<String,String>]
1457
1901
  #
1458
1902
  # @!attribute [rw] number_of_bytes
1459
- # The length of the data key in bytes. For example, use the value 64
1460
- # to generate a 512-bit data key (64 bytes is 512 bits). For common
1461
- # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1462
- # you use the `KeySpec` field instead of this one.
1903
+ # Specifies the length of the data key in bytes. For example, use the
1904
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1905
+ # 128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
1906
+ # parameter.
1907
+ #
1908
+ # You must specify either the `KeySpec` or the `NumberOfBytes`
1909
+ # parameter (but not both) in every `GenerateDataKey` request.
1463
1910
  # @return [Integer]
1464
1911
  #
1465
1912
  # @!attribute [rw] key_spec
1466
- # The length of the data key. Use `AES_128` to generate a 128-bit
1467
- # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1913
+ # Specifies the length of the data key. Use `AES_128` to generate a
1914
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1915
+ # key.
1916
+ #
1917
+ # You must specify either the `KeySpec` or the `NumberOfBytes`
1918
+ # parameter (but not both) in every `GenerateDataKey` request.
1468
1919
  # @return [String]
1469
1920
  #
1470
1921
  # @!attribute [rw] grant_tokens
@@ -1491,14 +1942,15 @@ module Aws::KMS
1491
1942
 
1492
1943
  # @!attribute [rw] ciphertext_blob
1493
1944
  # The encrypted copy of the data key. When you use the HTTP API or the
1494
- # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1945
+ # AWS CLI, the value is Base64-encoded. Otherwise, it is not
1946
+ # Base64-encoded.
1495
1947
  # @return [String]
1496
1948
  #
1497
1949
  # @!attribute [rw] plaintext
1498
1950
  # The plaintext data key. When you use the HTTP API or the AWS CLI,
1499
- # the value is Base64-encoded. Otherwise, it is not encoded. Use this
1500
- # data key to encrypt your data outside of KMS. Then, remove it from
1501
- # memory as soon as possible.
1951
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1952
+ # Use this data key to encrypt your data outside of KMS. Then, remove
1953
+ # it from memory as soon as possible.
1502
1954
  # @return [String]
1503
1955
  #
1504
1956
  # @!attribute [rw] key_id
@@ -1528,8 +1980,8 @@ module Aws::KMS
1528
1980
  # }
1529
1981
  #
1530
1982
  # @!attribute [rw] key_id
1531
- # The identifier of the customer master key (CMK) that encrypts the
1532
- # data key.
1983
+ # The identifier of the symmetric customer master key (CMK) that
1984
+ # encrypts the data key.
1533
1985
  #
1534
1986
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1535
1987
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1552,8 +2004,15 @@ module Aws::KMS
1552
2004
  # @return [String]
1553
2005
  #
1554
2006
  # @!attribute [rw] encryption_context
1555
- # A set of key-value pairs that represents additional authenticated
1556
- # data.
2007
+ # Specifies the encryption context that will be used when encrypting
2008
+ # the data key.
2009
+ #
2010
+ # An *encryption context* is a collection of non-secret key-value
2011
+ # pairs that represents additional authenticated data. When you use an
2012
+ # encryption context to encrypt data, you must specify the same (an
2013
+ # exact case-sensitive match) encryption context to decrypt the data.
2014
+ # An encryption context is optional when encrypting with a symmetric
2015
+ # CMK, but it is highly recommended.
1557
2016
  #
1558
2017
  # For more information, see [Encryption Context][1] in the *AWS Key
1559
2018
  # Management Service Developer Guide*.
@@ -1599,7 +2058,7 @@ module Aws::KMS
1599
2058
 
1600
2059
  # @!attribute [rw] ciphertext_blob
1601
2060
  # The encrypted data key. When you use the HTTP API or the AWS CLI,
1602
- # the value is Base64-encoded. Otherwise, it is not encoded.
2061
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1603
2062
  # @return [String]
1604
2063
  #
1605
2064
  # @!attribute [rw] key_id
@@ -1646,7 +2105,7 @@ module Aws::KMS
1646
2105
 
1647
2106
  # @!attribute [rw] plaintext
1648
2107
  # The random byte string. When you use the HTTP API or the AWS CLI,
1649
- # the value is Base64-encoded. Otherwise, it is not encoded.
2108
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1650
2109
  # @return [String]
1651
2110
  #
1652
2111
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1756,8 +2215,8 @@ module Aws::KMS
1756
2215
  # }
1757
2216
  #
1758
2217
  # @!attribute [rw] key_id
1759
- # The identifier of the CMK into which you will import key material.
1760
- # The CMK's `Origin` must be `EXTERNAL`.
2218
+ # The identifier of the symmetric CMK into which you will import key
2219
+ # material. The `Origin` of the CMK must be `EXTERNAL`.
1761
2220
  #
1762
2221
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1763
2222
  #
@@ -1788,44 +2247,155 @@ module Aws::KMS
1788
2247
  # Only 2048-bit RSA public keys are supported.
1789
2248
  # @return [String]
1790
2249
  #
1791
- # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
2250
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
2251
+ #
2252
+ class GetParametersForImportRequest < Struct.new(
2253
+ :key_id,
2254
+ :wrapping_algorithm,
2255
+ :wrapping_key_spec)
2256
+ include Aws::Structure
2257
+ end
2258
+
2259
+ # @!attribute [rw] key_id
2260
+ # The identifier of the CMK to use in a subsequent ImportKeyMaterial
2261
+ # request. This is the same CMK specified in the
2262
+ # `GetParametersForImport` request.
2263
+ # @return [String]
2264
+ #
2265
+ # @!attribute [rw] import_token
2266
+ # The import token to send in a subsequent ImportKeyMaterial request.
2267
+ # @return [String]
2268
+ #
2269
+ # @!attribute [rw] public_key
2270
+ # The public key to use to encrypt the key material before importing
2271
+ # it with ImportKeyMaterial.
2272
+ # @return [String]
2273
+ #
2274
+ # @!attribute [rw] parameters_valid_to
2275
+ # The time at which the import token and public key are no longer
2276
+ # valid. After this time, you cannot use them to make an
2277
+ # ImportKeyMaterial request and you must send another
2278
+ # `GetParametersForImport` request to get new ones.
2279
+ # @return [Time]
2280
+ #
2281
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
2282
+ #
2283
+ class GetParametersForImportResponse < Struct.new(
2284
+ :key_id,
2285
+ :import_token,
2286
+ :public_key,
2287
+ :parameters_valid_to)
2288
+ include Aws::Structure
2289
+ end
2290
+
2291
+ # @note When making an API call, you may pass GetPublicKeyRequest
2292
+ # data as a hash:
2293
+ #
2294
+ # {
2295
+ # key_id: "KeyIdType", # required
2296
+ # grant_tokens: ["GrantTokenType"],
2297
+ # }
2298
+ #
2299
+ # @!attribute [rw] key_id
2300
+ # Identifies the asymmetric CMK that includes the public key.
2301
+ #
2302
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2303
+ # name, or alias ARN. When using an alias name, prefix it with
2304
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
2305
+ # use the key ARN or alias ARN.
2306
+ #
2307
+ # For example:
2308
+ #
2309
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
2310
+ #
2311
+ # * Key ARN:
2312
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
2313
+ #
2314
+ # * Alias name: `alias/ExampleAlias`
2315
+ #
2316
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
2317
+ #
2318
+ # To get the key ID and key ARN for a CMK, use ListKeys or
2319
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
2320
+ # @return [String]
2321
+ #
2322
+ # @!attribute [rw] grant_tokens
2323
+ # A list of grant tokens.
2324
+ #
2325
+ # For more information, see [Grant Tokens][1] in the *AWS Key
2326
+ # Management Service Developer Guide*.
2327
+ #
2328
+ #
2329
+ #
2330
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2331
+ # @return [Array<String>]
1792
2332
  #
1793
- class GetParametersForImportRequest < Struct.new(
2333
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
2334
+ #
2335
+ class GetPublicKeyRequest < Struct.new(
1794
2336
  :key_id,
1795
- :wrapping_algorithm,
1796
- :wrapping_key_spec)
2337
+ :grant_tokens)
1797
2338
  include Aws::Structure
1798
2339
  end
1799
2340
 
1800
2341
  # @!attribute [rw] key_id
1801
- # The identifier of the CMK to use in a subsequent ImportKeyMaterial
1802
- # request. This is the same CMK specified in the
1803
- # `GetParametersForImport` request.
2342
+ # The identifier of the asymmetric CMK from which the public key was
2343
+ # downloaded.
1804
2344
  # @return [String]
1805
2345
  #
1806
- # @!attribute [rw] import_token
1807
- # The import token to send in a subsequent ImportKeyMaterial request.
2346
+ # @!attribute [rw] public_key
2347
+ # The exported public key.
2348
+ #
2349
+ # This value is returned as a binary [Distinguished Encoding Rules][1]
2350
+ # (DER)-encoded object. To decode it, use an ASN.1 parsing tool, such
2351
+ # as [OpenSSL asn1parse][2].
2352
+ #
2353
+ #
2354
+ #
2355
+ # [1]: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
2356
+ # [2]: https://www.openssl.org/docs/man1.0.2/man1/asn1parse.html
1808
2357
  # @return [String]
1809
2358
  #
1810
- # @!attribute [rw] public_key
1811
- # The public key to use to encrypt the key material before importing
1812
- # it with ImportKeyMaterial.
2359
+ # @!attribute [rw] customer_master_key_spec
2360
+ # The type of the of the public key that was downloaded.
1813
2361
  # @return [String]
1814
2362
  #
1815
- # @!attribute [rw] parameters_valid_to
1816
- # The time at which the import token and public key are no longer
1817
- # valid. After this time, you cannot use them to make an
1818
- # ImportKeyMaterial request and you must send another
1819
- # `GetParametersForImport` request to get new ones.
1820
- # @return [Time]
2363
+ # @!attribute [rw] key_usage
2364
+ # The permitted use of the public key. Valid values are
2365
+ # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
1821
2366
  #
1822
- # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
2367
+ # This information is critical. If a public key with `SIGN_VERIFY` key
2368
+ # usage encrypts data outside of AWS KMS, the ciphertext cannot be
2369
+ # decrypted.
2370
+ # @return [String]
1823
2371
  #
1824
- class GetParametersForImportResponse < Struct.new(
2372
+ # @!attribute [rw] encryption_algorithms
2373
+ # The encryption algorithms that AWS KMS supports for this key.
2374
+ #
2375
+ # This information is critical. If a public key encrypts data outside
2376
+ # of AWS KMS by using an unsupported encryption algorithm, the
2377
+ # ciphertext cannot be decrypted.
2378
+ #
2379
+ # This field appears in the response only when the `KeyUsage` of the
2380
+ # public key is `ENCRYPT_DECRYPT`.
2381
+ # @return [Array<String>]
2382
+ #
2383
+ # @!attribute [rw] signing_algorithms
2384
+ # The signing algorithms that AWS KMS supports for this key.
2385
+ #
2386
+ # This field appears in the response only when the `KeyUsage` of the
2387
+ # public key is `SIGN_VERIFY`.
2388
+ # @return [Array<String>]
2389
+ #
2390
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
2391
+ #
2392
+ class GetPublicKeyResponse < Struct.new(
1825
2393
  :key_id,
1826
- :import_token,
1827
2394
  :public_key,
1828
- :parameters_valid_to)
2395
+ :customer_master_key_spec,
2396
+ :key_usage,
2397
+ :encryption_algorithms,
2398
+ :signing_algorithms)
1829
2399
  include Aws::Structure
1830
2400
  end
1831
2401
 
@@ -1974,8 +2544,10 @@ module Aws::KMS
1974
2544
  # }
1975
2545
  #
1976
2546
  # @!attribute [rw] key_id
1977
- # The identifier of the CMK to import the key material into. The
1978
- # CMK's `Origin` must be `EXTERNAL`.
2547
+ # The identifier of the symmetric CMK that receives the imported key
2548
+ # material. The CMK's `Origin` must be `EXTERNAL`. This must be the
2549
+ # same CMK specified in the `KeyID` parameter of the corresponding
2550
+ # GetParametersForImport request.
1979
2551
  #
1980
2552
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1981
2553
  #
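Review bot: The new `key_id` text for ImportKeyMaterialRequest refers to "the `KeyID` parameter of the corresponding GetParametersForImport request", but the parameter is spelled `KeyId` everywhere else in this file (for example in the IncorrectKeyException text added further down), so the casing should be `KeyId` to match. The sentence is otherwise a useful binding between the two calls; it would be worth adding that the import token and public wrapping key are also tied to that same CMK, since the response they came from is what `ImportKeyMaterial` validates against — presumably, confirm against the service behaviour. The enclosing `ImportKeyMaterialRequest` class starts and ends outside this hunk.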
@@ -1998,10 +2570,10 @@ module Aws::KMS
1998
2570
  # @return [String]
1999
2571
  #
2000
2572
  # @!attribute [rw] encrypted_key_material
2001
- # The encrypted key material to import. It must be encrypted with the
2002
- # public key that you received in the response to a previous
2003
- # GetParametersForImport request, using the wrapping algorithm that
2004
- # you specified in that request.
2573
+ # The encrypted key material to import. The key material must be
2574
+ # encrypted with the public wrapping key that GetParametersForImport
2575
+ # returned, using the wrapping algorithm that you specified in the
2576
+ # same `GetParametersForImport` request.
2005
2577
  # @return [String]
2006
2578
  #
2007
2579
  # @!attribute [rw] valid_to
@@ -2035,9 +2607,24 @@ module Aws::KMS
2035
2607
  #
2036
2608
  class ImportKeyMaterialResponse < Aws::EmptyStructure; end
2037
2609
 
2038
- # The request was rejected because the provided key material is invalid
2039
- # or is not the same key material that was previously imported into this
2040
- # customer master key (CMK).
2610
+ # The request was rejected because the specified CMK cannot decrypt the
2611
+ # data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
2612
+ # ReEncrypt request must identify the same CMK that was used to encrypt
2613
+ # the ciphertext.
2614
+ #
2615
+ # @!attribute [rw] message
2616
+ # @return [String]
2617
+ #
2618
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectKeyException AWS API Documentation
2619
+ #
2620
+ class IncorrectKeyException < Struct.new(
2621
+ :message)
2622
+ include Aws::Structure
2623
+ end
2624
+
2625
+ # The request was rejected because the key material in the request is,
2626
+ # expired, invalid, or is not the same key material that was previously
2627
+ # imported into this customer master key (CMK).
2041
2628
  #
2042
2629
  # @!attribute [rw] message
2043
2630
  # @return [String]
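Review bot: The description of the second exception at the bottom of the hunk has a stray comma: `key material in the request is, expired, invalid, or is not the same key material` should read `key material in the request is expired, invalid, or is not the same key material`. More importantly for callers, this hunk introduces `IncorrectKeyException` as a distinct error for a Decrypt/ReEncrypt whose `KeyId`/`SourceKeyId` does not match the CMK that produced the ciphertext; code that previously relied on rescuing the ciphertext-validity error for that mismatch will presumably no longer see it, so a one-line note such as `# Raised instead of a generic ciphertext error when the named CMK is not the one that encrypted the data.` would help readers migrating rescue clauses — confirm the old behaviour before asserting it. The exception class that follows the second description lies outside the hunk.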
@@ -2096,10 +2683,13 @@ module Aws::KMS
2096
2683
  include Aws::Structure
2097
2684
  end
2098
2685
 
2099
- # The request was rejected because the specified ciphertext, or
2100
- # additional authenticated data incorporated into the ciphertext, such
2101
- # as the encryption context, is corrupted, missing, or otherwise
2102
- # invalid.
2686
+ # From the Decrypt or ReEncrypt operation, the request was rejected
2687
+ # because the specified ciphertext, or additional authenticated data
2688
+ # incorporated into the ciphertext, such as the encryption context, is
2689
+ # corrupted, missing, or otherwise invalid.
2690
+ #
2691
+ # From the ImportKeyMaterial operation, the request was rejected because
2692
+ # AWS KMS could not decrypt the encrypted (wrapped) key material.
2103
2693
  #
2104
2694
  # @!attribute [rw] message
2105
2695
  # @return [String]
@@ -2149,8 +2739,22 @@ module Aws::KMS
2149
2739
  include Aws::Structure
2150
2740
  end
2151
2741
 
2152
- # The request was rejected because the specified `KeySpec` value is not
2153
- # valid.
2742
+ # The request was rejected for one of the following reasons:
2743
+ #
2744
+ # * The `KeyUsage` value of the CMK is incompatible with the API
2745
+ # operation.
2746
+ #
2747
+ # * The encryption algorithm or signing algorithm specified for the
2748
+ # operation is incompatible with the type of key material in the CMK
2749
+ # `(CustomerMasterKeySpec`).
2750
+ #
2751
+ # For encrypting, decrypting, re-encrypting, and generating data keys,
2752
+ # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
2753
+ # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK,
2754
+ # use the DescribeKey operation.
2755
+ #
2756
+ # To find the encryption or signing algorithms supported for a
2757
+ # particular CMK, use the DescribeKey operation.
2154
2758
  #
2155
2759
  # @!attribute [rw] message
2156
2760
  # @return [String]
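Review bot: The second bullet of the new exception description has the backticks misplaced: `` `(CustomerMasterKeySpec`) `` renders the parenthesis inside the code span; it should be `` (`CustomerMasterKeySpec`) `` so the identifier alone is formatted as code, matching how `KeyUsage` is quoted in the same paragraph. The rest of the text is clear and the pointer to DescribeKey for both `KeyUsage` and the supported algorithm lists is the right guidance. The exception class this comment documents begins outside the hunk.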
@@ -2192,8 +2796,8 @@ module Aws::KMS
2192
2796
  # is not valid for this request.
2193
2797
  #
2194
2798
  # For more information about how key state affects the use of a CMK, see
2195
- # [How Key State Affects Use of a Customer Master Key][1] in the *AWS
2196
- # Key Management Service Developer Guide*.
2799
+ # [How Key State Affects Use of a Customer Master Key][1] in the <i>
2800
+ # <i>AWS Key Management Service Developer Guide</i> </i>.
2197
2801
  #
2198
2802
  #
2199
2803
  #
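Review bot: The rewritten reference line nests two `<i>` tags around the guide title (`<i> <i>AWS Key Management Service Developer Guide</i> </i>`), which is redundant and produces stray spaces inside the italics; every other reference in this file uses Markdown emphasis, e.g. `# [How Key State Affects Use of a Customer Master Key][1] in the *AWS` followed by `# Key Management Service Developer Guide*.`, and this block should use the same form. This looks like a doc-generator artefact rather than an intentional change, so it is worth fixing at the source of the generated text as well. The enclosing exception class starts and ends outside the hunk.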
@@ -2264,9 +2868,7 @@ module Aws::KMS
2264
2868
  # @return [String]
2265
2869
  #
2266
2870
  # @!attribute [rw] key_usage
2267
- # The cryptographic operations for which you can use the CMK. The only
2268
- # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
2269
- # encrypt and decrypt data.
2871
+ # The cryptographic operations for which you can use the CMK.
2270
2872
  # @return [String]
2271
2873
  #
2272
2874
  # @!attribute [rw] key_state
@@ -2342,6 +2944,26 @@ module Aws::KMS
2342
2944
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
2343
2945
  # @return [String]
2344
2946
  #
2947
+ # @!attribute [rw] customer_master_key_spec
2948
+ # Describes the type of key material in the CMK.
2949
+ # @return [String]
2950
+ #
2951
+ # @!attribute [rw] encryption_algorithms
2952
+ # A list of encryption algorithms that the CMK supports. You cannot
2953
+ # use the CMK with other encryption algorithms within AWS KMS.
2954
+ #
2955
+ # This field appears only when the `KeyUsage` of the CMK is
2956
+ # `ENCRYPT_DECRYPT`.
2957
+ # @return [Array<String>]
2958
+ #
2959
+ # @!attribute [rw] signing_algorithms
2960
+ # A list of signing algorithms that the CMK supports. You cannot use
2961
+ # the CMK with other signing algorithms within AWS KMS.
2962
+ #
2963
+ # This field appears only when the `KeyUsage` of the CMK is
2964
+ # `SIGN_VERIFY`.
2965
+ # @return [Array<String>]
2966
+ #
2345
2967
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
2346
2968
  #
2347
2969
  class KeyMetadata < Struct.new(
@@ -2359,12 +2981,15 @@ module Aws::KMS
2359
2981
  :custom_key_store_id,
2360
2982
  :cloud_hsm_cluster_id,
2361
2983
  :expiration_model,
2362
- :key_manager)
2984
+ :key_manager,
2985
+ :customer_master_key_spec,
2986
+ :encryption_algorithms,
2987
+ :signing_algorithms)
2363
2988
  include Aws::Structure
2364
2989
  end
2365
2990
 
2366
2991
  # The request was rejected because the specified CMK was not available.
2367
- # The request can be retried.
2992
+ # You can retry the request.
2368
2993
  #
2369
2994
  # @!attribute [rw] message
2370
2995
  # @return [String]
@@ -2929,10 +3554,13 @@ module Aws::KMS
2929
3554
  # source_encryption_context: {
2930
3555
  # "EncryptionContextKey" => "EncryptionContextValue",
2931
3556
  # },
3557
+ # source_key_id: "KeyIdType",
2932
3558
  # destination_key_id: "KeyIdType", # required
2933
3559
  # destination_encryption_context: {
2934
3560
  # "EncryptionContextKey" => "EncryptionContextValue",
2935
3561
  # },
3562
+ # source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
3563
+ # destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
2936
3564
  # grant_tokens: ["GrantTokenType"],
2937
3565
  # }
2938
3566
  #
@@ -2941,12 +3569,64 @@ module Aws::KMS
2941
3569
  # @return [String]
2942
3570
  #
2943
3571
  # @!attribute [rw] source_encryption_context
2944
- # Encryption context used to encrypt and decrypt the data specified in
2945
- # the `CiphertextBlob` parameter.
3572
+ # Specifies the encryption context to use to decrypt the ciphertext.
3573
+ # Enter the same encryption context that was used to encrypt the
3574
+ # ciphertext.
3575
+ #
3576
+ # An *encryption context* is a collection of non-secret key-value
3577
+ # pairs that represents additional authenticated data. When you use an
3578
+ # encryption context to encrypt data, you must specify the same (an
3579
+ # exact case-sensitive match) encryption context to decrypt the data.
3580
+ # An encryption context is optional when encrypting with a symmetric
3581
+ # CMK, but it is highly recommended.
3582
+ #
3583
+ # For more information, see [Encryption Context][1] in the *AWS Key
3584
+ # Management Service Developer Guide*.
3585
+ #
3586
+ #
3587
+ #
3588
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2946
3589
  # @return [Hash<String,String>]
2947
3590
  #
3591
+ # @!attribute [rw] source_key_id
3592
+ # A unique identifier for the CMK that is used to decrypt the
3593
+ # ciphertext before it reencrypts it using the destination CMK.
3594
+ #
3595
+ # This parameter is required only when the ciphertext was encrypted
3596
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
3597
+ # it adds to the ciphertext blob to determine which CMK was used to
3598
+ # encrypt the ciphertext. However, you can use this parameter to
3599
+ # ensure that a particular CMK (of any kind) is used to decrypt the
3600
+ # ciphertext before it is reencrypted.
3601
+ #
3602
+ # If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
3603
+ # operation succeeds only if the specified CMK was used to encrypt the
3604
+ # ciphertext.
3605
+ #
3606
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3607
+ # name, or alias ARN. When using an alias name, prefix it with
3608
+ # `"alias/"`.
3609
+ #
3610
+ # For example:
3611
+ #
3612
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3613
+ #
3614
+ # * Key ARN:
3615
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3616
+ #
3617
+ # * Alias name: `alias/ExampleAlias`
3618
+ #
3619
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3620
+ #
3621
+ # To get the key ID and key ARN for a CMK, use ListKeys or
3622
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3623
+ # @return [String]
3624
+ #
2948
3625
  # @!attribute [rw] destination_key_id
2949
3626
  # A unique identifier for the CMK that is used to reencrypt the data.
3627
+ # Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
3628
+ # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
3629
+ # DescribeKey operation.
2950
3630
  #
2951
3631
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2952
3632
  # name, or alias ARN. When using an alias name, prefix it with
@@ -2969,9 +3649,51 @@ module Aws::KMS
2969
3649
  # @return [String]
2970
3650
  #
2971
3651
  # @!attribute [rw] destination_encryption_context
2972
- # Encryption context to use when the data is reencrypted.
3652
+ # Specifies that encryption context to use when the reencrypting the
3653
+ # data.
3654
+ #
3655
+ # A destination encryption context is valid only when the destination
3656
+ # CMK is a symmetric CMK. The standard ciphertext format for
3657
+ # asymmetric CMKs does not include fields for metadata.
3658
+ #
3659
+ # An *encryption context* is a collection of non-secret key-value
3660
+ # pairs that represents additional authenticated data. When you use an
3661
+ # encryption context to encrypt data, you must specify the same (an
3662
+ # exact case-sensitive match) encryption context to decrypt the data.
3663
+ # An encryption context is optional when encrypting with a symmetric
3664
+ # CMK, but it is highly recommended.
3665
+ #
3666
+ # For more information, see [Encryption Context][1] in the *AWS Key
3667
+ # Management Service Developer Guide*.
3668
+ #
3669
+ #
3670
+ #
3671
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2973
3672
  # @return [Hash<String,String>]
2974
3673
  #
3674
+ # @!attribute [rw] source_encryption_algorithm
3675
+ # Specifies the encryption algorithm that AWS KMS will use to decrypt
3676
+ # the ciphertext before it is reencrypted. The default value,
3677
+ # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
3678
+ # CMKs.
3679
+ #
3680
+ # Specify the same algorithm that was used to encrypt the ciphertext.
3681
+ # If you specify a different algorithm, the decrypt attempt fails.
3682
+ #
3683
+ # This parameter is required only when the ciphertext was encrypted
3684
+ # under an asymmetric CMK.
3685
+ # @return [String]
3686
+ #
3687
+ # @!attribute [rw] destination_encryption_algorithm
3688
+ # Specifies the encryption algorithm that AWS KMS will use to reecrypt
3689
+ # the data after it has decrypted it. The default value,
3690
+ # `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
3691
+ # symmetric CMKs.
3692
+ #
3693
+ # This parameter is required only when the destination CMK is an
3694
+ # asymmetric CMK.
3695
+ # @return [String]
3696
+ #
2975
3697
  # @!attribute [rw] grant_tokens
2976
3698
  # A list of grant tokens.
2977
3699
  #
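Review bot: The `destination_encryption_context` text says a destination context "is valid only when the destination CMK is a symmetric CMK" but does not say what happens when one is supplied with an asymmetric destination — whether the request is rejected or the context is silently dropped — and a caller reading only this paragraph could assume the pairs are bound into the ciphertext as additional authenticated data when they are not; a sentence such as `# If you supply a destination encryption context with an asymmetric destination CMK the request fails (presumably — confirm against the service).` would close that gap. Two wording fixes in the same hunk: `Specifies that encryption context to use when the reencrypting the data` should read `Specifies the encryption context to use when reencrypting the data`, and `reecrypt` in the `destination_encryption_algorithm` text should be `reencrypt`. The `ReEncryptRequest` class these attributes belong to continues outside the hunk.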
@@ -2988,15 +3710,18 @@ module Aws::KMS
2988
3710
  class ReEncryptRequest < Struct.new(
2989
3711
  :ciphertext_blob,
2990
3712
  :source_encryption_context,
3713
+ :source_key_id,
2991
3714
  :destination_key_id,
2992
3715
  :destination_encryption_context,
3716
+ :source_encryption_algorithm,
3717
+ :destination_encryption_algorithm,
2993
3718
  :grant_tokens)
2994
3719
  include Aws::Structure
2995
3720
  end
2996
3721
 
2997
3722
  # @!attribute [rw] ciphertext_blob
2998
3723
  # The reencrypted data. When you use the HTTP API or the AWS CLI, the
2999
- # value is Base64-encoded. Otherwise, it is not encoded.
3724
+ # value is Base64-encoded. Otherwise, it is not Base64-encoded.
3000
3725
  # @return [String]
3001
3726
  #
3002
3727
  # @!attribute [rw] source_key_id
@@ -3007,12 +3732,23 @@ module Aws::KMS
3007
3732
  # Unique identifier of the CMK used to reencrypt the data.
3008
3733
  # @return [String]
3009
3734
  #
3735
+ # @!attribute [rw] source_encryption_algorithm
3736
+ # The encryption algorithm that was used to decrypt the ciphertext
3737
+ # before it was reencrypted.
3738
+ # @return [String]
3739
+ #
3740
+ # @!attribute [rw] destination_encryption_algorithm
3741
+ # The encryption algorithm that was used to reencrypt the data.
3742
+ # @return [String]
3743
+ #
3010
3744
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
3011
3745
  #
3012
3746
  class ReEncryptResponse < Struct.new(
3013
3747
  :ciphertext_blob,
3014
3748
  :source_key_id,
3015
- :key_id)
3749
+ :key_id,
3750
+ :source_encryption_algorithm,
3751
+ :destination_encryption_algorithm)
3016
3752
  include Aws::Structure
3017
3753
  end
3018
3754
 
@@ -3151,6 +3887,108 @@ module Aws::KMS
3151
3887
  include Aws::Structure
3152
3888
  end
3153
3889
 
3890
+ # @note When making an API call, you may pass SignRequest
3891
+ # data as a hash:
3892
+ #
3893
+ # {
3894
+ # key_id: "KeyIdType", # required
3895
+ # message: "data", # required
3896
+ # message_type: "RAW", # accepts RAW, DIGEST
3897
+ # grant_tokens: ["GrantTokenType"],
3898
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
3899
+ # }
3900
+ #
3901
+ # @!attribute [rw] key_id
3902
+ # Identifies an asymmetric CMK. AWS KMS uses the private key in the
3903
+ # asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
3904
+ # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
3905
+ # DescribeKey operation.
3906
+ #
3907
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3908
+ # name, or alias ARN. When using an alias name, prefix it with
3909
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
3910
+ # use the key ARN or alias ARN.
3911
+ #
3912
+ # For example:
3913
+ #
3914
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3915
+ #
3916
+ # * Key ARN:
3917
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3918
+ #
3919
+ # * Alias name: `alias/ExampleAlias`
3920
+ #
3921
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3922
+ #
3923
+ # To get the key ID and key ARN for a CMK, use ListKeys or
3924
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3925
+ # @return [String]
3926
+ #
3927
+ # @!attribute [rw] message
3928
+ # Specifies the message or message digest to sign. Messages can be
3929
+ # 0-4096 bytes. To sign a larger message, provide the message digest.
3930
+ #
3931
+ # If you provide a message, AWS KMS generates a hash digest of the
3932
+ # message and then signs it.
3933
+ # @return [String]
3934
+ #
3935
+ # @!attribute [rw] message_type
3936
+ # Tells AWS KMS whether the value of the `Message` parameter is a
3937
+ # message or message digest. To indicate a message, enter `RAW`. To
3938
+ # indicate a message digest, enter `DIGEST`.
3939
+ # @return [String]
3940
+ #
3941
+ # @!attribute [rw] grant_tokens
3942
+ # A list of grant tokens.
3943
+ #
3944
+ # For more information, see [Grant Tokens][1] in the *AWS Key
3945
+ # Management Service Developer Guide*.
3946
+ #
3947
+ #
3948
+ #
3949
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
3950
+ # @return [Array<String>]
3951
+ #
3952
+ # @!attribute [rw] signing_algorithm
3953
+ # Specifies the signing algorithm to use when signing the message.
3954
+ #
3955
+ # Choose an algorithm that is compatible with the type and size of the
3956
+ # specified asymmetric CMK.
3957
+ # @return [String]
3958
+ #
3959
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
3960
+ #
3961
+ class SignRequest < Struct.new(
3962
+ :key_id,
3963
+ :message,
3964
+ :message_type,
3965
+ :grant_tokens,
3966
+ :signing_algorithm)
3967
+ include Aws::Structure
3968
+ end
3969
+
3970
+ # @!attribute [rw] key_id
3971
+ # The Amazon Resource Name (ARN) of the asymmetric CMK that was used
3972
+ # to sign the message.
3973
+ # @return [String]
3974
+ #
3975
+ # @!attribute [rw] signature
3976
+ # The cryptographic signature that was generated for the message.
3977
+ # @return [String]
3978
+ #
3979
+ # @!attribute [rw] signing_algorithm
3980
+ # The signing algorithm that was used to sign the message.
3981
+ # @return [String]
3982
+ #
3983
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignResponse AWS API Documentation
3984
+ #
3985
+ class SignResponse < Struct.new(
3986
+ :key_id,
3987
+ :signature,
3988
+ :signing_algorithm)
3989
+ include Aws::Structure
3990
+ end
3991
+
3154
3992
  # A key-value pair. A tag consists of a tag key and a tag value. Tag
3155
3993
  # keys and tag values are both required, but tag values can be empty
3156
3994
  # (null) strings.
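Review bot: The `message_type` documentation on SignRequest does not say which hash the caller must use when passing `DIGEST`, nor which value is the default; since every `signing_algorithm` value in the hash example names a hash (`…_SHA_256`, `…_SHA_384`, `…_SHA_512`), the digest presumably has to be produced with that same function, and readers should be told so rather than discovering a verification failure later — something like `# When `DIGEST`, the value must be the digest produced by the hash named in `SigningAlgorithm` (for example SHA-256 for `RSASSA_PSS_SHA_256`); the default is `RAW` — confirm.` A related caveat worth one sentence on `message`: with `DIGEST`, KMS signs whatever digest the caller supplies, so any principal granted `kms:Sign` on the key can obtain a signature over an arbitrary hash, which matters when scoping key policies and grants. The 0–4096 byte limit on `message` is stated only in prose; pointing out that larger payloads must be hashed client-side before calling Sign (as the text implies) would make the constraint explicit.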
@@ -3298,15 +4136,20 @@ module Aws::KMS
3298
4136
  # }
3299
4137
  #
3300
4138
  # @!attribute [rw] alias_name
3301
- # Specifies the name of the alias to change. This value must begin
4139
+ # Identifies the alias that is changing its CMK. This value must begin
3302
4140
  # with `alias/` followed by the alias name, such as
3303
- # `alias/ExampleAlias`.
4141
+ # `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
4142
+ # name.
3304
4143
  # @return [String]
3305
4144
  #
3306
4145
  # @!attribute [rw] target_key_id
3307
- # Unique identifier of the customer master key (CMK) to be mapped to
3308
- # the alias. When the update operation completes, the alias will point
3309
- # to this CMK.
4146
+ # Identifies the CMK to associate with the alias. When the update
4147
+ # operation completes, the alias will point to this CMK.
4148
+ #
4149
+ # The CMK must be in the same AWS account and Region as the alias.
4150
+ # Also, the new target CMK must be the same type as the current target
4151
+ # CMK (both symmetric or both asymmetric) and they must have the same
4152
+ # key usage.
3310
4153
  #
3311
4154
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3312
4155
  #
@@ -3431,5 +4274,118 @@ module Aws::KMS
3431
4274
  include Aws::Structure
3432
4275
  end
3433
4276
 
4277
+ # @note When making an API call, you may pass VerifyRequest
4278
+ # data as a hash:
4279
+ #
4280
+ # {
4281
+ # key_id: "KeyIdType", # required
4282
+ # message: "data", # required
4283
+ # message_type: "RAW", # accepts RAW, DIGEST
4284
+ # signature: "data", # required
4285
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
4286
+ # grant_tokens: ["GrantTokenType"],
4287
+ # }
4288
+ #
4289
+ # @!attribute [rw] key_id
4290
+ # Identifies the asymmetric CMK that will be used to verify the
4291
+ # signature. This must be the same CMK that was used to generate the
4292
+ # signature. If you specify a different CMK, the value of the
4293
+ # `SignatureValid` field in the response will be `False`.
4294
+ #
4295
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4296
+ # name, or alias ARN. When using an alias name, prefix it with
4297
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
4298
+ # use the key ARN or alias ARN.
4299
+ #
4300
+ # For example:
4301
+ #
4302
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4303
+ #
4304
+ # * Key ARN:
4305
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4306
+ #
4307
+ # * Alias name: `alias/ExampleAlias`
4308
+ #
4309
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
4310
+ #
4311
+ # To get the key ID and key ARN for a CMK, use ListKeys or
4312
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
4313
+ # @return [String]
4314
+ #
4315
+ # @!attribute [rw] message
4316
+ # Specifies the message that was signed, or a hash digest of that
4317
+ # message. Messages can be 0-4096 bytes. To verify a larger message,
4318
+ # provide a hash digest of the message.
4319
+ #
4320
+ # If the digest of the message specified here is different from the
4321
+ # message digest that was signed, the `SignatureValid` value in the
4322
+ # response will be `False`.
4323
+ # @return [String]
4324
+ #
4325
+ # @!attribute [rw] message_type
4326
+ # Tells AWS KMS whether the value of the `Message` parameter is a
4327
+ # message or message digest. To indicate a message, enter `RAW`. To
4328
+ # indicate a message digest, enter `DIGEST`.
4329
+ # @return [String]
4330
+ #
4331
+ # @!attribute [rw] signature
4332
+ # The signature that the `Sign` operation generated.
4333
+ # @return [String]
4334
+ #
4335
+ # @!attribute [rw] signing_algorithm
4336
+ # The signing algorithm that was used to sign the message. If you
4337
+ # submit a different algorithm, the value of the `SignatureValid`
4338
+ # field in the response will be `False`.
4339
+ # @return [String]
4340
+ #
4341
+ # @!attribute [rw] grant_tokens
4342
+ # A list of grant tokens.
4343
+ #
4344
+ # For more information, see [Grant Tokens][1] in the *AWS Key
4345
+ # Management Service Developer Guide*.
4346
+ #
4347
+ #
4348
+ #
4349
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
4350
+ # @return [Array<String>]
4351
+ #
4352
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
4353
+ #
4354
+ class VerifyRequest < Struct.new(
4355
+ :key_id,
4356
+ :message,
4357
+ :message_type,
4358
+ :signature,
4359
+ :signing_algorithm,
4360
+ :grant_tokens)
4361
+ include Aws::Structure
4362
+ end
4363
+
4364
+ # @!attribute [rw] key_id
4365
+ # The unique identifier for the asymmetric CMK that was used to verify
4366
+ # the signature.
4367
+ # @return [String]
4368
+ #
4369
+ # @!attribute [rw] signature_valid
4370
+ # A Boolean value that indicates whether the signature was verified. A
4371
+ # value of True indicates that the `Signature` was produced by signing
4372
+ # the `Message` with the specified KeyID and `SigningAlgorithm.` A
4373
+ # value of False indicates that the message, the algorithm, or the key
4374
+ # changed since the message was signed.
4375
+ # @return [Boolean]
4376
+ #
4377
+ # @!attribute [rw] signing_algorithm
4378
+ # The signing algorithm that was used to verify the signature.
4379
+ # @return [String]
4380
+ #
4381
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyResponse AWS API Documentation
4382
+ #
4383
+ class VerifyResponse < Struct.new(
4384
+ :key_id,
4385
+ :signature_valid,
4386
+ :signing_algorithm)
4387
+ include Aws::Structure
4388
+ end
4389
+
3434
4390
  end
3435
4391
  end