aws-sdk-kms 1.82.0 → 1.86.0

data/lib/aws-sdk-kms/client_api.rb

@@ -63,6 +63,8 @@ module Aws::KMS
     DeleteCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'DeleteCustomKeyStoreResponse')
     DeleteImportedKeyMaterialRequest = Shapes::StructureShape.new(name: 'DeleteImportedKeyMaterialRequest')
     DependencyTimeoutException = Shapes::StructureShape.new(name: 'DependencyTimeoutException')
+    DeriveSharedSecretRequest = Shapes::StructureShape.new(name: 'DeriveSharedSecretRequest')
+    DeriveSharedSecretResponse = Shapes::StructureShape.new(name: 'DeriveSharedSecretResponse')
     DescribeCustomKeyStoresRequest = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresRequest')
     DescribeCustomKeyStoresResponse = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresResponse')
     DescribeKeyRequest = Shapes::StructureShape.new(name: 'DescribeKeyRequest')
@@ -132,6 +134,8 @@ module Aws::KMS
     KMSInvalidMacException = Shapes::StructureShape.new(name: 'KMSInvalidMacException')
     KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
     KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
+    KeyAgreementAlgorithmSpec = Shapes::StringShape.new(name: 'KeyAgreementAlgorithmSpec')
+    KeyAgreementAlgorithmSpecList = Shapes::ListShape.new(name: 'KeyAgreementAlgorithmSpecList')
     KeyEncryptionMechanism = Shapes::StringShape.new(name: 'KeyEncryptionMechanism')
     KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
     KeyList = Shapes::ListShape.new(name: 'KeyList')
@@ -386,6 +390,21 @@ module Aws::KMS
     DependencyTimeoutException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     DependencyTimeoutException.struct_class = Types::DependencyTimeoutException
 
+    DeriveSharedSecretRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    DeriveSharedSecretRequest.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, required: true, location_name: "KeyAgreementAlgorithm"))
+    DeriveSharedSecretRequest.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, required: true, location_name: "PublicKey"))
+    DeriveSharedSecretRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    DeriveSharedSecretRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "DryRun"))
+    DeriveSharedSecretRequest.add_member(:recipient, Shapes::ShapeRef.new(shape: RecipientInfo, location_name: "Recipient"))
+    DeriveSharedSecretRequest.struct_class = Types::DeriveSharedSecretRequest
+
+    DeriveSharedSecretResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    DeriveSharedSecretResponse.add_member(:shared_secret, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "SharedSecret"))
+    DeriveSharedSecretResponse.add_member(:ciphertext_for_recipient, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextForRecipient"))
+    DeriveSharedSecretResponse.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, location_name: "KeyAgreementAlgorithm"))
+    DeriveSharedSecretResponse.add_member(:key_origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "KeyOrigin"))
+    DeriveSharedSecretResponse.struct_class = Types::DeriveSharedSecretResponse
+
     DescribeCustomKeyStoresRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
     DescribeCustomKeyStoresRequest.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "CustomKeyStoreName"))
     DescribeCustomKeyStoresRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
@@ -566,6 +585,7 @@ module Aws::KMS
     GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
     GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
     GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+    GetPublicKeyResponse.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
     GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
 
     GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
@@ -643,6 +663,8 @@ module Aws::KMS
     KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
 
+    KeyAgreementAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec)
+
     KeyList.member = Shapes::ShapeRef.new(shape: KeyListEntry)
 
     KeyListEntry.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
@@ -668,6 +690,7 @@ module Aws::KMS
     KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
     KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
     KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+    KeyMetadata.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
     KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
     KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
     KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
@@ -990,6 +1013,7 @@ module Aws::KMS
 
       api.metadata = {
         "apiVersion" => "2014-11-01",
+        "auth" => ["aws.auth#sigv4"],
         "endpointPrefix" => "kms",
         "jsonVersion" => "1.1",
         "protocol" => "json",
@@ -1163,6 +1187,23 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:derive_shared_secret, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DeriveSharedSecret"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DeriveSharedSecretRequest)
+        o.output = Shapes::ShapeRef.new(shape: DeriveSharedSecretResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: DryRunOperationException)
+      end)
+
       api.add_operation(:describe_custom_key_stores, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DescribeCustomKeyStores"
         o.http_method = "POST"

data/lib/aws-sdk-kms/endpoints.rb

@@ -152,6 +152,20 @@ module Aws::KMS
       end
     end
 
+    class DeriveSharedSecret
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::KMS::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class DescribeCustomKeyStores
       def self.build(context)
         unless context.config.regional_endpoint

data/lib/aws-sdk-kms/plugins/endpoints.rb

@@ -78,6 +78,8 @@ module Aws::KMS
             Aws::KMS::Endpoints::DeleteCustomKeyStore.build(context)
           when :delete_imported_key_material
             Aws::KMS::Endpoints::DeleteImportedKeyMaterial.build(context)
+          when :derive_shared_secret
+            Aws::KMS::Endpoints::DeriveSharedSecret.build(context)
           when :describe_custom_key_stores
             Aws::KMS::Endpoints::DescribeCustomKeyStores.build(context)
           when :describe_key

data/lib/aws-sdk-kms/types.rb

@@ -841,14 +841,17 @@ module Aws::KMS
     #
     #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
     #
-    #   * For asymmetric KMS keys with RSA key material, specify
+    #   * For asymmetric KMS keys with RSA key pairs, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with ECC key material, specify
+    #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
+    #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
+    #
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
     #     `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with SM2 key material (China Regions
-    #     only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
+    #     specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
     #
     #
     #
@@ -904,7 +907,8 @@ module Aws::KMS
     #
     #     * `HMAC_512`
     #
-    #   * Asymmetric RSA key pairs
+    #   * Asymmetric RSA key pairs (encryption and decryption -or- signing
+    #     and verification)
     #
     #     * `RSA_2048`
     #
@@ -912,7 +916,8 @@ module Aws::KMS
     #
     #     * `RSA_4096`
     #
-    #   * Asymmetric NIST-recommended elliptic curve key pairs
+    #   * Asymmetric NIST-recommended elliptic curve key pairs (signing and
+    #     verification -or- deriving shared secrets)
     #
     #     * `ECC_NIST_P256` (secp256r1)
     #
@@ -920,16 +925,18 @@ module Aws::KMS
     #
     #     * `ECC_NIST_P521` (secp521r1)
     #
-    #   * Other asymmetric elliptic curve key pairs
+    #   * Other asymmetric elliptic curve key pairs (signing and
+    #     verification)
     #
     #     * `ECC_SECG_P256K1` (secp256k1), commonly used for
     #       cryptocurrencies.
     #
     #     ^
     #
-    #   * SM2 key pairs (China Regions only)
+    #   * SM2 key pairs (encryption and decryption -or- signing and
+    #     verification -or- deriving shared secrets)
     #
-    #     * `SM2`
+    #     * `SM2` (China Regions only)
     #
     #     ^
     #
@@ -1761,6 +1768,195 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @!attribute [rw] key_id
+    #   Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
+    #   only) KMS key. KMS uses the private key in the specified key pair to
+    #   derive the shared secret. The key usage of the KMS key must be
+    #   `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
+    #   DescribeKey operation.
+    #
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_agreement_algorithm
+    #   Specifies the key agreement algorithm used to derive the shared
+    #   secret. The only valid value is `ECDH`.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   Specifies the public key in your peer's NIST-recommended elliptic
+    #   curve (ECC) or SM2 (China Regions only) key pair.
+    #
+    #   The public key must be a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
+    #
+    #   GetPublicKey returns the public key of an asymmetric KMS key pair in
+    #   the required DER-encoded format.
+    #
+    #   <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
+    #   the DER-encoded X.509 public key in a file. Otherwise, the Amazon
+    #   Web Services CLI Base64-encodes the public key a second time,
+    #   resulting in a `ValidationException`.
+    #
+    #    </note>
+    #
+    #   You can specify the public key as binary data in a file using fileb
+    #   (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
+    #   [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
+    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
+    #   Enclaves SDK][2] to generate the attestation document and then use
+    #   the Recipient parameter from any Amazon Web Services SDK to provide
+    #   the attestation document for the enclave.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy
+    #   of the shared secret, KMS encrypts the plaintext shared secret under
+    #   the public key in the attestation document, and returns the
+    #   resulting ciphertext in the `CiphertextForRecipient` field in the
+    #   response. This ciphertext can be decrypted only with the private key
+    #   in the enclave. The `CiphertextBlob` field in the response contains
+    #   the encrypted shared secret derived from the KMS key specified by
+    #   the `KeyId` parameter and public key specified by the `PublicKey`
+    #   parameter. The `SharedSecret` field in the response is null or
+    #   empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
+    #
+    class DeriveSharedSecretRequest < Struct.new(
+      :key_id,
+      :key_agreement_algorithm,
+      :public_key,
+      :grant_tokens,
+      :dry_run,
+      :recipient)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   Identifies the KMS key used to derive the shared secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] shared_secret
+    #   The raw secret derived from the specified key agreement algorithm,
+    #   private key in the asymmetric KMS key, and your peer's public key.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `SharedSecret` field is null or empty.
+    #   @return [String]
+    #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext shared secret encrypted with the public key in the
+    #   attestation document.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
+    # @!attribute [rw] key_agreement_algorithm
+    #   Identifies the key agreement algorithm used to derive the shared
+    #   secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_origin
+    #   The source of the key material for the specified KMS key.
+    #
+    #   When this value is `AWS_KMS`, KMS created the key material. When
+    #   this value is `EXTERNAL`, the key material was imported or the KMS
+    #   key doesn't have any key material.
+    #
+    #   The only valid values for DeriveSharedSecret are `AWS_KMS` and
+    #   `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
+    #   `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
+    #
+    class DeriveSharedSecretResponse < Struct.new(
+      :key_id,
+      :shared_secret,
+      :ciphertext_for_recipient,
+      :key_agreement_algorithm,
+      :key_origin)
+      SENSITIVE = [:shared_secret]
+      include Aws::Structure
+    end
+
     # @!attribute [rw] custom_key_store_id
     #   Gets only information about the specified custom key store. Enter
     #   the key store ID.
@@ -2317,8 +2513,11 @@ module Aws::KMS
     #   `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
+    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
+    #   Enclaves SDK][2] to generate the attestation document and then use
+    #   the Recipient parameter from any Amazon Web Services SDK to provide
+    #   the attestation document for the enclave.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the private data key, KMS encrypts the plaintext private data key
@@ -3208,28 +3407,20 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] wrapping_algorithm
-    #   The algorithm you will use with the asymmetric public key
-    #   (`PublicKey`) in the response to protect your key material during
-    #   import. For more information, see [Select a wrapping
+    #   The algorithm you will use with the RSA public key (`PublicKey`) in
+    #   the response to protect your key material during import. For more
+    #   information, see [Select a wrapping
     #   algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
     #   in the *Key Management Service Developer Guide*.
     #
     #   For RSA\_AES wrapping algorithms, you encrypt your key material with
     #   an AES key that you generate, then encrypt your AES key with the RSA
     #   public key from KMS. For RSAES wrapping algorithms, you encrypt your
-    #   key material directly with the RSA public key from KMS. For SM2PKE
-    #   wrapping algorithms, you encrypt your key material directly with the
-    #   SM2 public key from KMS.
+    #   key material directly with the RSA public key from KMS.
     #
     #   The wrapping algorithms that you can use depend on the type of key
     #   material that you are importing. To import an RSA private key, you
-    #   must use an RSA\_AES wrapping algorithm, except in China Regions,
-    #   where you must use the SM2PKE wrapping algorithm to import an RSA
-    #   private key.
-    #
-    #   The SM2PKE wrapping algorithm is available only in China Regions.
-    #   The `RSA_AES_KEY_WRAP_SHA_256` and `RSA_AES_KEY_WRAP_SHA_1` wrapping
-    #   algorithms are not supported in China Regions.
+    #   must use an RSA\_AES wrapping algorithm.
     #
     #   * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
     #     ECC key material.
@@ -3252,23 +3443,18 @@ module Aws::KMS
     #
     #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
     #     does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
-    #
-    #   * **SM2PKE** (China Regions only) — supported for wrapping RSA, ECC,
-    #     and SM2 key material.
     #   @return [String]
     #
     # @!attribute [rw] wrapping_key_spec
-    #   The type of public key to return in the response. You will use this
-    #   wrapping key with the specified wrapping algorithm to protect your
-    #   key material during import.
+    #   The type of RSA public key to return in the response. You will use
+    #   this wrapping key with the specified wrapping algorithm to protect
+    #   your key material during import.
     #
-    #   Use the longest wrapping key that is practical.
+    #   Use the longest RSA wrapping key that is practical.
     #
     #   You cannot use an RSA\_2048 public key to directly wrap an
     #   ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
     #   algorithm or choose a longer RSA public key.
-    #
-    #   The SM2 wrapping key spec is available only in China Regions.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -3401,12 +3587,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The permitted use of the public key. Valid values are
-    #   `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #   The permitted use of the public key. Valid values for asymmetric key
+    #   pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
     #
-    #   This information is critical. If a public key with `SIGN_VERIFY` key
-    #   usage encrypts data outside of KMS, the ciphertext cannot be
-    #   decrypted.
+    #   This information is critical. For example, if a public key with
+    #   `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
+    #   cannot be decrypted.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
@@ -3427,6 +3613,12 @@ module Aws::KMS
     #   public key is `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] key_agreement_algorithms
+    #   The key agreement algorithm used to derive a shared secret. This
+    #   field is present only when the KMS key has a `KeyUsage` value of
+    #   `KEY_AGREEMENT`.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
     #
     class GetPublicKeyResponse < Struct.new(
@@ -3436,7 +3628,8 @@ module Aws::KMS
       :key_spec,
       :key_usage,
       :encryption_algorithms,
-      :signing_algorithms)
+      :signing_algorithms,
+      :key_agreement_algorithms)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3824,8 +4017,9 @@ module Aws::KMS
     # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
     # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
     # verifying message authentication codes (MACs), the `KeyUsage` must be
-    # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
-    # DescribeKey operation.
+    # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
+    # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
+    # key, use the DescribeKey operation.
     #
     # To find the encryption or signing algorithms supported for a
     # particular KMS key, use the DescribeKey operation.
@@ -4104,6 +4298,10 @@ module Aws::KMS
     #   `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] key_agreement_algorithms
+    #   The key agreement algorithm used to derive a shared secret.
+    #   @return [Array<String>]
+    #
     # @!attribute [rw] multi_region
     #   Indicates whether the KMS key is a multi-Region (`True`) or regional
     #   (`False`) key. This value is `True` for multi-Region primary and
@@ -4197,6 +4395,7 @@ module Aws::KMS
       :key_spec,
       :encryption_algorithms,
       :signing_algorithms,
+      :key_agreement_algorithms,
       :multi_region,
       :multi_region_configuration,
       :pending_deletion_window_in_days,

data/lib/aws-sdk-kms.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @!group service
 module Aws::KMS
 
-  GEM_VERSION = '1.82.0'
+  GEM_VERSION = '1.86.0'
 
 end

data/sig/client.rbs

@@ -131,7 +131,7 @@ module Aws
                           key_id: ::String,
                           grantee_principal: ::String,
                           ?retiring_principal: ::String,
-                          operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")],
+                          operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")],
                           ?constraints: {
                             encryption_context_subset: Hash[::String, ::String]?,
                             encryption_context_equals: Hash[::String, ::String]?
@@ -150,7 +150,7 @@ module Aws
       def create_key: (
                         ?policy: ::String,
                         ?description: ::String,
-                        ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC"),
+                        ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT"),
                         ?customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
                         ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
                         ?origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE"),
@@ -210,6 +210,28 @@ module Aws
                                         ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
                                       | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
 
+      interface _DeriveSharedSecretResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::DeriveSharedSecretResponse]
+        def key_id: () -> ::String
+        def shared_secret: () -> ::String
+        def ciphertext_for_recipient: () -> ::String
+        def key_agreement_algorithm: () -> ("ECDH")
+        def key_origin: () -> ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#derive_shared_secret-instance_method
+      def derive_shared_secret: (
+                                  key_id: ::String,
+                                  key_agreement_algorithm: ("ECDH"),
+                                  public_key: ::String,
+                                  ?grant_tokens: Array[::String],
+                                  ?dry_run: bool,
+                                  ?recipient: {
+                                    key_encryption_algorithm: ("RSAES_OAEP_SHA_256")?,
+                                    attestation_document: ::String?
+                                  }
+                                ) -> _DeriveSharedSecretResponseSuccess
+                              | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _DeriveSharedSecretResponseSuccess
+
       interface _DescribeCustomKeyStoresResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::DescribeCustomKeyStoresResponse]
         def custom_key_stores: () -> ::Array[Types::CustomKeyStoresListEntry]
@@ -444,9 +466,10 @@ module Aws
         def public_key: () -> ::String
         def customer_master_key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
         def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-        def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+        def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
         def encryption_algorithms: () -> ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
         def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+        def key_agreement_algorithms: () -> ::Array[("ECDH")]
       end
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_public_key-instance_method
       def get_public_key: (