@aws-sdk/client-kms 3.596.0 → 3.598.0

package/dist-types/models/models_0.d.ts

@@ -917,6 +917,7 @@ export interface GrantConstraints {
 export declare const GrantOperation: {
     readonly CreateGrant: "CreateGrant";
     readonly Decrypt: "Decrypt";
+    readonly DeriveSharedSecret: "DeriveSharedSecret";
     readonly DescribeKey: "DescribeKey";
     readonly Encrypt: "Encrypt";
     readonly GenerateDataKey: "GenerateDataKey";
@@ -1166,6 +1167,7 @@ export type KeySpec = (typeof KeySpec)[keyof typeof KeySpec];
 export declare const KeyUsageType: {
     readonly ENCRYPT_DECRYPT: "ENCRYPT_DECRYPT";
     readonly GENERATE_VERIFY_MAC: "GENERATE_VERIFY_MAC";
+    readonly KEY_AGREEMENT: "KEY_AGREEMENT";
     readonly SIGN_VERIFY: "SIGN_VERIFY";
 };
 /**
@@ -1266,16 +1268,20 @@ export interface CreateKeyRequest {
      *                <p>For HMAC KMS keys (symmetric), specify <code>GENERATE_VERIFY_MAC</code>.</p>
      *             </li>
      *             <li>
-     *                <p>For asymmetric KMS keys with RSA key material, specify <code>ENCRYPT_DECRYPT</code> or
+     *                <p>For asymmetric KMS keys with RSA key pairs, specify <code>ENCRYPT_DECRYPT</code> or
      *             <code>SIGN_VERIFY</code>.</p>
      *             </li>
      *             <li>
-     *                <p>For asymmetric KMS keys with ECC key material, specify
+     *                <p>For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify
+     *           <code>SIGN_VERIFY</code> or <code>KEY_AGREEMENT</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>For asymmetric KMS keys with <code>ECC_SECG_P256K1</code> key pairs specify
      *           <code>SIGN_VERIFY</code>.</p>
      *             </li>
      *             <li>
-     *                <p>For asymmetric KMS keys with SM2 key material (China Regions only), specify
-     *             <code>ENCRYPT_DECRYPT</code> or <code>SIGN_VERIFY</code>.</p>
+     *                <p>For asymmetric KMS keys with SM2 key pairs (China Regions only), specify
+     *             <code>ENCRYPT_DECRYPT</code>, <code>SIGN_VERIFY</code>, or <code>KEY_AGREEMENT</code>.</p>
      *             </li>
      *          </ul>
      * @public
@@ -1349,7 +1355,7 @@ export interface CreateKeyRequest {
      *                </ul>
      *             </li>
      *             <li>
-     *                <p>Asymmetric RSA key pairs</p>
+     *                <p>Asymmetric RSA key pairs (encryption and decryption -or- signing and verification)</p>
      *                <ul>
      *                   <li>
      *                      <p>
@@ -1369,7 +1375,7 @@ export interface CreateKeyRequest {
      *                </ul>
      *             </li>
      *             <li>
-     *                <p>Asymmetric NIST-recommended elliptic curve key pairs</p>
+     *                <p>Asymmetric NIST-recommended elliptic curve key pairs (signing and verification -or- deriving shared secrets)</p>
      *                <ul>
      *                   <li>
      *                      <p>
@@ -1386,7 +1392,7 @@ export interface CreateKeyRequest {
      *                </ul>
      *             </li>
      *             <li>
-     *                <p>Other asymmetric elliptic curve key pairs</p>
+     *                <p>Other asymmetric elliptic curve key pairs (signing and verification)</p>
      *                <ul>
      *                   <li>
      *                      <p>
@@ -1396,12 +1402,11 @@ export interface CreateKeyRequest {
      *                </ul>
      *             </li>
      *             <li>
-     *                <p>SM2 key pairs (China Regions only)</p>
+     *                <p>SM2 key pairs (encryption and decryption -or- signing and verification -or- deriving shared secrets)</p>
      *                <ul>
      *                   <li>
      *                      <p>
-     *                         <code>SM2</code>
-     *                      </p>
+     *                         <code>SM2</code> (China Regions only)</p>
      *                   </li>
      *                </ul>
      *             </li>
@@ -1547,6 +1552,17 @@ export declare const ExpirationModelType: {
  * @public
  */
 export type ExpirationModelType = (typeof ExpirationModelType)[keyof typeof ExpirationModelType];
+/**
+ * @public
+ * @enum
+ */
+export declare const KeyAgreementAlgorithmSpec: {
+    readonly ECDH: "ECDH";
+};
+/**
+ * @public
+ */
+export type KeyAgreementAlgorithmSpec = (typeof KeyAgreementAlgorithmSpec)[keyof typeof KeyAgreementAlgorithmSpec];
 /**
  * @public
  * @enum
@@ -1820,6 +1836,11 @@ export interface KeyMetadata {
      * @public
      */
     SigningAlgorithms?: SigningAlgorithmSpec[];
+    /**
+     * <p>The key agreement algorithm used to derive a shared secret.</p>
+     * @public
+     */
+    KeyAgreementAlgorithms?: KeyAgreementAlgorithmSpec[];
     /**
      * <p>Indicates whether the KMS key is a multi-Region (<code>True</code>) or regional
      *         (<code>False</code>) key. This value is <code>True</code> for multi-Region primary and
@@ -2533,7 +2554,8 @@ export declare class InvalidCiphertextException extends __BaseException {
  *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
  *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
  *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
- *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
+ *         <code>GENERATE_VERIFY_MAC</code>. For deriving key agreement secrets, the
+ *       <code>KeyUsage</code> must be <code>KEY_AGREEMENT</code>. To find the <code>KeyUsage</code> of a KMS key, use the
  *         <a>DescribeKey</a> operation.</p>
  *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
  *         <a>DescribeKey</a> operation.</p>
@@ -2610,6 +2632,134 @@ export interface DeleteImportedKeyMaterialRequest {
      */
     KeyId: string | undefined;
 }
+/**
+ * @public
+ */
+export interface DeriveSharedSecretRequest {
+    /**
+     * <p>Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only) KMS key. KMS
+     *       uses the private key in the specified key pair to derive the shared secret. The key usage of
+     *       the KMS key must be <code>KEY_AGREEMENT</code>. To find the
+     *       <code>KeyUsage</code> of a KMS key, use the <a>DescribeKey</a> operation.</p>
+     *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
+     *          <p>For example:</p>
+     *          <ul>
+     *             <li>
+     *                <p>Key ID: <code>1234abcd-12ab-34cd-56ef-1234567890ab</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>Key ARN: <code>arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>Alias name: <code>alias/ExampleAlias</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>Alias ARN: <code>arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias</code>
+     *                </p>
+     *             </li>
+     *          </ul>
+     *          <p>To get the key ID and key ARN for a KMS key, use <a>ListKeys</a> or <a>DescribeKey</a>. To get the alias name and alias ARN, use <a>ListAliases</a>.</p>
+     * @public
+     */
+    KeyId: string | undefined;
+    /**
+     * <p>Specifies the key agreement algorithm used to derive the shared secret. The only valid value is <code>ECDH</code>.</p>
+     * @public
+     */
+    KeyAgreementAlgorithm: KeyAgreementAlgorithmSpec | undefined;
+    /**
+     * <p>Specifies the public key in your peer's NIST-recommended elliptic curve (ECC) or SM2 (China Regions only) key pair.</p>
+     *          <p>The public key must be a DER-encoded X.509 public key, also known as <code>SubjectPublicKeyInfo</code> (SPKI), as defined in <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>.</p>
+     *          <p>
+     *             <a>GetPublicKey</a> returns the public key of an asymmetric KMS key pair in the required DER-encoded format.</p>
+     *          <note>
+     *             <p>If you use <a href="https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html">Amazon Web Services CLI version 1</a>,
+     *         you must provide the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web Services CLI Base64-encodes the public key a
+     *         second time, resulting in a <code>ValidationException</code>.</p>
+     *          </note>
+     *          <p>You can specify the public key as binary data in a file using fileb (<code>fileb://<path-to-file></code>) or
+     *       in-line using a Base64 encoded string.</p>
+     * @public
+     */
+    PublicKey: Uint8Array | undefined;
+    /**
+     * <p>A list of grant tokens.</p>
+     *          <p>Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved <i>eventual consistency</i>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">Grant token</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token">Using a grant token</a> in the
+     *     <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    GrantTokens?: string[];
+    /**
+     * <p>Checks if your request will succeed. <code>DryRun</code> is an optional parameter. </p>
+     *          <p>To learn more about how to use this parameter, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html">Testing your KMS API calls</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    DryRun?: boolean;
+    /**
+     * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
+     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
+     *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To call
+     *       DeriveSharedSecret for an Amazon Web Services Nitro Enclaves, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> to generate the attestation
+     *       document and then use the Recipient parameter from any Amazon Web Services SDK to provide the attestation
+     *       document for the enclave.</p>
+     *          <p>When you use this parameter, instead of returning a plaintext copy of the shared secret,
+     *       KMS encrypts the plaintext shared secret under the public key in the attestation
+     *       document, and returns the resulting ciphertext in the <code>CiphertextForRecipient</code>
+     *       field in the response. This ciphertext can be decrypted only with the private key in the
+     *       enclave. The <code>CiphertextBlob</code> field in the response contains the encrypted shared
+     *       secret derived from the KMS key specified by the <code>KeyId</code> parameter and public key
+     *       specified by the <code>PublicKey</code> parameter. The <code>SharedSecret</code> field in
+     *       the response is null or empty.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    Recipient?: RecipientInfo;
+}
+/**
+ * @public
+ */
+export interface DeriveSharedSecretResponse {
+    /**
+     * <p>Identifies the KMS key used to derive the shared secret.</p>
+     * @public
+     */
+    KeyId?: string;
+    /**
+     * <p>The raw secret derived from the specified key agreement algorithm, private key in the
+     *       asymmetric KMS key, and your peer's public key.</p>
+     *          <p>If the response includes the <code>CiphertextForRecipient</code> field, the <code>SharedSecret</code> field is null or
+     *       empty.</p>
+     * @public
+     */
+    SharedSecret?: Uint8Array;
+    /**
+     * <p>The plaintext shared secret encrypted with the public key in the attestation document.</p>
+     *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    CiphertextForRecipient?: Uint8Array;
+    /**
+     * <p>Identifies the key agreement algorithm used to derive the shared secret.</p>
+     * @public
+     */
+    KeyAgreementAlgorithm?: KeyAgreementAlgorithmSpec;
+    /**
+     * <p>The source of the key material for the specified KMS key.</p>
+     *          <p>When this value is <code>AWS_KMS</code>, KMS created the key material. When this value is <code>EXTERNAL</code>,
+     *       the key material was imported or the KMS key doesn't have any key material.</p>
+     *          <p>The only valid values for DeriveSharedSecret are <code>AWS_KMS</code> and <code>EXTERNAL</code>. DeriveSharedSecret
+     *       does not support KMS keys with a <code>KeyOrigin</code> value of <code>AWS_CLOUDHSM</code> or
+     *       <code>EXTERNAL_KEY_STORE</code>.</p>
+     * @public
+     */
+    KeyOrigin?: OriginType;
+}
 /**
  * @public
  */
@@ -3156,8 +3306,10 @@ export interface GenerateDataKeyPairRequest {
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
      *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
      *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
-     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To call
+     *       DeriveSharedSecret for an Amazon Web Services Nitro Enclaves, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> to generate the attestation
+     *       document and then use the Recipient parameter from any Amazon Web Services SDK to provide the attestation
+     *       document for the enclave.</p>
      *          <p>When you use this parameter, instead of returning a plaintext copy of the private data
      *       key, KMS encrypts the plaintext private data key under the public key in the attestation
      *       document, and returns the resulting ciphertext in the <code>CiphertextForRecipient</code>
@@ -3658,19 +3810,13 @@ export interface GetParametersForImportRequest {
      */
     KeyId: string | undefined;
     /**
-     * <p>The algorithm you will use with the asymmetric public key (<code>PublicKey</code>) in the
+     * <p>The algorithm you will use with the RSA public key (<code>PublicKey</code>) in the
      *       response to protect your key material during import. For more information, see <a href="kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm">Select a wrapping algorithm</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you
      *       generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping
-     *       algorithms, you encrypt your key material directly with the RSA public key from KMS.
-     *       For SM2PKE wrapping algorithms, you encrypt your key material directly with the SM2 public key
-     *       from KMS.</p>
+     *       algorithms, you encrypt your key material directly with the RSA public key from KMS.</p>
      *          <p>The wrapping algorithms that you can use depend on the type of key material that you are
-     *       importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm, except
-     *       in China Regions, where you must use the SM2PKE wrapping algorithm to import an RSA private key.</p>
-     *          <p>The SM2PKE wrapping algorithm is available only in China Regions. The
-     *       <code>RSA_AES_KEY_WRAP_SHA_256</code> and <code>RSA_AES_KEY_WRAP_SHA_1</code>
-     *       wrapping algorithms are not supported in China Regions.</p>
+     *       importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.</p>
      *          <ul>
      *             <li>
      *                <p>
@@ -3701,22 +3847,16 @@ export interface GetParametersForImportRequest {
      *                   <b>RSAES_PKCS1_V1_5</b> (Deprecated) — As of October
      *           10, 2023, KMS does not support the RSAES_PKCS1_V1_5 wrapping algorithm.</p>
      *             </li>
-     *             <li>
-     *                <p>
-     *                   <b>SM2PKE</b> (China Regions only) — supported for
-     *           wrapping RSA, ECC, and SM2 key material.</p>
-     *             </li>
      *          </ul>
      * @public
      */
     WrappingAlgorithm: AlgorithmSpec | undefined;
     /**
-     * <p>The type of public key to return in the response. You will use this wrapping key with
+     * <p>The type of RSA public key to return in the response. You will use this wrapping key with
      *       the specified wrapping algorithm to protect your key material during import. </p>
-     *          <p>Use the longest wrapping key that is practical. </p>
+     *          <p>Use the longest RSA wrapping key that is practical. </p>
      *          <p>You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private key.
      *       Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public key.</p>
-     *          <p>The SM2 wrapping key spec is available only in China Regions.</p>
      * @public
      */
     WrappingKeySpec: WrappingKeySpec | undefined;
@@ -3823,9 +3963,9 @@ export interface GetPublicKeyResponse {
      */
     KeySpec?: KeySpec;
     /**
-     * <p>The permitted use of the public key. Valid values are <code>ENCRYPT_DECRYPT</code> or
-     *         <code>SIGN_VERIFY</code>. </p>
-     *          <p>This information is critical. If a public key with <code>SIGN_VERIFY</code> key usage
+     * <p>The permitted use of the public key. Valid values for asymmetric key pairs are <code>ENCRYPT_DECRYPT</code>,
+     *         <code>SIGN_VERIFY</code>, and <code>KEY_AGREEMENT</code>. </p>
+     *          <p>This information is critical. For example, if a public key with <code>SIGN_VERIFY</code> key usage
      *       encrypts data outside of KMS, the ciphertext cannot be decrypted. </p>
      * @public
      */
@@ -3846,6 +3986,11 @@ export interface GetPublicKeyResponse {
      * @public
      */
     SigningAlgorithms?: SigningAlgorithmSpec[];
+    /**
+     * <p>The key agreement algorithm used to derive a shared secret. This field is present only when the KMS key has a <code>KeyUsage</code> value of <code>KEY_AGREEMENT</code>.</p>
+     * @public
+     */
+    KeyAgreementAlgorithms?: KeyAgreementAlgorithmSpec[];
 }
 /**
  * <p>Contains information about a grant.</p>
@@ -5757,6 +5902,10 @@ export declare const CustomKeyStoresListEntryFilterSensitiveLog: (obj: CustomKey
  * @internal
  */
 export declare const DecryptResponseFilterSensitiveLog: (obj: DecryptResponse) => any;
+/**
+ * @internal
+ */
+export declare const DeriveSharedSecretResponseFilterSensitiveLog: (obj: DeriveSharedSecretResponse) => any;
 /**
  * @internal
  */

package/dist-types/protocols/Aws_json1_1.d.ts

@@ -10,6 +10,7 @@ import { DecryptCommandInput, DecryptCommandOutput } from "../commands/DecryptCo
 import { DeleteAliasCommandInput, DeleteAliasCommandOutput } from "../commands/DeleteAliasCommand";
 import { DeleteCustomKeyStoreCommandInput, DeleteCustomKeyStoreCommandOutput } from "../commands/DeleteCustomKeyStoreCommand";
 import { DeleteImportedKeyMaterialCommandInput, DeleteImportedKeyMaterialCommandOutput } from "../commands/DeleteImportedKeyMaterialCommand";
+import { DeriveSharedSecretCommandInput, DeriveSharedSecretCommandOutput } from "../commands/DeriveSharedSecretCommand";
 import { DescribeCustomKeyStoresCommandInput, DescribeCustomKeyStoresCommandOutput } from "../commands/DescribeCustomKeyStoresCommand";
 import { DescribeKeyCommandInput, DescribeKeyCommandOutput } from "../commands/DescribeKeyCommand";
 import { DisableKeyCommandInput, DisableKeyCommandOutput } from "../commands/DisableKeyCommand";
@@ -92,6 +93,10 @@ export declare const se_DeleteCustomKeyStoreCommand: (input: DeleteCustomKeyStor
  * serializeAws_json1_1DeleteImportedKeyMaterialCommand
  */
 export declare const se_DeleteImportedKeyMaterialCommand: (input: DeleteImportedKeyMaterialCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
+/**
+ * serializeAws_json1_1DeriveSharedSecretCommand
+ */
+export declare const se_DeriveSharedSecretCommand: (input: DeriveSharedSecretCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
 /**
  * serializeAws_json1_1DescribeCustomKeyStoresCommand
  */
@@ -300,6 +305,10 @@ export declare const de_DeleteCustomKeyStoreCommand: (output: __HttpResponse, co
  * deserializeAws_json1_1DeleteImportedKeyMaterialCommand
  */
 export declare const de_DeleteImportedKeyMaterialCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<DeleteImportedKeyMaterialCommandOutput>;
+/**
+ * deserializeAws_json1_1DeriveSharedSecretCommand
+ */
+export declare const de_DeriveSharedSecretCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<DeriveSharedSecretCommandOutput>;
 /**
  * deserializeAws_json1_1DescribeCustomKeyStoresCommand
  */

package/dist-types/ts3.4/KMS.d.ts

@@ -39,6 +39,10 @@ import {
   DeleteImportedKeyMaterialCommandInput,
   DeleteImportedKeyMaterialCommandOutput,
 } from "./commands/DeleteImportedKeyMaterialCommand";
+import {
+  DeriveSharedSecretCommandInput,
+  DeriveSharedSecretCommandOutput,
+} from "./commands/DeriveSharedSecretCommand";
 import {
   DescribeCustomKeyStoresCommandInput,
   DescribeCustomKeyStoresCommandOutput,
@@ -337,6 +341,19 @@ export interface KMS {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: DeleteImportedKeyMaterialCommandOutput) => void
   ): void;
+  deriveSharedSecret(
+    args: DeriveSharedSecretCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<DeriveSharedSecretCommandOutput>;
+  deriveSharedSecret(
+    args: DeriveSharedSecretCommandInput,
+    cb: (err: any, data?: DeriveSharedSecretCommandOutput) => void
+  ): void;
+  deriveSharedSecret(
+    args: DeriveSharedSecretCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: DeriveSharedSecretCommandOutput) => void
+  ): void;
   describeCustomKeyStores(): Promise<DescribeCustomKeyStoresCommandOutput>;
   describeCustomKeyStores(
     args: DescribeCustomKeyStoresCommandInput,

package/dist-types/ts3.4/KMSClient.d.ts

@@ -85,6 +85,10 @@ import {
   DeleteImportedKeyMaterialCommandInput,
   DeleteImportedKeyMaterialCommandOutput,
 } from "./commands/DeleteImportedKeyMaterialCommand";
+import {
+  DeriveSharedSecretCommandInput,
+  DeriveSharedSecretCommandOutput,
+} from "./commands/DeriveSharedSecretCommand";
 import {
   DescribeCustomKeyStoresCommandInput,
   DescribeCustomKeyStoresCommandOutput,
@@ -268,6 +272,7 @@ export type ServiceInputTypes =
   | DeleteAliasCommandInput
   | DeleteCustomKeyStoreCommandInput
   | DeleteImportedKeyMaterialCommandInput
+  | DeriveSharedSecretCommandInput
   | DescribeCustomKeyStoresCommandInput
   | DescribeKeyCommandInput
   | DisableKeyCommandInput
@@ -321,6 +326,7 @@ export type ServiceOutputTypes =
   | DeleteAliasCommandOutput
   | DeleteCustomKeyStoreCommandOutput
   | DeleteImportedKeyMaterialCommandOutput
+  | DeriveSharedSecretCommandOutput
   | DescribeCustomKeyStoresCommandOutput
   | DescribeKeyCommandOutput
   | DisableKeyCommandOutput

package/dist-types/ts3.4/commands/DeriveSharedSecretCommand.d.ts

@@ -0,0 +1,40 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import {
+  KMSClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../KMSClient";
+import {
+  DeriveSharedSecretRequest,
+  DeriveSharedSecretResponse,
+} from "../models/models_0";
+export { __MetadataBearer };
+export { $Command };
+export interface DeriveSharedSecretCommandInput
+  extends DeriveSharedSecretRequest {}
+export interface DeriveSharedSecretCommandOutput
+  extends DeriveSharedSecretResponse,
+    __MetadataBearer {}
+declare const DeriveSharedSecretCommand_base: {
+  new (
+    input: DeriveSharedSecretCommandInput
+  ): import("@smithy/smithy-client").CommandImpl<
+    DeriveSharedSecretCommandInput,
+    DeriveSharedSecretCommandOutput,
+    KMSClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >;
+  new (
+    __0_0: DeriveSharedSecretCommandInput
+  ): import("@smithy/smithy-client").CommandImpl<
+    DeriveSharedSecretCommandInput,
+    DeriveSharedSecretCommandOutput,
+    KMSClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >;
+  getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+export declare class DeriveSharedSecretCommand extends DeriveSharedSecretCommand_base {}

package/dist-types/ts3.4/commands/index.d.ts

@@ -8,6 +8,7 @@ export * from "./DecryptCommand";
 export * from "./DeleteAliasCommand";
 export * from "./DeleteCustomKeyStoreCommand";
 export * from "./DeleteImportedKeyMaterialCommand";
+export * from "./DeriveSharedSecretCommand";
 export * from "./DescribeCustomKeyStoresCommand";
 export * from "./DescribeKeyCommand";
 export * from "./DisableKeyCommand";

package/dist-types/ts3.4/models/models_0.d.ts

@@ -329,6 +329,7 @@ export interface GrantConstraints {
 export declare const GrantOperation: {
   readonly CreateGrant: "CreateGrant";
   readonly Decrypt: "Decrypt";
+  readonly DeriveSharedSecret: "DeriveSharedSecret";
   readonly DescribeKey: "DescribeKey";
   readonly Encrypt: "Encrypt";
   readonly GenerateDataKey: "GenerateDataKey";
@@ -415,6 +416,7 @@ export type KeySpec = (typeof KeySpec)[keyof typeof KeySpec];
 export declare const KeyUsageType: {
   readonly ENCRYPT_DECRYPT: "ENCRYPT_DECRYPT";
   readonly GENERATE_VERIFY_MAC: "GENERATE_VERIFY_MAC";
+  readonly KEY_AGREEMENT: "KEY_AGREEMENT";
   readonly SIGN_VERIFY: "SIGN_VERIFY";
 };
 export type KeyUsageType = (typeof KeyUsageType)[keyof typeof KeyUsageType];
@@ -456,6 +458,11 @@ export declare const ExpirationModelType: {
 };
 export type ExpirationModelType =
   (typeof ExpirationModelType)[keyof typeof ExpirationModelType];
+export declare const KeyAgreementAlgorithmSpec: {
+  readonly ECDH: "ECDH";
+};
+export type KeyAgreementAlgorithmSpec =
+  (typeof KeyAgreementAlgorithmSpec)[keyof typeof KeyAgreementAlgorithmSpec];
 export declare const KeyManagerType: {
   readonly AWS: "AWS";
   readonly CUSTOMER: "CUSTOMER";
@@ -533,6 +540,7 @@ export interface KeyMetadata {
   KeySpec?: KeySpec;
   EncryptionAlgorithms?: EncryptionAlgorithmSpec[];
   SigningAlgorithms?: SigningAlgorithmSpec[];
+  KeyAgreementAlgorithms?: KeyAgreementAlgorithmSpec[];
   MultiRegion?: boolean;
   MultiRegionConfiguration?: MultiRegionConfiguration;
   PendingDeletionWindowInDays?: number;
@@ -692,6 +700,21 @@ export interface DeleteCustomKeyStoreResponse {}
 export interface DeleteImportedKeyMaterialRequest {
   KeyId: string | undefined;
 }
+export interface DeriveSharedSecretRequest {
+  KeyId: string | undefined;
+  KeyAgreementAlgorithm: KeyAgreementAlgorithmSpec | undefined;
+  PublicKey: Uint8Array | undefined;
+  GrantTokens?: string[];
+  DryRun?: boolean;
+  Recipient?: RecipientInfo;
+}
+export interface DeriveSharedSecretResponse {
+  KeyId?: string;
+  SharedSecret?: Uint8Array;
+  CiphertextForRecipient?: Uint8Array;
+  KeyAgreementAlgorithm?: KeyAgreementAlgorithmSpec;
+  KeyOrigin?: OriginType;
+}
 export interface DescribeCustomKeyStoresRequest {
   CustomKeyStoreId?: string;
   CustomKeyStoreName?: string;
@@ -880,6 +903,7 @@ export interface GetPublicKeyResponse {
   KeyUsage?: KeyUsageType;
   EncryptionAlgorithms?: EncryptionAlgorithmSpec[];
   SigningAlgorithms?: SigningAlgorithmSpec[];
+  KeyAgreementAlgorithms?: KeyAgreementAlgorithmSpec[];
 }
 export interface GrantListEntry {
   KeyId?: string;
@@ -1171,6 +1195,9 @@ export declare const CustomKeyStoresListEntryFilterSensitiveLog: (
 export declare const DecryptResponseFilterSensitiveLog: (
   obj: DecryptResponse
 ) => any;
+export declare const DeriveSharedSecretResponseFilterSensitiveLog: (
+  obj: DeriveSharedSecretResponse
+) => any;
 export declare const DescribeCustomKeyStoresResponseFilterSensitiveLog: (
   obj: DescribeCustomKeyStoresResponse
 ) => any;

package/dist-types/ts3.4/protocols/Aws_json1_1.d.ts

@@ -43,6 +43,10 @@ import {
   DeleteImportedKeyMaterialCommandInput,
   DeleteImportedKeyMaterialCommandOutput,
 } from "../commands/DeleteImportedKeyMaterialCommand";
+import {
+  DeriveSharedSecretCommandInput,
+  DeriveSharedSecretCommandOutput,
+} from "../commands/DeriveSharedSecretCommand";
 import {
   DescribeCustomKeyStoresCommandInput,
   DescribeCustomKeyStoresCommandOutput,
@@ -248,6 +252,10 @@ export declare const se_DeleteImportedKeyMaterialCommand: (
   input: DeleteImportedKeyMaterialCommandInput,
   context: __SerdeContext
 ) => Promise<__HttpRequest>;
+export declare const se_DeriveSharedSecretCommand: (
+  input: DeriveSharedSecretCommandInput,
+  context: __SerdeContext
+) => Promise<__HttpRequest>;
 export declare const se_DescribeCustomKeyStoresCommand: (
   input: DescribeCustomKeyStoresCommandInput,
   context: __SerdeContext
@@ -456,6 +464,10 @@ export declare const de_DeleteImportedKeyMaterialCommand: (
   output: __HttpResponse,
   context: __SerdeContext
 ) => Promise<DeleteImportedKeyMaterialCommandOutput>;
+export declare const de_DeriveSharedSecretCommand: (
+  output: __HttpResponse,
+  context: __SerdeContext
+) => Promise<DeriveSharedSecretCommandOutput>;
 export declare const de_DescribeCustomKeyStoresCommand: (
   output: __HttpResponse,
   context: __SerdeContext