aws-sdk-kms 1.26.0 → 1.27.0

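--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: d59aaf932f27931fc311148bfc796c86df64701d
- data.tar.gz: ac1dad7855119f6cddf454fc003e119c2df422dd
+ metadata.gz: 6a983aaa03a80ed7188f61a1bab13d7bcddf5701
+ data.tar.gz: 155fd553e0ddd8cb820d3f1b4e8f051177446d1f
  SHA512:
- metadata.gz: 39eee3a7813574221e57b7a80147d10ee1fdc3ef79cf1d8969b743167de96c63aa934085091f13e62040ec765cdd217815d4be3dc4f31d8aaccc0f9f8e148434
- data.tar.gz: 872bbe01e8a2ea47976706e4c8e0177b778ef80b85945aca05fbcdd30bf036c345c129d07fa50a28b7000875f957efc4076c84886275bd1adcc12ed268b841c2
+ metadata.gz: 39eb4bc0cfd2bb7b6cd062d5b1b54052edf5868d720bae9f20359a75b8c84721b676e20444e4454b446b576ea5009ff5d5b3259094d82a0d8eb758abd27af195
+ data.tar.gz: 0fd429e969b0ba7461822783be9b7ea9e77239e021ff189bdeb729327ff2179b887009eacdd77d237f32ae622851fd483cb539fe69717f9d670799e779731741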
@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
42
42
  # @service
43
43
  module Aws::KMS
44
44
 
45
- GEM_VERSION = '1.26.0'
45
+ GEM_VERSION = '1.27.0'
46
46
 
47
47
  end
@@ -3215,19 +3215,18 @@ module Aws::KMS
3215
3215
  # authorization, and logging that are part of every AWS KMS operation.
3216
3216
  # You also reduce of risk of encrypting data that cannot be decrypted.
3217
3217
  # These features are not effective outside of AWS KMS. For details, see
3218
- # [Special Considerations for Downloading Public
3219
- # Keys](kms/latest/developerguide/get-public-key.html#get-public-key-considerations).
3218
+ # [Special Considerations for Downloading Public Keys][2].
3220
3219
  #
3221
3220
  # To help you use the public key safely outside of AWS KMS,
3222
3221
  # `GetPublicKey` returns important information about the public key in
3223
3222
  # the response, including:
3224
3223
  #
3225
- # * [CustomerMasterKeySpec][2]\: The type of key material in the public
3224
+ # * [CustomerMasterKeySpec][3]\: The type of key material in the public
3226
3225
  # key, such as `RSA_4096` or `ECC_NIST_P521`.
3227
3226
  #
3228
- # * [KeyUsage][3]\: Whether the key is used for encryption or signing.
3227
+ # * [KeyUsage][4]\: Whether the key is used for encryption or signing.
3229
3228
  #
3230
- # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]\: A list of the
3229
+ # * [EncryptionAlgorithms][5] or [SigningAlgorithms][6]\: A list of the
3231
3230
  # encryption algorithms or the signing algorithms for the key.
3232
3231
  #
3233
3232
  # Although AWS KMS cannot enforce these restrictions on external
@@ -3240,16 +3239,17 @@ module Aws::KMS
3240
3239
  #
3241
3240
  # The CMK that you use for this operation must be in a compatible key
3242
3241
  # state. For details, see [How Key State Affects Use of a Customer
3243
- # Master Key][6] in the *AWS Key Management Service Developer Guide*.
3242
+ # Master Key][7] in the *AWS Key Management Service Developer Guide*.
3244
3243
  #
3245
3244
  #
3246
3245
  #
3247
3246
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
3248
- # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
3249
- # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
3250
- # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
3251
- # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
3252
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3247
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
3248
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
3249
+ # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
3250
+ # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
3251
+ # [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
3252
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3253
3253
  #
3254
3254
  # @option params [required, String] :key_id
3255
3255
  # Identifies the asymmetric CMK that includes the public key.
@@ -4208,10 +4208,9 @@ module Aws::KMS
4208
4208
 
4209
4209
  # Decrypts ciphertext and then reencrypts it entirely within AWS KMS.
4210
4210
  # You can use this operation to change the customer master key (CMK)
4211
- # under which data is encrypted, such as when you [manually
4212
- # rotate](kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
4213
- # a CMK or change the CMK that protects a ciphertext. You can also use
4214
- # it to reencrypt ciphertext under the same CMK, such as to change the
4211
+ # under which data is encrypted, such as when you [manually rotate][1] a
4212
+ # CMK or change the CMK that protects a ciphertext. You can also use it
4213
+ # to reencrypt ciphertext under the same CMK, such as to change the
4215
4214
  # encryption context of a ciphertext.
4216
4215
  #
4217
4216
  # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
@@ -4219,7 +4218,7 @@ module Aws::KMS
4219
4218
  # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
4220
4219
  # using the public key of an asymmetric CMK outside of AWS KMS. However,
4221
4220
  # it cannot decrypt ciphertext produced by other libraries, such as the
4222
- # [AWS Encryption SDK][1] or [Amazon S3 client-side encryption][2].
4221
+ # [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
4223
4222
  # These libraries return a ciphertext format that is incompatible with
4224
4223
  # AWS KMS.
4225
4224
  #
@@ -4266,21 +4265,22 @@ module Aws::KMS
4266
4265
  # To permit reencryption from
4267
4266
  #
4268
4267
  # or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
4269
- # policy][3]. This permission is automatically included in the key
4268
+ # policy][4]. This permission is automatically included in the key
4270
4269
  # policy when you use the console to create a CMK. But you must include
4271
4270
  # it manually when you create a CMK programmatically or when you use the
4272
4271
  # PutKeyPolicy operation set a key policy.
4273
4272
  #
4274
4273
  # The CMK that you use for this operation must be in a compatible key
4275
4274
  # state. For details, see [How Key State Affects Use of a Customer
4276
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
4275
+ # Master Key][5] in the *AWS Key Management Service Developer Guide*.
4277
4276
  #
4278
4277
  #
4279
4278
  #
4280
- # [1]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
4281
- # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
4282
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4283
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4279
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
4280
+ # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
4281
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
4282
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4283
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4284
4284
  #
4285
4285
  # @option params [required, String, IO] :ciphertext_blob
4286
4286
  # Ciphertext of the data to reencrypt.
@@ -5215,38 +5215,35 @@ module Aws::KMS
5215
5215
  end
5216
5216
 
5217
5217
  # Verifies a digital signature that was generated by the Sign operation.
5218
- # This operation requires an asymmetric CMK with a `KeyUsage` value of
5219
- # `SIGN_VERIFY`.
5220
5218
  #
5221
5219
  #
5222
5220
  #
5223
5221
  # Verification confirms that an authorized user signed the message with
5224
- # the specified key and signing algorithm, and the message hasn't
5225
- # changed since it was signed. A digital signature is generated by using
5226
- # the private key in an asymmetric CMK. The signature is verified by
5227
- # using the public key in the same asymmetric CMK. For information about
5228
- # symmetric and asymmetric CMKs, see [Using Symmetric and Asymmetric
5229
- # CMKs][1] in the *AWS Key Management Service Developer Guide*.
5222
+ # the specified CMK and signing algorithm, and the message hasn't
5223
+ # changed since it was signed. If the signature is verified, the value
5224
+ # of the `SignatureValid` field in the response is `True`. If the
5225
+ # signature verification fails, the `Verify` operation fails with an
5226
+ # `KMSInvalidSignatureException` exception.
5227
+ #
5228
+ # A digital signature is generated by using the private key in an
5229
+ # asymmetric CMK. The signature is verified by using the public key in
5230
+ # the same asymmetric CMK. For information about symmetric and
5231
+ # asymmetric CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the
5232
+ # *AWS Key Management Service Developer Guide*.
5230
5233
  #
5231
5234
  # To verify a digital signature, you can use the `Verify` operation.
5232
- # Specify the same asymmetric CMK that was used by the `Sign` operation
5233
- # to generate the digital signature.
5235
+ # Specify the same asymmetric CMK, message, and signing algorithm that
5236
+ # were used to produce the signature.
5234
5237
  #
5235
5238
  # You can also verify the digital signature by using the public key of
5236
5239
  # the CMK outside of AWS KMS. Use the GetPublicKey operation to download
5237
5240
  # the public key in the asymmetric CMK and then use the public key to
5238
- # verify the signature outside of AWS KMS.
5239
- #
5240
- # The advantage of using the `Verify` operation is that it is performed
5241
- # within AWS KMS. As a result, it's easy to call, the operation is
5242
- # performed within the FIPS boundary, it is logged in AWS CloudTrail,
5243
- # and you can use key policy and IAM policy to determine who is
5244
- # authorized to use the CMK to verify signatures.
5245
- #
5246
- # The result of the `Verify` operation, which is represented by its HTTP
5247
- # status code, does not indicate whether the signature verification
5248
- # succeeded or failed. To determine whether the signature was verified,
5249
- # see the `SignatureValid` field in the response.
5241
+ # verify the signature outside of AWS KMS. The advantage of using the
5242
+ # `Verify` operation is that it is performed within AWS KMS. As a
5243
+ # result, it's easy to call, the operation is performed within the FIPS
5244
+ # boundary, it is logged in AWS CloudTrail, and you can use key policy
5245
+ # and IAM policy to determine who is authorized to use the CMK to verify
5246
+ # signatures.
5250
5247
  #
5251
5248
  # The CMK that you use for this operation must be in a compatible key
5252
5249
  # state. For details, see [How Key State Affects Use of a Customer
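Review bot: The rewritten `Verify` description (new lines 5222-5226) does not tell a Ruby caller how a failed verification now reaches their code. Per the new text the call fails with an exception instead of returning a false `SignatureValid`, so a check such as `unless resp.signature_valid` would never see a false value. I would add a sentence such as `# In this SDK a failed verification is raised as Aws::KMS::Errors::KMSInvalidSignatureException; rescue it and treat the signature as not valid.` and correct "an `KMSInvalidSignatureException`" to "a `KMSInvalidSignatureException`". The same "the signature verification fails" rewording appears in the `:key_id`, `:message` and `:signing_algorithm` option hunks that follow and in the matching attribute hunks of the types file, so one explicit statement here covers them. The comment block continues past the end of this hunk and the method body is not visible.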
@@ -5260,8 +5257,8 @@ module Aws::KMS
5260
5257
  # @option params [required, String] :key_id
5261
5258
  # Identifies the asymmetric CMK that will be used to verify the
5262
5259
  # signature. This must be the same CMK that was used to generate the
5263
- # signature. If you specify a different CMK, the value of the
5264
- # `SignatureValid` field in the response will be `False`.
5260
+ # signature. If you specify a different CMK, the signature verification
5261
+ # fails.
5265
5262
  #
5266
5263
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5267
5264
  # name, or alias ARN. When using an alias name, prefix it with
@@ -5288,8 +5285,7 @@ module Aws::KMS
5288
5285
  # provide a hash digest of the message.
5289
5286
  #
5290
5287
  # If the digest of the message specified here is different from the
5291
- # message digest that was signed, the `SignatureValid` value in the
5292
- # response will be `False`.
5288
+ # message digest that was signed, the signature verification fails.
5293
5289
  #
5294
5290
  # @option params [String] :message_type
5295
5291
  # Tells AWS KMS whether the value of the `Message` parameter is a
@@ -5301,8 +5297,7 @@ module Aws::KMS
5301
5297
  #
5302
5298
  # @option params [required, String] :signing_algorithm
5303
5299
  # The signing algorithm that was used to sign the message. If you submit
5304
- # a different algorithm, the value of the `SignatureValid` field in the
5305
- # response will be `False`.
5300
+ # a different algorithm, the signature verification fails.
5306
5301
  #
5307
5302
  # @option params [Array<String>] :grant_tokens
5308
5303
  # A list of grant tokens.
@@ -5359,7 +5354,7 @@ module Aws::KMS
5359
5354
  params: params,
5360
5355
  config: config)
5361
5356
  context[:gem_name] = 'aws-sdk-kms'
5362
- context[:gem_version] = '1.26.0'
5357
+ context[:gem_version] = '1.27.0'
5363
5358
  Seahorse::Client::Request.new(handlers, context)
5364
5359
  end
5365
5360
 
@@ -121,6 +121,7 @@ module Aws::KMS
121
121
  InvalidKeyUsageException = Shapes::StructureShape.new(name: 'InvalidKeyUsageException')
122
122
  InvalidMarkerException = Shapes::StructureShape.new(name: 'InvalidMarkerException')
123
123
  KMSInternalException = Shapes::StructureShape.new(name: 'KMSInternalException')
124
+ KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
124
125
  KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
125
126
  KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
126
127
  KeyList = Shapes::ListShape.new(name: 'KeyList')
@@ -525,6 +526,9 @@ module Aws::KMS
525
526
  KMSInternalException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
526
527
  KMSInternalException.struct_class = Types::KMSInternalException
527
528
 
529
+ KMSInvalidSignatureException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
530
+ KMSInvalidSignatureException.struct_class = Types::KMSInvalidSignatureException
531
+
528
532
  KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
529
533
  KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
530
534
 
@@ -1344,6 +1348,7 @@ module Aws::KMS
1344
1348
  o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1345
1349
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1346
1350
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1351
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1347
1352
  end)
1348
1353
 
1349
1354
  api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
@@ -1427,6 +1432,8 @@ module Aws::KMS
1427
1432
  o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1428
1433
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1429
1434
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1435
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1436
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidSignatureException)
1430
1437
  end)
1431
1438
  end
1432
1439
 
@@ -410,6 +410,22 @@ module Aws::KMS
410
410
 
411
411
  end
412
412
 
413
+ class KMSInvalidSignatureException < ServiceError
414
+
415
+ # @param [Seahorse::Client::RequestContext] context
416
+ # @param [String] message
417
+ # @param [Aws::KMS::Types::KMSInvalidSignatureException] data
418
+ def initialize(context, message, data = Aws::EmptyStructure.new)
419
+ super(context, message, data)
420
+ end
421
+
422
+ # @return [String]
423
+ def message
424
+ @message || @data[:message]
425
+ end
426
+
427
+ end
428
+
413
429
  class KMSInvalidStateException < ServiceError
414
430
 
415
431
  # @param [Seahorse::Client::RequestContext] context
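Review bot: The new `KMSInvalidSignatureException` class has no description, yet per the updated `Verify` docs it reports a verdict (the signature did not match) rather than a service fault like the neighbouring `KMSInvalidStateException`. Because it subclasses `ServiceError`, a caller with a blanket `rescue` of that base class that retries or logs and continues would handle a rejected signature like a transient failure. I would put a comment above the class, for example `# Raised by Verify when the signature does not match the message, CMK and signing algorithm; treat it as "not valid" and do not retry.` The `KMSInvalidStateException` class that follows continues outside this hunk.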
@@ -2792,6 +2792,21 @@ module Aws::KMS
2792
2792
  include Aws::Structure
2793
2793
  end
2794
2794
 
2795
+ # The request was rejected because the signature verification failed.
2796
+ # Signature verification fails when it cannot confirm that signature was
2797
+ # produced by signing the specified message with the specified CMK and
2798
+ # signing algorithm.
2799
+ #
2800
+ # @!attribute [rw] message
2801
+ # @return [String]
2802
+ #
2803
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidSignatureException AWS API Documentation
2804
+ #
2805
+ class KMSInvalidSignatureException < Struct.new(
2806
+ :message)
2807
+ include Aws::Structure
2808
+ end
2809
+
2795
2810
  # The request was rejected because the state of the specified resource
2796
2811
  # is not valid for this request.
2797
2812
  #
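Review bot: The `@see` link in the new struct's doc comment uses `http://` while the reference links updated elsewhere in this release use `https://`. I would write it as `# @see https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidSignatureException AWS API Documentation`. The description also drops an article: "cannot confirm that signature was produced" should read "cannot confirm that the signature was produced". The documentation block for the next struct continues outside the hunk.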
@@ -4289,8 +4304,8 @@ module Aws::KMS
4289
4304
  # @!attribute [rw] key_id
4290
4305
  # Identifies the asymmetric CMK that will be used to verify the
4291
4306
  # signature. This must be the same CMK that was used to generate the
4292
- # signature. If you specify a different CMK, the value of the
4293
- # `SignatureValid` field in the response will be `False`.
4307
+ # signature. If you specify a different CMK, the signature
4308
+ # verification fails.
4294
4309
  #
4295
4310
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4296
4311
  # name, or alias ARN. When using an alias name, prefix it with
@@ -4318,8 +4333,7 @@ module Aws::KMS
4318
4333
  # provide a hash digest of the message.
4319
4334
  #
4320
4335
  # If the digest of the message specified here is different from the
4321
- # message digest that was signed, the `SignatureValid` value in the
4322
- # response will be `False`.
4336
+ # message digest that was signed, the signature verification fails.
4323
4337
  # @return [String]
4324
4338
  #
4325
4339
  # @!attribute [rw] message_type
@@ -4334,8 +4348,7 @@ module Aws::KMS
4334
4348
  #
4335
4349
  # @!attribute [rw] signing_algorithm
4336
4350
  # The signing algorithm that was used to sign the message. If you
4337
- # submit a different algorithm, the value of the `SignatureValid`
4338
- # field in the response will be `False`.
4351
+ # submit a different algorithm, the signature verification fails.
4339
4352
  # @return [String]
4340
4353
  #
4341
4354
  # @!attribute [rw] grant_tokens
@@ -4368,10 +4381,10 @@ module Aws::KMS
4368
4381
  #
4369
4382
  # @!attribute [rw] signature_valid
4370
4383
  # A Boolean value that indicates whether the signature was verified. A
4371
- # value of True indicates that the `Signature` was produced by signing
4372
- # the `Message` with the specified KeyID and `SigningAlgorithm.` A
4373
- # value of False indicates that the message, the algorithm, or the key
4374
- # changed since the message was signed.
4384
+ # value of `True` indicates that the `Signature` was produced by
4385
+ # signing the `Message` with the specified `KeyID` and
4386
+ # `SigningAlgorithm.` If the signature is not verified, the `Verify`
4387
+ # operation fails with a `KMSInvalidSignatureException` exception.
4375
4388
  # @return [Boolean]
4376
4389
  #
4377
4390
  # @!attribute [rw] signing_algorithm
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-kms
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.26.0
4
+ version: 1.27.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-11-25 00:00:00.000000000 Z
11
+ date: 2019-12-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-core