aws-sdk-kms 1.82.0 → 1.84.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -63,6 +63,8 @@ module Aws::KMS
63
63
  DeleteCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'DeleteCustomKeyStoreResponse')
64
64
  DeleteImportedKeyMaterialRequest = Shapes::StructureShape.new(name: 'DeleteImportedKeyMaterialRequest')
65
65
  DependencyTimeoutException = Shapes::StructureShape.new(name: 'DependencyTimeoutException')
66
+ DeriveSharedSecretRequest = Shapes::StructureShape.new(name: 'DeriveSharedSecretRequest')
67
+ DeriveSharedSecretResponse = Shapes::StructureShape.new(name: 'DeriveSharedSecretResponse')
66
68
  DescribeCustomKeyStoresRequest = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresRequest')
67
69
  DescribeCustomKeyStoresResponse = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresResponse')
68
70
  DescribeKeyRequest = Shapes::StructureShape.new(name: 'DescribeKeyRequest')
@@ -132,6 +134,8 @@ module Aws::KMS
132
134
  KMSInvalidMacException = Shapes::StructureShape.new(name: 'KMSInvalidMacException')
133
135
  KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
134
136
  KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
137
+ KeyAgreementAlgorithmSpec = Shapes::StringShape.new(name: 'KeyAgreementAlgorithmSpec')
138
+ KeyAgreementAlgorithmSpecList = Shapes::ListShape.new(name: 'KeyAgreementAlgorithmSpecList')
135
139
  KeyEncryptionMechanism = Shapes::StringShape.new(name: 'KeyEncryptionMechanism')
136
140
  KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
137
141
  KeyList = Shapes::ListShape.new(name: 'KeyList')
@@ -386,6 +390,21 @@ module Aws::KMS
386
390
  DependencyTimeoutException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
387
391
  DependencyTimeoutException.struct_class = Types::DependencyTimeoutException
388
392
 
393
+ DeriveSharedSecretRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
394
+ DeriveSharedSecretRequest.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, required: true, location_name: "KeyAgreementAlgorithm"))
395
+ DeriveSharedSecretRequest.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, required: true, location_name: "PublicKey"))
396
+ DeriveSharedSecretRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
397
+ DeriveSharedSecretRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "DryRun"))
398
+ DeriveSharedSecretRequest.add_member(:recipient, Shapes::ShapeRef.new(shape: RecipientInfo, location_name: "Recipient"))
399
+ DeriveSharedSecretRequest.struct_class = Types::DeriveSharedSecretRequest
400
+
401
+ DeriveSharedSecretResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
402
+ DeriveSharedSecretResponse.add_member(:shared_secret, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "SharedSecret"))
403
+ DeriveSharedSecretResponse.add_member(:ciphertext_for_recipient, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextForRecipient"))
404
+ DeriveSharedSecretResponse.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, location_name: "KeyAgreementAlgorithm"))
405
+ DeriveSharedSecretResponse.add_member(:key_origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "KeyOrigin"))
406
+ DeriveSharedSecretResponse.struct_class = Types::DeriveSharedSecretResponse
407
+
389
408
  DescribeCustomKeyStoresRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
390
409
  DescribeCustomKeyStoresRequest.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "CustomKeyStoreName"))
391
410
  DescribeCustomKeyStoresRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
@@ -566,6 +585,7 @@ module Aws::KMS
566
585
  GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
567
586
  GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
568
587
  GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
588
+ GetPublicKeyResponse.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
569
589
  GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
570
590
 
571
591
  GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
@@ -643,6 +663,8 @@ module Aws::KMS
643
663
  KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
644
664
  KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
645
665
 
666
+ KeyAgreementAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec)
667
+
646
668
  KeyList.member = Shapes::ShapeRef.new(shape: KeyListEntry)
647
669
 
648
670
  KeyListEntry.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
@@ -668,6 +690,7 @@ module Aws::KMS
668
690
  KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
669
691
  KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
670
692
  KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
693
+ KeyMetadata.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
671
694
  KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
672
695
  KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
673
696
  KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
@@ -990,6 +1013,7 @@ module Aws::KMS
990
1013
 
991
1014
  api.metadata = {
992
1015
  "apiVersion" => "2014-11-01",
1016
+ "auth" => ["aws.auth#sigv4"],
993
1017
  "endpointPrefix" => "kms",
994
1018
  "jsonVersion" => "1.1",
995
1019
  "protocol" => "json",
@@ -1163,6 +1187,23 @@ module Aws::KMS
1163
1187
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1164
1188
  end)
1165
1189
 
1190
+ api.add_operation(:derive_shared_secret, Seahorse::Model::Operation.new.tap do |o|
1191
+ o.name = "DeriveSharedSecret"
1192
+ o.http_method = "POST"
1193
+ o.http_request_uri = "/"
1194
+ o.input = Shapes::ShapeRef.new(shape: DeriveSharedSecretRequest)
1195
+ o.output = Shapes::ShapeRef.new(shape: DeriveSharedSecretResponse)
1196
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1197
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1198
+ o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
1199
+ o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1200
+ o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1201
+ o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
1202
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1203
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1204
+ o.errors << Shapes::ShapeRef.new(shape: DryRunOperationException)
1205
+ end)
1206
+
1166
1207
  api.add_operation(:describe_custom_key_stores, Seahorse::Model::Operation.new.tap do |o|
1167
1208
  o.name = "DescribeCustomKeyStores"
1168
1209
  o.http_method = "POST"
@@ -152,6 +152,20 @@ module Aws::KMS
152
152
  end
153
153
  end
154
154
 
155
+ class DeriveSharedSecret
156
+ def self.build(context)
157
+ unless context.config.regional_endpoint
158
+ endpoint = context.config.endpoint.to_s
159
+ end
160
+ Aws::KMS::EndpointParameters.new(
161
+ region: context.config.region,
162
+ use_dual_stack: context.config.use_dualstack_endpoint,
163
+ use_fips: context.config.use_fips_endpoint,
164
+ endpoint: endpoint,
165
+ )
166
+ end
167
+ end
168
+
155
169
  class DescribeCustomKeyStores
156
170
  def self.build(context)
157
171
  unless context.config.regional_endpoint
@@ -78,6 +78,8 @@ module Aws::KMS
78
78
  Aws::KMS::Endpoints::DeleteCustomKeyStore.build(context)
79
79
  when :delete_imported_key_material
80
80
  Aws::KMS::Endpoints::DeleteImportedKeyMaterial.build(context)
81
+ when :derive_shared_secret
82
+ Aws::KMS::Endpoints::DeriveSharedSecret.build(context)
81
83
  when :describe_custom_key_stores
82
84
  Aws::KMS::Endpoints::DescribeCustomKeyStores.build(context)
83
85
  when :describe_key
@@ -841,14 +841,17 @@ module Aws::KMS
841
841
  #
842
842
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
843
843
  #
844
- # * For asymmetric KMS keys with RSA key material, specify
844
+ # * For asymmetric KMS keys with RSA key pairs, specify
845
845
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
846
846
  #
847
- # * For asymmetric KMS keys with ECC key material, specify
847
+ # * For asymmetric KMS keys with NIST-recommended elliptic curve key
848
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
849
+ #
850
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
848
851
  # `SIGN_VERIFY`.
849
852
  #
850
- # * For asymmetric KMS keys with SM2 key material (China Regions
851
- # only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
853
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
854
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
852
855
  #
853
856
  #
854
857
  #
@@ -904,7 +907,8 @@ module Aws::KMS
904
907
  #
905
908
  # * `HMAC_512`
906
909
  #
907
- # * Asymmetric RSA key pairs
910
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing
911
+ # and verification)
908
912
  #
909
913
  # * `RSA_2048`
910
914
  #
@@ -912,7 +916,8 @@ module Aws::KMS
912
916
  #
913
917
  # * `RSA_4096`
914
918
  #
915
- # * Asymmetric NIST-recommended elliptic curve key pairs
919
+ # * Asymmetric NIST-recommended elliptic curve key pairs (signing and
920
+ # verification -or- deriving shared secrets)
916
921
  #
917
922
  # * `ECC_NIST_P256` (secp256r1)
918
923
  #
@@ -920,16 +925,18 @@ module Aws::KMS
920
925
  #
921
926
  # * `ECC_NIST_P521` (secp521r1)
922
927
  #
923
- # * Other asymmetric elliptic curve key pairs
928
+ # * Other asymmetric elliptic curve key pairs (signing and
929
+ # verification)
924
930
  #
925
931
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for
926
932
  # cryptocurrencies.
927
933
  #
928
934
  # ^
929
935
  #
930
- # * SM2 key pairs (China Regions only)
936
+ # * SM2 key pairs (encryption and decryption -or- signing and
937
+ # verification -or- deriving shared secrets)
931
938
  #
932
- # * `SM2`
939
+ # * `SM2` (China Regions only)
933
940
  #
934
941
  # ^
935
942
  #
@@ -1761,6 +1768,195 @@ module Aws::KMS
1761
1768
  include Aws::Structure
1762
1769
  end
1763
1770
 
1771
+ # @!attribute [rw] key_id
1772
+ # Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
1773
+ # only) KMS key. KMS uses the private key in the specified key pair to
1774
+ # derive the shared secret. The key usage of the KMS key must be
1775
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
1776
+ # DescribeKey operation.
1777
+ #
1778
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1779
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify
1780
+ # a KMS key in a different Amazon Web Services account, you must use
1781
+ # the key ARN or alias ARN.
1782
+ #
1783
+ # For example:
1784
+ #
1785
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1786
+ #
1787
+ # * Key ARN:
1788
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1789
+ #
1790
+ # * Alias name: `alias/ExampleAlias`
1791
+ #
1792
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1793
+ #
1794
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
1795
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1796
+ # @return [String]
1797
+ #
1798
+ # @!attribute [rw] key_agreement_algorithm
1799
+ # Specifies the key agreement algorithm used to derive the shared
1800
+ # secret. The only valid value is `ECDH`.
1801
+ # @return [String]
1802
+ #
1803
+ # @!attribute [rw] public_key
1804
+ # Specifies the public key in your peer's NIST-recommended elliptic
1805
+ # curve (ECC) or SM2 (China Regions only) key pair.
1806
+ #
1807
+ # The public key must be a DER-encoded X.509 public key, also known as
1808
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
1809
+ #
1810
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
1811
+ # the required DER-encoded format.
1812
+ #
1813
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
1814
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon
1815
+ # Web Services CLI Base64-encodes the public key a second time,
1816
+ # resulting in a `ValidationException`.
1817
+ #
1818
+ # </note>
1819
+ #
1820
+ # You can specify the public key as binary data in a file using fileb
1821
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
1822
+ #
1823
+ #
1824
+ #
1825
+ # [1]: https://tools.ietf.org/html/rfc5280
1826
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
1827
+ # @return [String]
1828
+ #
1829
+ # @!attribute [rw] grant_tokens
1830
+ # A list of grant tokens.
1831
+ #
1832
+ # Use a grant token when your permission to call this operation comes
1833
+ # from a new grant that has not yet achieved *eventual consistency*.
1834
+ # For more information, see [Grant token][1] and [Using a grant
1835
+ # token][2] in the *Key Management Service Developer Guide*.
1836
+ #
1837
+ #
1838
+ #
1839
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1840
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
1841
+ # @return [Array<String>]
1842
+ #
1843
+ # @!attribute [rw] dry_run
1844
+ # Checks if your request will succeed. `DryRun` is an optional
1845
+ # parameter.
1846
+ #
1847
+ # To learn more about how to use this parameter, see [Testing your KMS
1848
+ # API calls][1] in the *Key Management Service Developer Guide*.
1849
+ #
1850
+ #
1851
+ #
1852
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1853
+ # @return [Boolean]
1854
+ #
1855
+ # @!attribute [rw] recipient
1856
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1857
+ # enclave and the encryption algorithm to use with the enclave's
1858
+ # public key. The only valid encryption algorithm is
1859
+ # `RSAES_OAEP_SHA_256`.
1860
+ #
1861
+ # This parameter only supports attestation documents for Amazon Web
1862
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
1863
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
1864
+ # Enclaves SDK][2] to generate the attestation document and then use
1865
+ # the Recipient parameter from any Amazon Web Services SDK to provide
1866
+ # the attestation document for the enclave.
1867
+ #
1868
+ # When you use this parameter, instead of returning a plaintext copy
1869
+ # of the shared secret, KMS encrypts the plaintext shared secret under
1870
+ # the public key in the attestation document, and returns the
1871
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
1872
+ # response. This ciphertext can be decrypted only with the private key
1873
+ # in the enclave. The `CiphertextBlob` field in the response contains
1874
+ # the encrypted shared secret derived from the KMS key specified by
1875
+ # the `KeyId` parameter and public key specified by the `PublicKey`
1876
+ # parameter. The `SharedSecret` field in the response is null or
1877
+ # empty.
1878
+ #
1879
+ # For information about the interaction between KMS and Amazon Web
1880
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1881
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
1882
+ #
1883
+ #
1884
+ #
1885
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1886
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1887
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1888
+ # @return [Types::RecipientInfo]
1889
+ #
1890
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
1891
+ #
1892
+ class DeriveSharedSecretRequest < Struct.new(
1893
+ :key_id,
1894
+ :key_agreement_algorithm,
1895
+ :public_key,
1896
+ :grant_tokens,
1897
+ :dry_run,
1898
+ :recipient)
1899
+ SENSITIVE = []
1900
+ include Aws::Structure
1901
+ end
1902
+
1903
+ # @!attribute [rw] key_id
1904
+ # Identifies the KMS key used to derive the shared secret.
1905
+ # @return [String]
1906
+ #
1907
+ # @!attribute [rw] shared_secret
1908
+ # The raw secret derived from the specified key agreement algorithm,
1909
+ # private key in the asymmetric KMS key, and your peer's public key.
1910
+ #
1911
+ # If the response includes the `CiphertextForRecipient` field, the
1912
+ # `SharedSecret` field is null or empty.
1913
+ # @return [String]
1914
+ #
1915
+ # @!attribute [rw] ciphertext_for_recipient
1916
+ # The plaintext shared secret encrypted with the public key in the
1917
+ # attestation document.
1918
+ #
1919
+ # This field is included in the response only when the `Recipient`
1920
+ # parameter in the request includes a valid attestation document from
1921
+ # an Amazon Web Services Nitro enclave. For information about the
1922
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1923
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1924
+ # Management Service Developer Guide*.
1925
+ #
1926
+ #
1927
+ #
1928
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1929
+ # @return [String]
1930
+ #
1931
+ # @!attribute [rw] key_agreement_algorithm
1932
+ # Identifies the key agreement algorithm used to derive the shared
1933
+ # secret.
1934
+ # @return [String]
1935
+ #
1936
+ # @!attribute [rw] key_origin
1937
+ # The source of the key material for the specified KMS key.
1938
+ #
1939
+ # When this value is `AWS_KMS`, KMS created the key material. When
1940
+ # this value is `EXTERNAL`, the key material was imported or the KMS
1941
+ # key doesn't have any key material.
1942
+ #
1943
+ # The only valid values for DeriveSharedSecret are `AWS_KMS` and
1944
+ # `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
1945
+ # `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
1946
+ # @return [String]
1947
+ #
1948
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
1949
+ #
1950
+ class DeriveSharedSecretResponse < Struct.new(
1951
+ :key_id,
1952
+ :shared_secret,
1953
+ :ciphertext_for_recipient,
1954
+ :key_agreement_algorithm,
1955
+ :key_origin)
1956
+ SENSITIVE = [:shared_secret]
1957
+ include Aws::Structure
1958
+ end
1959
+
1764
1960
  # @!attribute [rw] custom_key_store_id
1765
1961
  # Gets only information about the specified custom key store. Enter
1766
1962
  # the key store ID.
@@ -2317,8 +2513,11 @@ module Aws::KMS
2317
2513
  # `RSAES_OAEP_SHA_256`.
2318
2514
  #
2319
2515
  # This parameter only supports attestation documents for Amazon Web
2320
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2321
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2516
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
2517
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
2518
+ # Enclaves SDK][2] to generate the attestation document and then use
2519
+ # the Recipient parameter from any Amazon Web Services SDK to provide
2520
+ # the attestation document for the enclave.
2322
2521
  #
2323
2522
  # When you use this parameter, instead of returning a plaintext copy
2324
2523
  # of the private data key, KMS encrypts the plaintext private data key
@@ -3208,28 +3407,20 @@ module Aws::KMS
3208
3407
  # @return [String]
3209
3408
  #
3210
3409
  # @!attribute [rw] wrapping_algorithm
3211
- # The algorithm you will use with the asymmetric public key
3212
- # (`PublicKey`) in the response to protect your key material during
3213
- # import. For more information, see [Select a wrapping
3410
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
3411
+ # the response to protect your key material during import. For more
3412
+ # information, see [Select a wrapping
3214
3413
  # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3215
3414
  # in the *Key Management Service Developer Guide*.
3216
3415
  #
3217
3416
  # For RSA\_AES wrapping algorithms, you encrypt your key material with
3218
3417
  # an AES key that you generate, then encrypt your AES key with the RSA
3219
3418
  # public key from KMS. For RSAES wrapping algorithms, you encrypt your
3220
- # key material directly with the RSA public key from KMS. For SM2PKE
3221
- # wrapping algorithms, you encrypt your key material directly with the
3222
- # SM2 public key from KMS.
3419
+ # key material directly with the RSA public key from KMS.
3223
3420
  #
3224
3421
  # The wrapping algorithms that you can use depend on the type of key
3225
3422
  # material that you are importing. To import an RSA private key, you
3226
- # must use an RSA\_AES wrapping algorithm, except in China Regions,
3227
- # where you must use the SM2PKE wrapping algorithm to import an RSA
3228
- # private key.
3229
- #
3230
- # The SM2PKE wrapping algorithm is available only in China Regions.
3231
- # The `RSA_AES_KEY_WRAP_SHA_256` and `RSA_AES_KEY_WRAP_SHA_1` wrapping
3232
- # algorithms are not supported in China Regions.
3423
+ # must use an RSA\_AES wrapping algorithm.
3233
3424
  #
3234
3425
  # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
3235
3426
  # ECC key material.
@@ -3252,23 +3443,18 @@ module Aws::KMS
3252
3443
  #
3253
3444
  # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
3254
3445
  # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
3255
- #
3256
- # * **SM2PKE** (China Regions only) — supported for wrapping RSA, ECC,
3257
- # and SM2 key material.
3258
3446
  # @return [String]
3259
3447
  #
3260
3448
  # @!attribute [rw] wrapping_key_spec
3261
- # The type of public key to return in the response. You will use this
3262
- # wrapping key with the specified wrapping algorithm to protect your
3263
- # key material during import.
3449
+ # The type of RSA public key to return in the response. You will use
3450
+ # this wrapping key with the specified wrapping algorithm to protect
3451
+ # your key material during import.
3264
3452
  #
3265
- # Use the longest wrapping key that is practical.
3453
+ # Use the longest RSA wrapping key that is practical.
3266
3454
  #
3267
3455
  # You cannot use an RSA\_2048 public key to directly wrap an
3268
3456
  # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
3269
3457
  # algorithm or choose a longer RSA public key.
3270
- #
3271
- # The SM2 wrapping key spec is available only in China Regions.
3272
3458
  # @return [String]
3273
3459
  #
3274
3460
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -3401,12 +3587,12 @@ module Aws::KMS
3401
3587
  # @return [String]
3402
3588
  #
3403
3589
  # @!attribute [rw] key_usage
3404
- # The permitted use of the public key. Valid values are
3405
- # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
3590
+ # The permitted use of the public key. Valid values for asymmetric key
3591
+ # pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
3406
3592
  #
3407
- # This information is critical. If a public key with `SIGN_VERIFY` key
3408
- # usage encrypts data outside of KMS, the ciphertext cannot be
3409
- # decrypted.
3593
+ # This information is critical. For example, if a public key with
3594
+ # `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
3595
+ # cannot be decrypted.
3410
3596
  # @return [String]
3411
3597
  #
3412
3598
  # @!attribute [rw] encryption_algorithms
@@ -3427,6 +3613,12 @@ module Aws::KMS
3427
3613
  # public key is `SIGN_VERIFY`.
3428
3614
  # @return [Array<String>]
3429
3615
  #
3616
+ # @!attribute [rw] key_agreement_algorithms
3617
+ # The key agreement algorithm used to derive a shared secret. This
3618
+ # field is present only when the KMS key has a `KeyUsage` value of
3619
+ # `KEY_AGREEMENT`.
3620
+ # @return [Array<String>]
3621
+ #
3430
3622
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
3431
3623
  #
3432
3624
  class GetPublicKeyResponse < Struct.new(
@@ -3436,7 +3628,8 @@ module Aws::KMS
3436
3628
  :key_spec,
3437
3629
  :key_usage,
3438
3630
  :encryption_algorithms,
3439
- :signing_algorithms)
3631
+ :signing_algorithms,
3632
+ :key_agreement_algorithms)
3440
3633
  SENSITIVE = []
3441
3634
  include Aws::Structure
3442
3635
  end
@@ -3824,8 +4017,9 @@ module Aws::KMS
3824
4017
  # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3825
4018
  # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3826
4019
  # verifying message authentication codes (MACs), the `KeyUsage` must be
3827
- # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3828
- # DescribeKey operation.
4020
+ # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
4021
+ # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
4022
+ # key, use the DescribeKey operation.
3829
4023
  #
3830
4024
  # To find the encryption or signing algorithms supported for a
3831
4025
  # particular KMS key, use the DescribeKey operation.
@@ -4104,6 +4298,10 @@ module Aws::KMS
4104
4298
  # `SIGN_VERIFY`.
4105
4299
  # @return [Array<String>]
4106
4300
  #
4301
+ # @!attribute [rw] key_agreement_algorithms
4302
+ # The key agreement algorithm used to derive a shared secret.
4303
+ # @return [Array<String>]
4304
+ #
4107
4305
  # @!attribute [rw] multi_region
4108
4306
  # Indicates whether the KMS key is a multi-Region (`True`) or regional
4109
4307
  # (`False`) key. This value is `True` for multi-Region primary and
@@ -4197,6 +4395,7 @@ module Aws::KMS
4197
4395
  :key_spec,
4198
4396
  :encryption_algorithms,
4199
4397
  :signing_algorithms,
4398
+ :key_agreement_algorithms,
4200
4399
  :multi_region,
4201
4400
  :multi_region_configuration,
4202
4401
  :pending_deletion_window_in_days,
data/lib/aws-sdk-kms.rb CHANGED
@@ -52,6 +52,6 @@ require_relative 'aws-sdk-kms/customizations'
52
52
  # @!group service
53
53
  module Aws::KMS
54
54
 
55
- GEM_VERSION = '1.82.0'
55
+ GEM_VERSION = '1.84.0'
56
56
 
57
57
  end
data/sig/client.rbs CHANGED
@@ -131,7 +131,7 @@ module Aws
131
131
  key_id: ::String,
132
132
  grantee_principal: ::String,
133
133
  ?retiring_principal: ::String,
134
- operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")],
134
+ operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")],
135
135
  ?constraints: {
136
136
  encryption_context_subset: Hash[::String, ::String]?,
137
137
  encryption_context_equals: Hash[::String, ::String]?
@@ -150,7 +150,7 @@ module Aws
150
150
  def create_key: (
151
151
  ?policy: ::String,
152
152
  ?description: ::String,
153
- ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC"),
153
+ ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT"),
154
154
  ?customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
155
155
  ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
156
156
  ?origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE"),
@@ -210,6 +210,28 @@ module Aws
210
210
  ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
211
211
  | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
212
212
 
213
+ interface _DeriveSharedSecretResponseSuccess
214
+ include ::Seahorse::Client::_ResponseSuccess[Types::DeriveSharedSecretResponse]
215
+ def key_id: () -> ::String
216
+ def shared_secret: () -> ::String
217
+ def ciphertext_for_recipient: () -> ::String
218
+ def key_agreement_algorithm: () -> ("ECDH")
219
+ def key_origin: () -> ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
220
+ end
221
+ # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#derive_shared_secret-instance_method
222
+ def derive_shared_secret: (
223
+ key_id: ::String,
224
+ key_agreement_algorithm: ("ECDH"),
225
+ public_key: ::String,
226
+ ?grant_tokens: Array[::String],
227
+ ?dry_run: bool,
228
+ ?recipient: {
229
+ key_encryption_algorithm: ("RSAES_OAEP_SHA_256")?,
230
+ attestation_document: ::String?
231
+ }
232
+ ) -> _DeriveSharedSecretResponseSuccess
233
+ | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _DeriveSharedSecretResponseSuccess
234
+
213
235
  interface _DescribeCustomKeyStoresResponseSuccess
214
236
  include ::Seahorse::Client::_ResponseSuccess[Types::DescribeCustomKeyStoresResponse]
215
237
  def custom_key_stores: () -> ::Array[Types::CustomKeyStoresListEntry]
@@ -444,9 +466,10 @@ module Aws
444
466
  def public_key: () -> ::String
445
467
  def customer_master_key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
446
468
  def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
447
- def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
469
+ def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
448
470
  def encryption_algorithms: () -> ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
449
471
  def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
472
+ def key_agreement_algorithms: () -> ::Array[("ECDH")]
450
473
  end
451
474
  # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_public_key-instance_method
452
475
  def get_public_key: (