aws-sdk-kms 1.26.0 → 1.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d59aaf932f27931fc311148bfc796c86df64701d
-  data.tar.gz: ac1dad7855119f6cddf454fc003e119c2df422dd
+  metadata.gz: 6a983aaa03a80ed7188f61a1bab13d7bcddf5701
+  data.tar.gz: 155fd553e0ddd8cb820d3f1b4e8f051177446d1f
 SHA512:
-  metadata.gz: 39eee3a7813574221e57b7a80147d10ee1fdc3ef79cf1d8969b743167de96c63aa934085091f13e62040ec765cdd217815d4be3dc4f31d8aaccc0f9f8e148434
-  data.tar.gz: 872bbe01e8a2ea47976706e4c8e0177b778ef80b85945aca05fbcdd30bf036c345c129d07fa50a28b7000875f957efc4076c84886275bd1adcc12ed268b841c2
+  metadata.gz: 39eb4bc0cfd2bb7b6cd062d5b1b54052edf5868d720bae9f20359a75b8c84721b676e20444e4454b446b576ea5009ff5d5b3259094d82a0d8eb758abd27af195
+  data.tar.gz: 0fd429e969b0ba7461822783be9b7ea9e77239e021ff189bdeb729327ff2179b887009eacdd77d237f32ae622851fd483cb539fe69717f9d670799e779731741

data/lib/aws-sdk-kms.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-  GEM_VERSION = '1.26.0'
+  GEM_VERSION = '1.27.0'
 
 end

data/lib/aws-sdk-kms/client.rb

@@ -3215,19 +3215,18 @@ module Aws::KMS
     # authorization, and logging that are part of every AWS KMS operation.
     # You also reduce of risk of encrypting data that cannot be decrypted.
     # These features are not effective outside of AWS KMS. For details, see
-    # [Special Considerations for Downloading Public
-    # Keys](kms/latest/developerguide/get-public-key.html#get-public-key-considerations).
+    # [Special Considerations for Downloading Public Keys][2].
     #
     # To help you use the public key safely outside of AWS KMS,
     # `GetPublicKey` returns important information about the public key in
     # the response, including:
     #
-    # * [CustomerMasterKeySpec][2]\: The type of key material in the public
+    # * [CustomerMasterKeySpec][3]\: The type of key material in the public
     #   key, such as `RSA_4096` or `ECC_NIST_P521`.
     #
-    # * [KeyUsage][3]\: Whether the key is used for encryption or signing.
+    # * [KeyUsage][4]\: Whether the key is used for encryption or signing.
     #
-    # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]\: A list of the
+    # * [EncryptionAlgorithms][5] or [SigningAlgorithms][6]\: A list of the
     #   encryption algorithms or the signing algorithms for the key.
     #
     # Although AWS KMS cannot enforce these restrictions on external
@@ -3240,16 +3239,17 @@ module Aws::KMS
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][6] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][7] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
-    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
-    # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
-    # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
+    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
+    # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
+    # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
+    # [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric CMK that includes the public key.
@@ -4208,10 +4208,9 @@ module Aws::KMS
 
     # Decrypts ciphertext and then reencrypts it entirely within AWS KMS.
     # You can use this operation to change the customer master key (CMK)
-    # under which data is encrypted, such as when you [manually
-    # rotate](kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
-    # a CMK or change the CMK that protects a ciphertext. You can also use
-    # it to reencrypt ciphertext under the same CMK, such as to change the
+    # under which data is encrypted, such as when you [manually rotate][1] a
+    # CMK or change the CMK that protects a ciphertext. You can also use it
+    # to reencrypt ciphertext under the same CMK, such as to change the
     # encryption context of a ciphertext.
     #
     # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
@@ -4219,7 +4218,7 @@ module Aws::KMS
     # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
     # using the public key of an asymmetric CMK outside of AWS KMS. However,
     # it cannot decrypt ciphertext produced by other libraries, such as the
-    # [AWS Encryption SDK][1] or [Amazon S3 client-side encryption][2].
+    # [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
     # These libraries return a ciphertext format that is incompatible with
     # AWS KMS.
     #
@@ -4266,21 +4265,22 @@ module Aws::KMS
     # To permit reencryption from
     #
     # or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
-    # policy][3]. This permission is automatically included in the key
+    # policy][4]. This permission is automatically included in the key
     # policy when you use the console to create a CMK. But you must include
     # it manually when you create a CMK programmatically or when you use the
     # PutKeyPolicy operation set a key policy.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][4] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][5] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
-    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
+    # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
+    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String, IO] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -5215,38 +5215,35 @@ module Aws::KMS
     end
 
     # Verifies a digital signature that was generated by the Sign operation.
-    # This operation requires an asymmetric CMK with a `KeyUsage` value of
-    # `SIGN_VERIFY`.
     #
     #
     #
     # Verification confirms that an authorized user signed the message with
-    # the specified key and signing algorithm, and the message hasn't
-    # changed since it was signed. A digital signature is generated by using
-    # the private key in an asymmetric CMK. The signature is verified by
-    # using the public key in the same asymmetric CMK. For information about
-    # symmetric and asymmetric CMKs, see [Using Symmetric and Asymmetric
-    # CMKs][1] in the *AWS Key Management Service Developer Guide*.
+    # the specified CMK and signing algorithm, and the message hasn't
+    # changed since it was signed. If the signature is verified, the value
+    # of the `SignatureValid` field in the response is `True`. If the
+    # signature verification fails, the `Verify` operation fails with an
+    # `KMSInvalidSignatureException` exception.
+    #
+    # A digital signature is generated by using the private key in an
+    # asymmetric CMK. The signature is verified by using the public key in
+    # the same asymmetric CMK. For information about symmetric and
+    # asymmetric CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the
+    # *AWS Key Management Service Developer Guide*.
     #
     # To verify a digital signature, you can use the `Verify` operation.
-    # Specify the same asymmetric CMK that was used by the `Sign` operation
-    # to generate the digital signature.
+    # Specify the same asymmetric CMK, message, and signing algorithm that
+    # were used to produce the signature.
     #
     # You can also verify the digital signature by using the public key of
     # the CMK outside of AWS KMS. Use the GetPublicKey operation to download
     # the public key in the asymmetric CMK and then use the public key to
-    # verify the signature outside of AWS KMS.
-    #
-    # The advantage of using the `Verify` operation is that it is performed
-    # within AWS KMS. As a result, it's easy to call, the operation is
-    # performed within the FIPS boundary, it is logged in AWS CloudTrail,
-    # and you can use key policy and IAM policy to determine who is
-    # authorized to use the CMK to verify signatures.
-    #
-    # The result of the `Verify` operation, which is represented by its HTTP
-    # status code, does not indicate whether the signature verification
-    # succeeded or failed. To determine whether the signature was verified,
-    # see the `SignatureValid` field in the response.
+    # verify the signature outside of AWS KMS. The advantage of using the
+    # `Verify` operation is that it is performed within AWS KMS. As a
+    # result, it's easy to call, the operation is performed within the FIPS
+    # boundary, it is logged in AWS CloudTrail, and you can use key policy
+    # and IAM policy to determine who is authorized to use the CMK to verify
+    # signatures.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
@@ -5260,8 +5257,8 @@ module Aws::KMS
     # @option params [required, String] :key_id
     #   Identifies the asymmetric CMK that will be used to verify the
     #   signature. This must be the same CMK that was used to generate the
-    #   signature. If you specify a different CMK, the value of the
-    #   `SignatureValid` field in the response will be `False`.
+    #   signature. If you specify a different CMK, the signature verification
+    #   fails.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -5288,8 +5285,7 @@ module Aws::KMS
     #   provide a hash digest of the message.
     #
     #   If the digest of the message specified here is different from the
-    #   message digest that was signed, the `SignatureValid` value in the
-    #   response will be `False`.
+    #   message digest that was signed, the signature verification fails.
     #
     # @option params [String] :message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
@@ -5301,8 +5297,7 @@ module Aws::KMS
     #
     # @option params [required, String] :signing_algorithm
     #   The signing algorithm that was used to sign the message. If you submit
-    #   a different algorithm, the value of the `SignatureValid` field in the
-    #   response will be `False`.
+    #   a different algorithm, the signature verification fails.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -5359,7 +5354,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.26.0'
+      context[:gem_version] = '1.27.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/client_api.rb

@@ -121,6 +121,7 @@ module Aws::KMS
     InvalidKeyUsageException = Shapes::StructureShape.new(name: 'InvalidKeyUsageException')
     InvalidMarkerException = Shapes::StructureShape.new(name: 'InvalidMarkerException')
     KMSInternalException = Shapes::StructureShape.new(name: 'KMSInternalException')
+    KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
     KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
     KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
     KeyList = Shapes::ListShape.new(name: 'KeyList')
@@ -525,6 +526,9 @@ module Aws::KMS
     KMSInternalException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     KMSInternalException.struct_class = Types::KMSInternalException
 
+    KMSInvalidSignatureException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
+    KMSInvalidSignatureException.struct_class = Types::KMSInvalidSignatureException
+
     KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
 
@@ -1344,6 +1348,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
       api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
@@ -1427,6 +1432,8 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidSignatureException)
       end)
     end
 

data/lib/aws-sdk-kms/errors.rb

@@ -410,6 +410,22 @@ module Aws::KMS
 
     end
 
+    class KMSInvalidSignatureException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::KMS::Types::KMSInvalidSignatureException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+    end
+
     class KMSInvalidStateException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-kms/types.rb

@@ -2792,6 +2792,21 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # The request was rejected because the signature verification failed.
+    # Signature verification fails when it cannot confirm that signature was
+    # produced by signing the specified message with the specified CMK and
+    # signing algorithm.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidSignatureException AWS API Documentation
+    #
+    class KMSInvalidSignatureException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # The request was rejected because the state of the specified resource
     # is not valid for this request.
     #
@@ -4289,8 +4304,8 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies the asymmetric CMK that will be used to verify the
     #   signature. This must be the same CMK that was used to generate the
-    #   signature. If you specify a different CMK, the value of the
-    #   `SignatureValid` field in the response will be `False`.
+    #   signature. If you specify a different CMK, the signature
+    #   verification fails.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -4318,8 +4333,7 @@ module Aws::KMS
     #   provide a hash digest of the message.
     #
     #   If the digest of the message specified here is different from the
-    #   message digest that was signed, the `SignatureValid` value in the
-    #   response will be `False`.
+    #   message digest that was signed, the signature verification fails.
     #   @return [String]
     #
     # @!attribute [rw] message_type
@@ -4334,8 +4348,7 @@ module Aws::KMS
     #
     # @!attribute [rw] signing_algorithm
     #   The signing algorithm that was used to sign the message. If you
-    #   submit a different algorithm, the value of the `SignatureValid`
-    #   field in the response will be `False`.
+    #   submit a different algorithm, the signature verification fails.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -4368,10 +4381,10 @@ module Aws::KMS
     #
     # @!attribute [rw] signature_valid
     #   A Boolean value that indicates whether the signature was verified. A
-    #   value of True indicates that the `Signature` was produced by signing
-    #   the `Message` with the specified KeyID and `SigningAlgorithm.` A
-    #   value of False indicates that the message, the algorithm, or the key
-    #   changed since the message was signed.
+    #   value of `True` indicates that the `Signature` was produced by
+    #   signing the `Message` with the specified `KeyID` and
+    #   `SigningAlgorithm.` If the signature is not verified, the `Verify`
+    #   operation fails with a `KMSInvalidSignatureException` exception.
     #   @return [Boolean]
     #
     # @!attribute [rw] signing_algorithm

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.26.0
+  version: 1.27.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-25 00:00:00.000000000 Z
+date: 2019-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core