@aws-sdk/client-kms 3.926.0 → 3.927.0

package/dist-cjs/index.js

@@ -555,6 +555,7 @@ const CustomerMasterKeySpec = {
     SYMMETRIC_DEFAULT: "SYMMETRIC_DEFAULT",
 };
 const KeySpec = {
+    ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519",
     ECC_NIST_P256: "ECC_NIST_P256",
     ECC_NIST_P384: "ECC_NIST_P384",
     ECC_NIST_P521: "ECC_NIST_P521",
@@ -625,6 +626,8 @@ const SigningAlgorithmSpec = {
     ECDSA_SHA_256: "ECDSA_SHA_256",
     ECDSA_SHA_384: "ECDSA_SHA_384",
     ECDSA_SHA_512: "ECDSA_SHA_512",
+    ED25519_PH_SHA_512: "ED25519_PH_SHA_512",
+    ED25519_SHA_512: "ED25519_SHA_512",
     ML_DSA_SHAKE_256: "ML_DSA_SHAKE_256",
     RSASSA_PKCS1_V1_5_SHA_256: "RSASSA_PKCS1_V1_5_SHA_256",
     RSASSA_PKCS1_V1_5_SHA_384: "RSASSA_PKCS1_V1_5_SHA_384",
@@ -719,6 +722,7 @@ class CustomKeyStoreHasCMKsException extends KMSServiceException {
     }
 }
 const DataKeyPairSpec = {
+    ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519",
     ECC_NIST_P256: "ECC_NIST_P256",
     ECC_NIST_P384: "ECC_NIST_P384",
     ECC_NIST_P521: "ECC_NIST_P521",

package/dist-es/models/models_0.js

@@ -438,6 +438,7 @@ export const CustomerMasterKeySpec = {
     SYMMETRIC_DEFAULT: "SYMMETRIC_DEFAULT",
 };
 export const KeySpec = {
+    ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519",
     ECC_NIST_P256: "ECC_NIST_P256",
     ECC_NIST_P384: "ECC_NIST_P384",
     ECC_NIST_P521: "ECC_NIST_P521",
@@ -508,6 +509,8 @@ export const SigningAlgorithmSpec = {
     ECDSA_SHA_256: "ECDSA_SHA_256",
     ECDSA_SHA_384: "ECDSA_SHA_384",
     ECDSA_SHA_512: "ECDSA_SHA_512",
+    ED25519_PH_SHA_512: "ED25519_PH_SHA_512",
+    ED25519_SHA_512: "ED25519_SHA_512",
     ML_DSA_SHAKE_256: "ML_DSA_SHAKE_256",
     RSASSA_PKCS1_V1_5_SHA_256: "RSASSA_PKCS1_V1_5_SHA_256",
     RSASSA_PKCS1_V1_5_SHA_384: "RSASSA_PKCS1_V1_5_SHA_384",
@@ -602,6 +605,7 @@ export class CustomKeyStoreHasCMKsException extends __BaseException {
     }
 }
 export const DataKeyPairSpec = {
+    ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519",
     ECC_NIST_P256: "ECC_NIST_P256",
     ECC_NIST_P384: "ECC_NIST_P384",
     ECC_NIST_P521: "ECC_NIST_P521",

package/dist-types/commands/CreateKeyCommand.d.ts

@@ -71,7 +71,7 @@ declare const CreateKeyCommand_base: {
  *             key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key so it can be used
  *             outside of KMS. Each KMS key can have only one key usage. KMS keys with RSA key pairs
  *             can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS
- *             keys with NIST-recommended ECC key pairs can be used to sign and verify messages or
+ *             keys with NIST-standard ECC key pairs can be used to sign and verify messages or
  *             derive shared secrets (but not both). KMS keys with <code>ECC_SECG_P256K1</code> can be
  *             used only to sign and verify messages. KMS keys with ML-DSA key pairs can be used to
  *             sign and verify messages. KMS keys with SM2 key pairs (China Regions only) can be used
@@ -211,7 +211,7 @@ declare const CreateKeyCommand_base: {
  *   Description: "STRING_VALUE",
  *   KeyUsage: "SIGN_VERIFY" || "ENCRYPT_DECRYPT" || "GENERATE_VERIFY_MAC" || "KEY_AGREEMENT",
  *   CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
- *   KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87",
+ *   KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87" || "ECC_NIST_EDWARDS25519",
  *   Origin: "AWS_KMS" || "EXTERNAL" || "AWS_CLOUDHSM" || "EXTERNAL_KEY_STORE",
  *   CustomKeyStoreId: "STRING_VALUE",
  *   BypassPolicyLockoutSafetyCheck: true || false,
@@ -244,12 +244,12 @@ declare const CreateKeyCommand_base: {
  * //     ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
  * //     KeyManager: "AWS" || "CUSTOMER",
  * //     CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
- * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87",
+ * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87" || "ECC_NIST_EDWARDS25519",
  * //     EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
  * //       "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
  * //     ],
  * //     SigningAlgorithms: [ // SigningAlgorithmSpecList
- * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * //     ],
  * //     KeyAgreementAlgorithms: [ // KeyAgreementAlgorithmSpecList
  * //       "ECDH",

package/dist-types/commands/DecryptCommand.d.ts

@@ -82,12 +82,12 @@ declare const DecryptCommand_base: {
  *       particular trusted accounts. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best practices for IAM
  *         policies</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
- *             <code>Decrypt</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a> and NitroTPM, which provide
- *       attested environments in Amazon EC2. To call <code>Decrypt</code> for a Nitro enclave or NitroTPM, use
- *       the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
- *       attestation document for the attested environment. Instead of the plaintext data, the response
- *       includes the plaintext data encrypted with the public key from the attestation document
- *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <code>Decrypt</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a> and NitroTPM, which
+ *       provide attested environments in Amazon EC2. To call <code>Decrypt</code> for a Nitro enclave or
+ *       NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
+ *       parameter to provide the attestation document for the attested environment. Instead of the
+ *       plaintext data, the response includes the plaintext data encrypted with the public key from
+ *       the attestation document (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/DeriveSharedSecretCommand.d.ts

@@ -29,7 +29,7 @@ declare const DeriveSharedSecretCommand_base: {
 /**
  * <p>Derives a shared secret using a key agreement algorithm.</p>
  *          <note>
- *             <p>You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China Regions
+ *             <p>You must use an asymmetric NIST-standard elliptic curve (ECC) or SM2 (China Regions
  *         only) KMS key pair with a <code>KeyUsage</code> value of <code>KEY_AGREEMENT</code> to call
  *         DeriveSharedSecret.</p>
  *          </note>
@@ -48,14 +48,14 @@ declare const DeriveSharedSecretCommand_base: {
  *                   <b>Alice</b> calls <a>CreateKey</a> to create an
  *           asymmetric KMS key pair with a <code>KeyUsage</code> value of
  *           <code>KEY_AGREEMENT</code>.</p>
- *                <p>The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or SM2 (China
+ *                <p>The asymmetric KMS key must use a NIST-standard elliptic curve (ECC) or SM2 (China
  *           Regions only) key spec.</p>
  *             </li>
  *             <li>
  *                <p>
  *                   <b>Bob</b> creates an elliptic curve key pair.</p>
  *                <p>Bob can call <a>CreateKey</a> to create an asymmetric KMS key pair or
- *           generate a key pair outside of KMS. Bob's key pair must use the same NIST-recommended
+ *           generate a key pair outside of KMS. Bob's key pair must use the same NIST-standard
  *           elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.</p>
  *             </li>
  *             <li>
@@ -83,8 +83,8 @@ declare const DeriveSharedSecretCommand_base: {
  *             </li>
  *          </ol>
  *          <p>To derive a shared secret you must provide a key agreement algorithm, the private key of
- *       the caller's asymmetric NIST-recommended elliptic curve or SM2 (China Regions only) KMS key
- *       pair, and the public key from your peer's NIST-recommended elliptic curve or SM2 (China
+ *       the caller's asymmetric NIST-standard elliptic curve or SM2 (China Regions only) KMS key
+ *       pair, and the public key from your peer's NIST-standard elliptic curve or SM2 (China
  *       Regions only) key pair. The public key can be from another asymmetric KMS key pair or from a
  *       key pair generated outside of KMS, but both key pairs must be on the same elliptic
  *       curve.</p>

package/dist-types/commands/DescribeKeyCommand.d.ts

@@ -145,12 +145,12 @@ declare const DescribeKeyCommand_base: {
  * //     ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
  * //     KeyManager: "AWS" || "CUSTOMER",
  * //     CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
- * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87",
+ * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87" || "ECC_NIST_EDWARDS25519",
  * //     EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
  * //       "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
  * //     ],
  * //     SigningAlgorithms: [ // SigningAlgorithmSpecList
- * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * //     ],
  * //     KeyAgreementAlgorithms: [ // KeyAgreementAlgorithmSpecList
  * //       "ECDH",

package/dist-types/commands/GenerateDataKeyCommand.d.ts

@@ -53,12 +53,12 @@ declare const GenerateDataKeyCommand_base: {
  *          <p>
  *             <code>GenerateDataKey</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
  *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> for an Amazon Web Services Nitro
- *       enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
- *       to provide the attestation document for the attested environment. <code>GenerateDataKey</code> returns a
- *       copy of the data key encrypted under the specified KMS key, as usual. But instead of a
- *       plaintext copy of the data key, the response includes a copy of the data key encrypted under
- *       the public key from the attestation document (<code>CiphertextForRecipient</code>).
- *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the
+ *         <code>Recipient</code> parameter to provide the attestation document for the attested
+ *       environment. <code>GenerateDataKey</code> returns a copy of the data key encrypted under the
+ *       specified KMS key, as usual. But instead of a plaintext copy of the data key, the response
+ *       includes a copy of the data key encrypted under the public key from the attestation document
+ *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts

@@ -60,12 +60,12 @@ declare const GenerateDataKeyPairCommand_base: {
  *          <p>
  *             <code>GenerateDataKeyPair</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
  *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKeyPair</code> for an Amazon Web Services
- *       Nitro enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
- *       parameter to provide the attestation document for the attested environment.
- *         <code>GenerateDataKeyPair</code> returns the public data key and a copy of the private data
- *       key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the
- *       private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the
- *       private data key encrypted under the public key from the attestation document
+ *       Nitro enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the
+ *         <code>Recipient</code> parameter to provide the attestation document for the attested
+ *       environment. <code>GenerateDataKeyPair</code> returns the public data key and a copy of the
+ *       private data key encrypted under the specified KMS key, as usual. But instead of a plaintext
+ *       copy of the private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy
+ *       of the private data key encrypted under the public key from the attestation document
  *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
@@ -125,7 +125,7 @@ declare const GenerateDataKeyPairCommand_base: {
  *     "<keys>": "STRING_VALUE",
  *   },
  *   KeyId: "STRING_VALUE", // required
- *   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2", // required
+ *   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2" || "ECC_NIST_EDWARDS25519", // required
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
@@ -142,7 +142,7 @@ declare const GenerateDataKeyPairCommand_base: {
  * //   PrivateKeyPlaintext: new Uint8Array(),
  * //   PublicKey: new Uint8Array(),
  * //   KeyId: "STRING_VALUE",
- * //   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2",
+ * //   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2" || "ECC_NIST_EDWARDS25519",
  * //   CiphertextForRecipient: new Uint8Array(),
  * //   KeyMaterialId: "STRING_VALUE",
  * // };

package/dist-types/commands/GenerateDataKeyPairWithoutPlaintextCommand.d.ts

@@ -107,7 +107,7 @@ declare const GenerateDataKeyPairWithoutPlaintextCommand_base: {
  *     "<keys>": "STRING_VALUE",
  *   },
  *   KeyId: "STRING_VALUE", // required
- *   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2", // required
+ *   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2" || "ECC_NIST_EDWARDS25519", // required
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
@@ -119,7 +119,7 @@ declare const GenerateDataKeyPairWithoutPlaintextCommand_base: {
  * //   PrivateKeyCiphertextBlob: new Uint8Array(),
  * //   PublicKey: new Uint8Array(),
  * //   KeyId: "STRING_VALUE",
- * //   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2",
+ * //   KeyPairSpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SM2" || "ECC_NIST_EDWARDS25519",
  * //   KeyMaterialId: "STRING_VALUE",
  * // };
  *

package/dist-types/commands/GenerateRandomCommand.d.ts

@@ -35,11 +35,11 @@ declare const GenerateRandomCommand_base: {
  *       parameter.</p>
  *          <p>
  *             <code>GenerateRandom</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
- *       isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code> for a Nitro
- *       enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
- *       to provide the attestation document for the attested environment. Instead of plaintext bytes, the response
- *       includes the plaintext bytes encrypted under the public key from the attestation document
- *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code> for a Nitro enclave
+ *       or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
+ *       parameter to provide the attestation document for the attested environment. Instead of
+ *       plaintext bytes, the response includes the plaintext bytes encrypted under the public key from
+ *       the attestation document (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>For more information about entropy and random number generation, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#entropy-and-random-numbers">Entropy and random number generation</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Not applicable.

package/dist-types/commands/GetPublicKeyCommand.d.ts

@@ -99,13 +99,13 @@ declare const GetPublicKeyCommand_base: {
  * //   KeyId: "STRING_VALUE",
  * //   PublicKey: new Uint8Array(),
  * //   CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
- * //   KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87",
+ * //   KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87" || "ECC_NIST_EDWARDS25519",
  * //   KeyUsage: "SIGN_VERIFY" || "ENCRYPT_DECRYPT" || "GENERATE_VERIFY_MAC" || "KEY_AGREEMENT",
  * //   EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
  * //     "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
  * //   ],
  * //   SigningAlgorithms: [ // SigningAlgorithmSpecList
- * //     "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //     "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * //   ],
  * //   KeyAgreementAlgorithms: [ // KeyAgreementAlgorithmSpecList
  * //     "ECDH",

package/dist-types/commands/ReplicateKeyCommand.d.ts

@@ -150,12 +150,12 @@ declare const ReplicateKeyCommand_base: {
  * //     ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
  * //     KeyManager: "AWS" || "CUSTOMER",
  * //     CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
- * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87",
+ * //     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2" || "ML_DSA_44" || "ML_DSA_65" || "ML_DSA_87" || "ECC_NIST_EDWARDS25519",
  * //     EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
  * //       "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
  * //     ],
  * //     SigningAlgorithms: [ // SigningAlgorithmSpecList
- * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * //     ],
  * //     KeyAgreementAlgorithms: [ // KeyAgreementAlgorithmSpecList
  * //       "ECDH",

package/dist-types/commands/SignCommand.d.ts

@@ -97,7 +97,7 @@ declare const SignCommand_base: {
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
- *   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256", // required
+ *   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512", // required
  *   DryRun: true || false,
  * };
  * const command = new SignCommand(input);
@@ -105,7 +105,7 @@ declare const SignCommand_base: {
  * // { // SignResponse
  * //   KeyId: "STRING_VALUE",
  * //   Signature: new Uint8Array(),
- * //   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * // };
  *
  * ```

package/dist-types/commands/VerifyCommand.d.ts

@@ -78,7 +78,7 @@ declare const VerifyCommand_base: {
  *   Message: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
  *   MessageType: "RAW" || "DIGEST" || "EXTERNAL_MU",
  *   Signature: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
- *   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256", // required
+ *   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512", // required
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
@@ -89,7 +89,7 @@ declare const VerifyCommand_base: {
  * // { // VerifyResponse
  * //   KeyId: "STRING_VALUE",
  * //   SignatureValid: true || false,
- * //   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256",
+ * //   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA" || "ML_DSA_SHAKE_256" || "ED25519_SHA_512" || "ED25519_PH_SHA_512",
  * // };
  *
  * ```

package/dist-types/models/models_0.d.ts

@@ -1151,6 +1151,7 @@ export type CustomerMasterKeySpec = (typeof CustomerMasterKeySpec)[keyof typeof
  * @enum
  */
 export declare const KeySpec: {
+    readonly ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519";
     readonly ECC_NIST_P256: "ECC_NIST_P256";
     readonly ECC_NIST_P384: "ECC_NIST_P384";
     readonly ECC_NIST_P521: "ECC_NIST_P521";
@@ -1299,7 +1300,7 @@ export interface CreateKeyRequest {
      *             <code>SIGN_VERIFY</code>.</p>
      *             </li>
      *             <li>
-     *                <p>For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify
+     *                <p>For asymmetric KMS keys with NIST-standard elliptic curve key pairs, specify
      *             <code>SIGN_VERIFY</code> or <code>KEY_AGREEMENT</code>.</p>
      *             </li>
      *             <li>
@@ -1409,7 +1410,7 @@ export interface CreateKeyRequest {
      *                </ul>
      *             </li>
      *             <li>
-     *                <p>Asymmetric NIST-recommended elliptic curve key pairs (signing and verification -or-
+     *                <p>Asymmetric NIST-standard elliptic curve key pairs (signing and verification -or-
      *           deriving shared secrets)</p>
      *                <ul>
      *                   <li>
@@ -1424,6 +1425,21 @@ export interface CreateKeyRequest {
      *                      <p>
      *                         <code>ECC_NIST_P521</code> (secp521r1)</p>
      *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>ECC_NIST_EDWARDS25519</code> (ed25519) - signing and verification only</p>
+     *                      <ul>
+     *                         <li>
+     *                            <p>
+     *                               <b>Note:</b> For ECC_NIST_EDWARDS25519 KMS keys, the
+     *                           ED25519_SHA_512 signing algorithm requires <a href="kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType">
+     *                                  <code>MessageType:RAW</code>
+     *                               </a>, while ED25519_PH_SHA_512 requires <a href="kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType">
+     *                                  <code>MessageType:DIGEST</code>
+     *                               </a>. These message types cannot be used interchangeably.</p>
+     *                         </li>
+     *                      </ul>
+     *                   </li>
      *                </ul>
      *             </li>
      *             <li>
@@ -1726,6 +1742,8 @@ export declare const SigningAlgorithmSpec: {
     readonly ECDSA_SHA_256: "ECDSA_SHA_256";
     readonly ECDSA_SHA_384: "ECDSA_SHA_384";
     readonly ECDSA_SHA_512: "ECDSA_SHA_512";
+    readonly ED25519_PH_SHA_512: "ED25519_PH_SHA_512";
+    readonly ED25519_SHA_512: "ED25519_SHA_512";
     readonly ML_DSA_SHAKE_256: "ML_DSA_SHAKE_256";
     readonly RSASSA_PKCS1_V1_5_SHA_256: "RSASSA_PKCS1_V1_5_SHA_256";
     readonly RSASSA_PKCS1_V1_5_SHA_384: "RSASSA_PKCS1_V1_5_SHA_384";
@@ -2401,6 +2419,7 @@ export interface CustomKeyStoresListEntry {
  * @enum
  */
 export declare const DataKeyPairSpec: {
+    readonly ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519";
     readonly ECC_NIST_P256: "ECC_NIST_P256";
     readonly ECC_NIST_P384: "ECC_NIST_P384";
     readonly ECC_NIST_P521: "ECC_NIST_P521";
@@ -2440,8 +2459,8 @@ export type KeyEncryptionMechanism = (typeof KeyEncryptionMechanism)[keyof typeo
 /**
  * <p>Contains information about the party that receives the response from the API
  *       operation.</p>
- *          <p>This data type is designed to support Amazon Web Services Nitro Enclaves and Amazon Web Services NitroTPM, which lets you create an attested
- *       environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>This data type is designed to support Amazon Web Services Nitro Enclaves and Amazon Web Services NitroTPM,
+ *       which lets you create an attested environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  * @public
  */
 export interface RecipientInfo {
@@ -2453,8 +2472,8 @@ export interface RecipientInfo {
      */
     KeyEncryptionAlgorithm?: KeyEncryptionMechanism | undefined;
     /**
-     * <p>The attestation document for an Amazon Web Services Nitro Enclave or a NitroTPM. This document includes the enclave's
-     *       public key.</p>
+     * <p>The attestation document for an Amazon Web Services Nitro Enclave or a NitroTPM. This document includes
+     *       the enclave's public key.</p>
      * @public
      */
     AttestationDocument?: Uint8Array | undefined;
@@ -2531,16 +2550,16 @@ export interface DecryptRequest {
     EncryptionAlgorithm?: EncryptionAlgorithmSpec | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc">attestation
-     *         document</a> from an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the
-     *       public key in the attestation document. The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
-     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
-     *     </p>
+     *         document</a> from an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to
+     *       use with the public key in the attestation document. The only valid encryption algorithm is
+     *         <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for
+     *       Amazon Web Services Nitro Enclaves. It supports any Amazon Web Services SDK for Amazon Web Services NitroTPM. </p>
      *          <p>When you use this parameter, instead of returning the plaintext data, KMS encrypts the
      *       plaintext data with the public key in the attestation document, and returns the resulting
      *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
-     *       can be decrypted only with the private key in the attested environment. The <code>Plaintext</code> field in
-     *       the response is null or empty.</p>
+     *       can be decrypted only with the private key in the attested environment. The
+     *         <code>Plaintext</code> field in the response is null or empty.</p>
      *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
@@ -2745,7 +2764,7 @@ export interface DeleteImportedKeyMaterialResponse {
  */
 export interface DeriveSharedSecretRequest {
     /**
-     * <p>Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only) KMS key. KMS
+     * <p>Identifies an asymmetric NIST-standard ECC or SM2 (China Regions only) KMS key. KMS
      *       uses the private key in the specified key pair to derive the shared secret. The key usage of
      *       the KMS key must be <code>KEY_AGREEMENT</code>. To find the <code>KeyUsage</code> of a KMS
      *       key, use the <a>DescribeKey</a> operation.</p>
@@ -2780,7 +2799,7 @@ export interface DeriveSharedSecretRequest {
      */
     KeyAgreementAlgorithm: KeyAgreementAlgorithmSpec | undefined;
     /**
-     * <p>Specifies the public key in your peer's NIST-recommended elliptic curve (ECC) or SM2
+     * <p>Specifies the public key in your peer's NIST-standard elliptic curve (ECC) or SM2
      *       (China Regions only) key pair.</p>
      *          <p>The public key must be a DER-encoded X.509 public key, also known as
      *         <code>SubjectPublicKeyInfo</code> (SPKI), as defined in <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>.</p>
@@ -2812,20 +2831,22 @@ export interface DeriveSharedSecretRequest {
     DryRun?: boolean | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
-     *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
-     *       DeriveSharedSecret generate an attestation document use either <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or
-     *       <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in
+     *       the attestation document. The only valid encryption algorithm is
+     *         <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or
+     *       Amazon Web Services NitroTPM. To call DeriveSharedSecret generate an attestation document use either
+     *       <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for
+     *       Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
      *       attestation document for the attested environment.</p>
      *          <p>When you use this parameter, instead of returning a plaintext copy of the shared secret,
      *       KMS encrypts the plaintext shared secret under the public key in the attestation document,
      *       and returns the resulting ciphertext in the <code>CiphertextForRecipient</code> field in the
-     *       response. This ciphertext can be decrypted only with the private key in the attested environment. The
-     *         <code>CiphertextBlob</code> field in the response contains the encrypted shared secret
-     *       derived from the KMS key specified by the <code>KeyId</code> parameter and public key
-     *       specified by the <code>PublicKey</code> parameter. The <code>SharedSecret</code> field in the
-     *       response is null or empty.</p>
+     *       response. This ciphertext can be decrypted only with the private key in the attested
+     *       environment. The <code>CiphertextBlob</code> field in the response contains the encrypted
+     *       shared secret derived from the KMS key specified by the <code>KeyId</code> parameter and
+     *       public key specified by the <code>PublicKey</code> parameter. The <code>SharedSecret</code>
+     *       field in the response is null or empty.</p>
      *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
@@ -2849,8 +2870,8 @@ export interface DeriveSharedSecretResponse {
      */
     SharedSecret?: Uint8Array | undefined;
     /**
-     * <p>The plaintext shared secret encrypted with the public key from the attestation document. This
-     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
+     * <p>The plaintext shared secret encrypted with the public key from the attestation document.
+     *       This ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
      *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
      *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
@@ -3304,11 +3325,11 @@ export interface GenerateDataKeyRequest {
     GrantTokens?: string[] | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
-     *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
-     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
-     *     </p>
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in
+     *       the attestation document. The only valid encryption algorithm is
+     *         <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for
+     *       Amazon Web Services Nitro Enclaves. It supports any Amazon Web Services SDK for Amazon Web Services NitroTPM. </p>
      *          <p>When you use this parameter, instead of returning the plaintext data key, KMS encrypts
      *       the plaintext data key under the public key in the attestation document, and returns the
      *       resulting ciphertext in the <code>CiphertextForRecipient</code> field in the response. This
@@ -3426,19 +3447,21 @@ export interface GenerateDataKeyPairRequest {
     GrantTokens?: string[] | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
-     *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
-     *       GenerateDataKeyPair generate an attestation document use either <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or
-     *       <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in
+     *       the attestation document. The only valid encryption algorithm is
+     *         <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or
+     *       Amazon Web Services NitroTPM. To call GenerateDataKeyPair generate an attestation document use either
+     *       <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for
+     *       Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
      *       attestation document for the attested environment.</p>
      *          <p>When you use this parameter, instead of returning a plaintext copy of the private data
      *       key, KMS encrypts the plaintext private data key under the public key in the attestation
      *       document, and returns the resulting ciphertext in the <code>CiphertextForRecipient</code>
      *       field in the response. This ciphertext can be decrypted only with the private key in the
-     *       attested environment. The <code>CiphertextBlob</code> field in the response contains a copy of the private
-     *       data key encrypted under the KMS key specified by the <code>KeyId</code> parameter. The
-     *         <code>PrivateKeyPlaintext</code> field in the response is null or empty.</p>
+     *       attested environment. The <code>CiphertextBlob</code> field in the response contains a copy of
+     *       the private data key encrypted under the KMS key specified by the <code>KeyId</code>
+     *       parameter. The <code>PrivateKeyPlaintext</code> field in the response is null or empty.</p>
      *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
@@ -3482,8 +3505,9 @@ export interface GenerateDataKeyPairResponse {
      */
     KeyPairSpec?: DataKeyPairSpec | undefined;
     /**
-     * <p>The plaintext private data key encrypted with the public key from the attestation document. This
-     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
+     * <p>The plaintext private data key encrypted with the public key from the attestation
+     *       document. This ciphertext can be decrypted only by using a private key from the attested
+     *       environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
      *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
      *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
@@ -3769,16 +3793,16 @@ export interface GenerateRandomRequest {
     CustomKeyStoreId?: string | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
-     *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
-     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
-     *     </p>
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in
+     *       the attestation document. The only valid encryption algorithm is
+     *         <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for
+     *       Amazon Web Services Nitro Enclaves. It supports any Amazon Web Services SDK for Amazon Web Services NitroTPM. </p>
      *          <p>When you use this parameter, instead of returning plaintext bytes, KMS encrypts the
      *       plaintext bytes under the public key in the attestation document, and returns the resulting
      *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
-     *       can be decrypted only with the private key in the attested environment. The <code>Plaintext</code> field in
-     *       the response is null or empty.</p>
+     *       can be decrypted only with the private key in the attested environment. The
+     *         <code>Plaintext</code> field in the response is null or empty.</p>
      *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
@@ -3796,8 +3820,8 @@ export interface GenerateRandomResponse {
      */
     Plaintext?: Uint8Array | undefined;
     /**
-     * <p>The plaintext random bytes encrypted with the public key from the attestation document. This
-     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
+     * <p>The plaintext random bytes encrypted with the public key from the attestation document.
+     *       This ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
      *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
      *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
@@ -5642,6 +5666,17 @@ export interface SignRequest {
      *         value with an unhashed message, the security of the signing operation can be
      *         compromised.</p>
      *          </important>
+     *          <p>When using ECC_NIST_EDWARDS25519 KMS keys:</p>
+     *          <ul>
+     *             <li>
+     *                <p>ED25519_SHA_512 signing algorithm requires KMS <code>MessageType:RAW</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>ED25519_PH_SHA_512 signing algorithm requires KMS <code>MessageType:DIGEST</code>
+     *                </p>
+     *             </li>
+     *          </ul>
      *          <p>When the value of <code>MessageType</code> is <code>DIGEST</code>, the length of the
      *         <code>Message</code> value must match the length of hashed messages for the specified
      *       signing algorithm.</p>
@@ -6082,6 +6117,17 @@ export interface VerifyRequest {
      *         value with an unhashed message, the security of the signing operation can be
      *         compromised.</p>
      *          </important>
+     *          <p>When using ECC_NIST_EDWARDS25519 KMS keys:</p>
+     *          <ul>
+     *             <li>
+     *                <p>ED25519_SHA_512 signing algorithm requires KMS <code>MessageType:RAW</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>ED25519_PH_SHA_512 signing algorithm requires KMS <code>MessageType:DIGEST</code>
+     *                </p>
+     *             </li>
+     *          </ul>
      *          <p>When the value of <code>MessageType</code> is <code>DIGEST</code>, the length of the
      *         <code>Message</code> value must match the length of hashed messages for the specified
      *       signing algorithm.</p>

package/dist-types/ts3.4/models/models_0.d.ts

@@ -401,6 +401,7 @@ export declare const CustomerMasterKeySpec: {
 export type CustomerMasterKeySpec =
   (typeof CustomerMasterKeySpec)[keyof typeof CustomerMasterKeySpec];
 export declare const KeySpec: {
+  readonly ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519";
   readonly ECC_NIST_P256: "ECC_NIST_P256";
   readonly ECC_NIST_P384: "ECC_NIST_P384";
   readonly ECC_NIST_P521: "ECC_NIST_P521";
@@ -513,6 +514,8 @@ export declare const SigningAlgorithmSpec: {
   readonly ECDSA_SHA_256: "ECDSA_SHA_256";
   readonly ECDSA_SHA_384: "ECDSA_SHA_384";
   readonly ECDSA_SHA_512: "ECDSA_SHA_512";
+  readonly ED25519_PH_SHA_512: "ED25519_PH_SHA_512";
+  readonly ED25519_SHA_512: "ED25519_SHA_512";
   readonly ML_DSA_SHAKE_256: "ML_DSA_SHAKE_256";
   readonly RSASSA_PKCS1_V1_5_SHA_256: "RSASSA_PKCS1_V1_5_SHA_256";
   readonly RSASSA_PKCS1_V1_5_SHA_384: "RSASSA_PKCS1_V1_5_SHA_384";
@@ -631,6 +634,7 @@ export interface CustomKeyStoresListEntry {
   XksProxyConfiguration?: XksProxyConfigurationType | undefined;
 }
 export declare const DataKeyPairSpec: {
+  readonly ECC_NIST_EDWARDS25519: "ECC_NIST_EDWARDS25519";
   readonly ECC_NIST_P256: "ECC_NIST_P256";
   readonly ECC_NIST_P384: "ECC_NIST_P384";
   readonly ECC_NIST_P521: "ECC_NIST_P521";

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.926.0",
+  "version": "3.927.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline client-kms",
@@ -20,17 +20,17 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "5.2.0",
     "@aws-crypto/sha256-js": "5.2.0",
-    "@aws-sdk/core": "3.926.0",
-    "@aws-sdk/credential-provider-node": "3.926.0",
+    "@aws-sdk/core": "3.927.0",
+    "@aws-sdk/credential-provider-node": "3.927.0",
     "@aws-sdk/middleware-host-header": "3.922.0",
     "@aws-sdk/middleware-logger": "3.922.0",
     "@aws-sdk/middleware-recursion-detection": "3.922.0",
-    "@aws-sdk/middleware-user-agent": "3.926.0",
+    "@aws-sdk/middleware-user-agent": "3.927.0",
     "@aws-sdk/region-config-resolver": "3.925.0",
     "@aws-sdk/types": "3.922.0",
     "@aws-sdk/util-endpoints": "3.922.0",
     "@aws-sdk/util-user-agent-browser": "3.922.0",
-    "@aws-sdk/util-user-agent-node": "3.926.0",
+    "@aws-sdk/util-user-agent-node": "3.927.0",
     "@smithy/config-resolver": "^4.4.2",
     "@smithy/core": "^3.17.2",
     "@smithy/fetch-http-handler": "^5.3.5",