aws-sdk-kms 1.82.0 → 1.87.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +25 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +335 -60
- data/lib/aws-sdk-kms/client_api.rb +41 -0
- data/lib/aws-sdk-kms/endpoints.rb +14 -0
- data/lib/aws-sdk-kms/plugins/endpoints.rb +2 -0
- data/lib/aws-sdk-kms/types.rb +240 -41
- data/lib/aws-sdk-kms.rb +1 -1
- data/sig/client.rbs +26 -3
- data/sig/types.rbs +26 -5
- metadata +4 -4
@@ -63,6 +63,8 @@ module Aws::KMS
|
|
63
63
|
DeleteCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'DeleteCustomKeyStoreResponse')
|
64
64
|
DeleteImportedKeyMaterialRequest = Shapes::StructureShape.new(name: 'DeleteImportedKeyMaterialRequest')
|
65
65
|
DependencyTimeoutException = Shapes::StructureShape.new(name: 'DependencyTimeoutException')
|
66
|
+
DeriveSharedSecretRequest = Shapes::StructureShape.new(name: 'DeriveSharedSecretRequest')
|
67
|
+
DeriveSharedSecretResponse = Shapes::StructureShape.new(name: 'DeriveSharedSecretResponse')
|
66
68
|
DescribeCustomKeyStoresRequest = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresRequest')
|
67
69
|
DescribeCustomKeyStoresResponse = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresResponse')
|
68
70
|
DescribeKeyRequest = Shapes::StructureShape.new(name: 'DescribeKeyRequest')
|
@@ -132,6 +134,8 @@ module Aws::KMS
|
|
132
134
|
KMSInvalidMacException = Shapes::StructureShape.new(name: 'KMSInvalidMacException')
|
133
135
|
KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
|
134
136
|
KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
|
137
|
+
KeyAgreementAlgorithmSpec = Shapes::StringShape.new(name: 'KeyAgreementAlgorithmSpec')
|
138
|
+
KeyAgreementAlgorithmSpecList = Shapes::ListShape.new(name: 'KeyAgreementAlgorithmSpecList')
|
135
139
|
KeyEncryptionMechanism = Shapes::StringShape.new(name: 'KeyEncryptionMechanism')
|
136
140
|
KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
|
137
141
|
KeyList = Shapes::ListShape.new(name: 'KeyList')
|
@@ -386,6 +390,21 @@ module Aws::KMS
|
|
386
390
|
DependencyTimeoutException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
387
391
|
DependencyTimeoutException.struct_class = Types::DependencyTimeoutException
|
388
392
|
|
393
|
+
DeriveSharedSecretRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
394
|
+
DeriveSharedSecretRequest.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, required: true, location_name: "KeyAgreementAlgorithm"))
|
395
|
+
DeriveSharedSecretRequest.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, required: true, location_name: "PublicKey"))
|
396
|
+
DeriveSharedSecretRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
397
|
+
DeriveSharedSecretRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "DryRun"))
|
398
|
+
DeriveSharedSecretRequest.add_member(:recipient, Shapes::ShapeRef.new(shape: RecipientInfo, location_name: "Recipient"))
|
399
|
+
DeriveSharedSecretRequest.struct_class = Types::DeriveSharedSecretRequest
|
400
|
+
|
401
|
+
DeriveSharedSecretResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
402
|
+
DeriveSharedSecretResponse.add_member(:shared_secret, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "SharedSecret"))
|
403
|
+
DeriveSharedSecretResponse.add_member(:ciphertext_for_recipient, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextForRecipient"))
|
404
|
+
DeriveSharedSecretResponse.add_member(:key_agreement_algorithm, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec, location_name: "KeyAgreementAlgorithm"))
|
405
|
+
DeriveSharedSecretResponse.add_member(:key_origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "KeyOrigin"))
|
406
|
+
DeriveSharedSecretResponse.struct_class = Types::DeriveSharedSecretResponse
|
407
|
+
|
389
408
|
DescribeCustomKeyStoresRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
|
390
409
|
DescribeCustomKeyStoresRequest.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "CustomKeyStoreName"))
|
391
410
|
DescribeCustomKeyStoresRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
|
@@ -566,6 +585,7 @@ module Aws::KMS
|
|
566
585
|
GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
567
586
|
GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
568
587
|
GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
588
|
+
GetPublicKeyResponse.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
|
569
589
|
GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
|
570
590
|
|
571
591
|
GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
|
@@ -643,6 +663,8 @@ module Aws::KMS
|
|
643
663
|
KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
644
664
|
KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
|
645
665
|
|
666
|
+
KeyAgreementAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec)
|
667
|
+
|
646
668
|
KeyList.member = Shapes::ShapeRef.new(shape: KeyListEntry)
|
647
669
|
|
648
670
|
KeyListEntry.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
@@ -668,6 +690,7 @@ module Aws::KMS
|
|
668
690
|
KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
669
691
|
KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
670
692
|
KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
693
|
+
KeyMetadata.add_member(:key_agreement_algorithms, Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpecList, location_name: "KeyAgreementAlgorithms"))
|
671
694
|
KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
|
672
695
|
KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
|
673
696
|
KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
|
@@ -990,6 +1013,7 @@ module Aws::KMS
|
|
990
1013
|
|
991
1014
|
api.metadata = {
|
992
1015
|
"apiVersion" => "2014-11-01",
|
1016
|
+
"auth" => ["aws.auth#sigv4"],
|
993
1017
|
"endpointPrefix" => "kms",
|
994
1018
|
"jsonVersion" => "1.1",
|
995
1019
|
"protocol" => "json",
|
@@ -1163,6 +1187,23 @@ module Aws::KMS
|
|
1163
1187
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1164
1188
|
end)
|
1165
1189
|
|
1190
|
+
api.add_operation(:derive_shared_secret, Seahorse::Model::Operation.new.tap do |o|
|
1191
|
+
o.name = "DeriveSharedSecret"
|
1192
|
+
o.http_method = "POST"
|
1193
|
+
o.http_request_uri = "/"
|
1194
|
+
o.input = Shapes::ShapeRef.new(shape: DeriveSharedSecretRequest)
|
1195
|
+
o.output = Shapes::ShapeRef.new(shape: DeriveSharedSecretResponse)
|
1196
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
1197
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
1198
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
1199
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
1200
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
1201
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
1202
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1203
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1204
|
+
o.errors << Shapes::ShapeRef.new(shape: DryRunOperationException)
|
1205
|
+
end)
|
1206
|
+
|
1166
1207
|
api.add_operation(:describe_custom_key_stores, Seahorse::Model::Operation.new.tap do |o|
|
1167
1208
|
o.name = "DescribeCustomKeyStores"
|
1168
1209
|
o.http_method = "POST"
|
@@ -152,6 +152,20 @@ module Aws::KMS
|
|
152
152
|
end
|
153
153
|
end
|
154
154
|
|
155
|
+
class DeriveSharedSecret
|
156
|
+
def self.build(context)
|
157
|
+
unless context.config.regional_endpoint
|
158
|
+
endpoint = context.config.endpoint.to_s
|
159
|
+
end
|
160
|
+
Aws::KMS::EndpointParameters.new(
|
161
|
+
region: context.config.region,
|
162
|
+
use_dual_stack: context.config.use_dualstack_endpoint,
|
163
|
+
use_fips: context.config.use_fips_endpoint,
|
164
|
+
endpoint: endpoint,
|
165
|
+
)
|
166
|
+
end
|
167
|
+
end
|
168
|
+
|
155
169
|
class DescribeCustomKeyStores
|
156
170
|
def self.build(context)
|
157
171
|
unless context.config.regional_endpoint
|
@@ -78,6 +78,8 @@ module Aws::KMS
|
|
78
78
|
Aws::KMS::Endpoints::DeleteCustomKeyStore.build(context)
|
79
79
|
when :delete_imported_key_material
|
80
80
|
Aws::KMS::Endpoints::DeleteImportedKeyMaterial.build(context)
|
81
|
+
when :derive_shared_secret
|
82
|
+
Aws::KMS::Endpoints::DeriveSharedSecret.build(context)
|
81
83
|
when :describe_custom_key_stores
|
82
84
|
Aws::KMS::Endpoints::DescribeCustomKeyStores.build(context)
|
83
85
|
when :describe_key
|
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -841,14 +841,17 @@ module Aws::KMS
|
|
841
841
|
#
|
842
842
|
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
843
843
|
#
|
844
|
-
# * For asymmetric KMS keys with RSA key
|
844
|
+
# * For asymmetric KMS keys with RSA key pairs, specify
|
845
845
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
846
846
|
#
|
847
|
-
# * For asymmetric KMS keys with
|
847
|
+
# * For asymmetric KMS keys with NIST-recommended elliptic curve key
|
848
|
+
# pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
|
849
|
+
#
|
850
|
+
# * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
|
848
851
|
# `SIGN_VERIFY`.
|
849
852
|
#
|
850
|
-
# * For asymmetric KMS keys with SM2 key
|
851
|
-
#
|
853
|
+
# * For asymmetric KMS keys with SM2 key pairs (China Regions only),
|
854
|
+
# specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
|
852
855
|
#
|
853
856
|
#
|
854
857
|
#
|
@@ -904,7 +907,8 @@ module Aws::KMS
|
|
904
907
|
#
|
905
908
|
# * `HMAC_512`
|
906
909
|
#
|
907
|
-
# * Asymmetric RSA key pairs
|
910
|
+
# * Asymmetric RSA key pairs (encryption and decryption -or- signing
|
911
|
+
# and verification)
|
908
912
|
#
|
909
913
|
# * `RSA_2048`
|
910
914
|
#
|
@@ -912,7 +916,8 @@ module Aws::KMS
|
|
912
916
|
#
|
913
917
|
# * `RSA_4096`
|
914
918
|
#
|
915
|
-
# * Asymmetric NIST-recommended elliptic curve key pairs
|
919
|
+
# * Asymmetric NIST-recommended elliptic curve key pairs (signing and
|
920
|
+
# verification -or- deriving shared secrets)
|
916
921
|
#
|
917
922
|
# * `ECC_NIST_P256` (secp256r1)
|
918
923
|
#
|
@@ -920,16 +925,18 @@ module Aws::KMS
|
|
920
925
|
#
|
921
926
|
# * `ECC_NIST_P521` (secp521r1)
|
922
927
|
#
|
923
|
-
# * Other asymmetric elliptic curve key pairs
|
928
|
+
# * Other asymmetric elliptic curve key pairs (signing and
|
929
|
+
# verification)
|
924
930
|
#
|
925
931
|
# * `ECC_SECG_P256K1` (secp256k1), commonly used for
|
926
932
|
# cryptocurrencies.
|
927
933
|
#
|
928
934
|
# ^
|
929
935
|
#
|
930
|
-
# * SM2 key pairs (
|
936
|
+
# * SM2 key pairs (encryption and decryption -or- signing and
|
937
|
+
# verification -or- deriving shared secrets)
|
931
938
|
#
|
932
|
-
# * `SM2`
|
939
|
+
# * `SM2` (China Regions only)
|
933
940
|
#
|
934
941
|
# ^
|
935
942
|
#
|
@@ -1761,6 +1768,195 @@ module Aws::KMS
|
|
1761
1768
|
include Aws::Structure
|
1762
1769
|
end
|
1763
1770
|
|
1771
|
+
# @!attribute [rw] key_id
|
1772
|
+
# Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
|
1773
|
+
# only) KMS key. KMS uses the private key in the specified key pair to
|
1774
|
+
# derive the shared secret. The key usage of the KMS key must be
|
1775
|
+
# `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
|
1776
|
+
# DescribeKey operation.
|
1777
|
+
#
|
1778
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1779
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1780
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1781
|
+
# the key ARN or alias ARN.
|
1782
|
+
#
|
1783
|
+
# For example:
|
1784
|
+
#
|
1785
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
1786
|
+
#
|
1787
|
+
# * Key ARN:
|
1788
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1789
|
+
#
|
1790
|
+
# * Alias name: `alias/ExampleAlias`
|
1791
|
+
#
|
1792
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1793
|
+
#
|
1794
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1795
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1796
|
+
# @return [String]
|
1797
|
+
#
|
1798
|
+
# @!attribute [rw] key_agreement_algorithm
|
1799
|
+
# Specifies the key agreement algorithm used to derive the shared
|
1800
|
+
# secret. The only valid value is `ECDH`.
|
1801
|
+
# @return [String]
|
1802
|
+
#
|
1803
|
+
# @!attribute [rw] public_key
|
1804
|
+
# Specifies the public key in your peer's NIST-recommended elliptic
|
1805
|
+
# curve (ECC) or SM2 (China Regions only) key pair.
|
1806
|
+
#
|
1807
|
+
# The public key must be a DER-encoded X.509 public key, also known as
|
1808
|
+
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
|
1809
|
+
#
|
1810
|
+
# GetPublicKey returns the public key of an asymmetric KMS key pair in
|
1811
|
+
# the required DER-encoded format.
|
1812
|
+
#
|
1813
|
+
# <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
|
1814
|
+
# the DER-encoded X.509 public key in a file. Otherwise, the Amazon
|
1815
|
+
# Web Services CLI Base64-encodes the public key a second time,
|
1816
|
+
# resulting in a `ValidationException`.
|
1817
|
+
#
|
1818
|
+
# </note>
|
1819
|
+
#
|
1820
|
+
# You can specify the public key as binary data in a file using fileb
|
1821
|
+
# (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
|
1822
|
+
#
|
1823
|
+
#
|
1824
|
+
#
|
1825
|
+
# [1]: https://tools.ietf.org/html/rfc5280
|
1826
|
+
# [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
|
1827
|
+
# @return [String]
|
1828
|
+
#
|
1829
|
+
# @!attribute [rw] grant_tokens
|
1830
|
+
# A list of grant tokens.
|
1831
|
+
#
|
1832
|
+
# Use a grant token when your permission to call this operation comes
|
1833
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1834
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1835
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1836
|
+
#
|
1837
|
+
#
|
1838
|
+
#
|
1839
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1840
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1841
|
+
# @return [Array<String>]
|
1842
|
+
#
|
1843
|
+
# @!attribute [rw] dry_run
|
1844
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
1845
|
+
# parameter.
|
1846
|
+
#
|
1847
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
1848
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
1849
|
+
#
|
1850
|
+
#
|
1851
|
+
#
|
1852
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
1853
|
+
# @return [Boolean]
|
1854
|
+
#
|
1855
|
+
# @!attribute [rw] recipient
|
1856
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
1857
|
+
# enclave and the encryption algorithm to use with the enclave's
|
1858
|
+
# public key. The only valid encryption algorithm is
|
1859
|
+
# `RSAES_OAEP_SHA_256`.
|
1860
|
+
#
|
1861
|
+
# This parameter only supports attestation documents for Amazon Web
|
1862
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
|
1863
|
+
# Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
|
1864
|
+
# Enclaves SDK][2] to generate the attestation document and then use
|
1865
|
+
# the Recipient parameter from any Amazon Web Services SDK to provide
|
1866
|
+
# the attestation document for the enclave.
|
1867
|
+
#
|
1868
|
+
# When you use this parameter, instead of returning a plaintext copy
|
1869
|
+
# of the shared secret, KMS encrypts the plaintext shared secret under
|
1870
|
+
# the public key in the attestation document, and returns the
|
1871
|
+
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
1872
|
+
# response. This ciphertext can be decrypted only with the private key
|
1873
|
+
# in the enclave. The `CiphertextBlob` field in the response contains
|
1874
|
+
# the encrypted shared secret derived from the KMS key specified by
|
1875
|
+
# the `KeyId` parameter and public key specified by the `PublicKey`
|
1876
|
+
# parameter. The `SharedSecret` field in the response is null or
|
1877
|
+
# empty.
|
1878
|
+
#
|
1879
|
+
# For information about the interaction between KMS and Amazon Web
|
1880
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
1881
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
1882
|
+
#
|
1883
|
+
#
|
1884
|
+
#
|
1885
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
1886
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
1887
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1888
|
+
# @return [Types::RecipientInfo]
|
1889
|
+
#
|
1890
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
|
1891
|
+
#
|
1892
|
+
class DeriveSharedSecretRequest < Struct.new(
|
1893
|
+
:key_id,
|
1894
|
+
:key_agreement_algorithm,
|
1895
|
+
:public_key,
|
1896
|
+
:grant_tokens,
|
1897
|
+
:dry_run,
|
1898
|
+
:recipient)
|
1899
|
+
SENSITIVE = []
|
1900
|
+
include Aws::Structure
|
1901
|
+
end
|
1902
|
+
|
1903
|
+
# @!attribute [rw] key_id
|
1904
|
+
# Identifies the KMS key used to derive the shared secret.
|
1905
|
+
# @return [String]
|
1906
|
+
#
|
1907
|
+
# @!attribute [rw] shared_secret
|
1908
|
+
# The raw secret derived from the specified key agreement algorithm,
|
1909
|
+
# private key in the asymmetric KMS key, and your peer's public key.
|
1910
|
+
#
|
1911
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
1912
|
+
# `SharedSecret` field is null or empty.
|
1913
|
+
# @return [String]
|
1914
|
+
#
|
1915
|
+
# @!attribute [rw] ciphertext_for_recipient
|
1916
|
+
# The plaintext shared secret encrypted with the public key in the
|
1917
|
+
# attestation document.
|
1918
|
+
#
|
1919
|
+
# This field is included in the response only when the `Recipient`
|
1920
|
+
# parameter in the request includes a valid attestation document from
|
1921
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
1922
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
1923
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
1924
|
+
# Management Service Developer Guide*.
|
1925
|
+
#
|
1926
|
+
#
|
1927
|
+
#
|
1928
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1929
|
+
# @return [String]
|
1930
|
+
#
|
1931
|
+
# @!attribute [rw] key_agreement_algorithm
|
1932
|
+
# Identifies the key agreement algorithm used to derive the shared
|
1933
|
+
# secret.
|
1934
|
+
# @return [String]
|
1935
|
+
#
|
1936
|
+
# @!attribute [rw] key_origin
|
1937
|
+
# The source of the key material for the specified KMS key.
|
1938
|
+
#
|
1939
|
+
# When this value is `AWS_KMS`, KMS created the key material. When
|
1940
|
+
# this value is `EXTERNAL`, the key material was imported or the KMS
|
1941
|
+
# key doesn't have any key material.
|
1942
|
+
#
|
1943
|
+
# The only valid values for DeriveSharedSecret are `AWS_KMS` and
|
1944
|
+
# `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
|
1945
|
+
# `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
|
1946
|
+
# @return [String]
|
1947
|
+
#
|
1948
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
|
1949
|
+
#
|
1950
|
+
class DeriveSharedSecretResponse < Struct.new(
|
1951
|
+
:key_id,
|
1952
|
+
:shared_secret,
|
1953
|
+
:ciphertext_for_recipient,
|
1954
|
+
:key_agreement_algorithm,
|
1955
|
+
:key_origin)
|
1956
|
+
SENSITIVE = [:shared_secret]
|
1957
|
+
include Aws::Structure
|
1958
|
+
end
|
1959
|
+
|
1764
1960
|
# @!attribute [rw] custom_key_store_id
|
1765
1961
|
# Gets only information about the specified custom key store. Enter
|
1766
1962
|
# the key store ID.
|
@@ -2317,8 +2513,11 @@ module Aws::KMS
|
|
2317
2513
|
# `RSAES_OAEP_SHA_256`.
|
2318
2514
|
#
|
2319
2515
|
# This parameter only supports attestation documents for Amazon Web
|
2320
|
-
# Services Nitro Enclaves. To
|
2321
|
-
# Web Services Nitro Enclaves
|
2516
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
|
2517
|
+
# Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
|
2518
|
+
# Enclaves SDK][2] to generate the attestation document and then use
|
2519
|
+
# the Recipient parameter from any Amazon Web Services SDK to provide
|
2520
|
+
# the attestation document for the enclave.
|
2322
2521
|
#
|
2323
2522
|
# When you use this parameter, instead of returning a plaintext copy
|
2324
2523
|
# of the private data key, KMS encrypts the plaintext private data key
|
@@ -3208,28 +3407,20 @@ module Aws::KMS
|
|
3208
3407
|
# @return [String]
|
3209
3408
|
#
|
3210
3409
|
# @!attribute [rw] wrapping_algorithm
|
3211
|
-
# The algorithm you will use with the
|
3212
|
-
#
|
3213
|
-
#
|
3410
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
3411
|
+
# the response to protect your key material during import. For more
|
3412
|
+
# information, see [Select a wrapping
|
3214
3413
|
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
3215
3414
|
# in the *Key Management Service Developer Guide*.
|
3216
3415
|
#
|
3217
3416
|
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
3218
3417
|
# an AES key that you generate, then encrypt your AES key with the RSA
|
3219
3418
|
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
3220
|
-
# key material directly with the RSA public key from KMS.
|
3221
|
-
# wrapping algorithms, you encrypt your key material directly with the
|
3222
|
-
# SM2 public key from KMS.
|
3419
|
+
# key material directly with the RSA public key from KMS.
|
3223
3420
|
#
|
3224
3421
|
# The wrapping algorithms that you can use depend on the type of key
|
3225
3422
|
# material that you are importing. To import an RSA private key, you
|
3226
|
-
# must use an RSA\_AES wrapping algorithm
|
3227
|
-
# where you must use the SM2PKE wrapping algorithm to import an RSA
|
3228
|
-
# private key.
|
3229
|
-
#
|
3230
|
-
# The SM2PKE wrapping algorithm is available only in China Regions.
|
3231
|
-
# The `RSA_AES_KEY_WRAP_SHA_256` and `RSA_AES_KEY_WRAP_SHA_1` wrapping
|
3232
|
-
# algorithms are not supported in China Regions.
|
3423
|
+
# must use an RSA\_AES wrapping algorithm.
|
3233
3424
|
#
|
3234
3425
|
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
3235
3426
|
# ECC key material.
|
@@ -3252,23 +3443,18 @@ module Aws::KMS
|
|
3252
3443
|
#
|
3253
3444
|
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
|
3254
3445
|
# does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
|
3255
|
-
#
|
3256
|
-
# * **SM2PKE** (China Regions only) — supported for wrapping RSA, ECC,
|
3257
|
-
# and SM2 key material.
|
3258
3446
|
# @return [String]
|
3259
3447
|
#
|
3260
3448
|
# @!attribute [rw] wrapping_key_spec
|
3261
|
-
# The type of public key to return in the response. You will use
|
3262
|
-
# wrapping key with the specified wrapping algorithm to protect
|
3263
|
-
# key material during import.
|
3449
|
+
# The type of RSA public key to return in the response. You will use
|
3450
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
3451
|
+
# your key material during import.
|
3264
3452
|
#
|
3265
|
-
# Use the longest wrapping key that is practical.
|
3453
|
+
# Use the longest RSA wrapping key that is practical.
|
3266
3454
|
#
|
3267
3455
|
# You cannot use an RSA\_2048 public key to directly wrap an
|
3268
3456
|
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
3269
3457
|
# algorithm or choose a longer RSA public key.
|
3270
|
-
#
|
3271
|
-
# The SM2 wrapping key spec is available only in China Regions.
|
3272
3458
|
# @return [String]
|
3273
3459
|
#
|
3274
3460
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
@@ -3401,12 +3587,12 @@ module Aws::KMS
|
|
3401
3587
|
# @return [String]
|
3402
3588
|
#
|
3403
3589
|
# @!attribute [rw] key_usage
|
3404
|
-
# The permitted use of the public key. Valid values
|
3405
|
-
# `ENCRYPT_DECRYPT`
|
3590
|
+
# The permitted use of the public key. Valid values for asymmetric key
|
3591
|
+
# pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
|
3406
3592
|
#
|
3407
|
-
# This information is critical.
|
3408
|
-
# usage encrypts data outside of KMS, the ciphertext
|
3409
|
-
# decrypted.
|
3593
|
+
# This information is critical. For example, if a public key with
|
3594
|
+
# `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
|
3595
|
+
# cannot be decrypted.
|
3410
3596
|
# @return [String]
|
3411
3597
|
#
|
3412
3598
|
# @!attribute [rw] encryption_algorithms
|
@@ -3427,6 +3613,12 @@ module Aws::KMS
|
|
3427
3613
|
# public key is `SIGN_VERIFY`.
|
3428
3614
|
# @return [Array<String>]
|
3429
3615
|
#
|
3616
|
+
# @!attribute [rw] key_agreement_algorithms
|
3617
|
+
# The key agreement algorithm used to derive a shared secret. This
|
3618
|
+
# field is present only when the KMS key has a `KeyUsage` value of
|
3619
|
+
# `KEY_AGREEMENT`.
|
3620
|
+
# @return [Array<String>]
|
3621
|
+
#
|
3430
3622
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
|
3431
3623
|
#
|
3432
3624
|
class GetPublicKeyResponse < Struct.new(
|
@@ -3436,7 +3628,8 @@ module Aws::KMS
|
|
3436
3628
|
:key_spec,
|
3437
3629
|
:key_usage,
|
3438
3630
|
:encryption_algorithms,
|
3439
|
-
:signing_algorithms
|
3631
|
+
:signing_algorithms,
|
3632
|
+
:key_agreement_algorithms)
|
3440
3633
|
SENSITIVE = []
|
3441
3634
|
include Aws::Structure
|
3442
3635
|
end
|
@@ -3824,8 +4017,9 @@ module Aws::KMS
|
|
3824
4017
|
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
3825
4018
|
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
3826
4019
|
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
3827
|
-
# `GENERATE_VERIFY_MAC`.
|
3828
|
-
#
|
4020
|
+
# `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
|
4021
|
+
# `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
|
4022
|
+
# key, use the DescribeKey operation.
|
3829
4023
|
#
|
3830
4024
|
# To find the encryption or signing algorithms supported for a
|
3831
4025
|
# particular KMS key, use the DescribeKey operation.
|
@@ -4104,6 +4298,10 @@ module Aws::KMS
|
|
4104
4298
|
# `SIGN_VERIFY`.
|
4105
4299
|
# @return [Array<String>]
|
4106
4300
|
#
|
4301
|
+
# @!attribute [rw] key_agreement_algorithms
|
4302
|
+
# The key agreement algorithm used to derive a shared secret.
|
4303
|
+
# @return [Array<String>]
|
4304
|
+
#
|
4107
4305
|
# @!attribute [rw] multi_region
|
4108
4306
|
# Indicates whether the KMS key is a multi-Region (`True`) or regional
|
4109
4307
|
# (`False`) key. This value is `True` for multi-Region primary and
|
@@ -4197,6 +4395,7 @@ module Aws::KMS
|
|
4197
4395
|
:key_spec,
|
4198
4396
|
:encryption_algorithms,
|
4199
4397
|
:signing_algorithms,
|
4398
|
+
:key_agreement_algorithms,
|
4200
4399
|
:multi_region,
|
4201
4400
|
:multi_region_configuration,
|
4202
4401
|
:pending_deletion_window_in_days,
|
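Review bot: The Recipient documentation in this section names fields and operations that do not match the struct it sits on. In the `recipient` attribute of DeriveSharedSecretRequest (new lines 1873–1877) the text says "The `CiphertextBlob` field in the response contains the encrypted shared secret", but DeriveSharedSecretResponse (new lines 1950–1958) defines only `key_id`, `shared_secret`, `ciphertext_for_recipient`, `key_agreement_algorithm` and `key_origin`, so the sentence should name `CiphertextForRecipient`. The same paragraph pasted into the later hunk (new lines 2516–2520) tells the reader to "call DeriveSharedSecret", although the attribute it belongs to goes on to describe a "private data key", so that occurrence appears to have been copied into a data-key-pair request by mistake. Because these YARD comments are generated from the service model, the correction most likely belongs in the upstream API documentation rather than a hand edit here. Marking the response with `SENSITIVE = [:shared_secret]` is the right call for the derived key material and, as far as I can tell, is what keeps it out of the struct's `inspect` output.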
data/lib/aws-sdk-kms.rb
CHANGED
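--- a/data/sig/client.rbs
+++ b/data/sig/client.rbs
@@ -131,7 +131,7 @@ module Aws
 key_id: ::String,
 grantee_principal: ::String,
 ?retiring_principal: ::String,
-operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")],
+operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")],
 ?constraints: {
 encryption_context_subset: Hash[::String, ::String]?,
 encryption_context_equals: Hash[::String, ::String]?
@@ -150,7 +150,7 @@ module Aws
 def create_key: (
 ?policy: ::String,
 ?description: ::String,
-?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC"),
+?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT"),
 ?customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
 ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
 ?origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE"),
@@ -210,6 +210,28 @@ module Aws
 ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
 | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
 
+interface _DeriveSharedSecretResponseSuccess
+include ::Seahorse::Client::_ResponseSuccess[Types::DeriveSharedSecretResponse]
+def key_id: () -> ::String
+def shared_secret: () -> ::String
+def ciphertext_for_recipient: () -> ::String
+def key_agreement_algorithm: () -> ("ECDH")
+def key_origin: () -> ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
+end
+# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#derive_shared_secret-instance_method
+def derive_shared_secret: (
+key_id: ::String,
+key_agreement_algorithm: ("ECDH"),
+public_key: ::String,
+?grant_tokens: Array[::String],
+?dry_run: bool,
+?recipient: {
+key_encryption_algorithm: ("RSAES_OAEP_SHA_256")?,
+attestation_document: ::String?
+}
+) -> _DeriveSharedSecretResponseSuccess
+| (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _DeriveSharedSecretResponseSuccess
+
 interface _DescribeCustomKeyStoresResponseSuccess
 include ::Seahorse::Client::_ResponseSuccess[Types::DescribeCustomKeyStoresResponse]
 def custom_key_stores: () -> ::Array[Types::CustomKeyStoresListEntry]
@@ -444,9 +466,10 @@ module Aws
 def public_key: () -> ::String
 def customer_master_key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
 def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
 def encryption_algorithms: () -> ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
 def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+def key_agreement_algorithms: () -> ::Array[("ECDH")]
 end
 # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_public_key-instance_method
 def get_public_key: (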
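Review bot: The `key_origin` signature in the new `_DeriveSharedSecretResponseSuccess` interface (new lines 213–220) advertises the full origin enum, while the types.rb documentation in this same diff states that DeriveSharedSecret returns only `AWS_KMS` or `EXTERNAL` and does not support `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` keys; a reader of the signature file cannot see that two of the four values are unreachable here. Narrowing the RBS union is probably wrong since the enum is shared with other operations, but a one-line comment above `def derive_shared_secret:`, `# key_origin is AWS_KMS or EXTERNAL for this operation; CloudHSM and external-key-store keys are not supported`, would carry that constraint into the signature. In the same method, `public_key: ::String` gives no hint that the value must be the DER-encoded SubjectPublicKeyInfo described in the request documentation rather than textual form, which is worth a short comment on that parameter as well.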