/* * Copyright 2010-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ package com.amazonaws.services.kms.model; import java.io.Serializable; import com.amazonaws.AmazonWebServiceRequest; /** *

* Returns a unique symmetric data key for use outside of KMS. This operation * returns a plaintext copy of the data key and a copy that is encrypted under a * symmetric encryption KMS key that you specify. The bytes in the plaintext key * are random; they are not related to the caller or the KMS key. You can use * the plaintext key to encrypt your data outside of KMS and store the encrypted * data key with the encrypted data. *

* To generate a data key, specify the symmetric encryption KMS key that will be * used to encrypt the data key. You cannot use an asymmetric KMS key to encrypt * data keys. To get the type of your KMS key, use the DescribeKey * operation. *

* You must also specify the length of the data key. Use either the * KeySpec or NumberOfBytes parameters (but not both). * For 128-bit and 256-bit data keys, use the KeySpec parameter. *

* To generate a 128-bit SM4 data key (China Regions only), specify a * KeySpec value of AES_128 or a * NumberOfBytes value of 16. The symmetric encryption * key used in China Regions to encrypt your data key is an SM4 encryption key. *

* To get only an encrypted copy of the data key, use * GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key * pair, use the GenerateDataKeyPair or * GenerateDataKeyPairWithoutPlaintext operation. To get a * cryptographically secure random byte string, use GenerateRandom. *

* You can use an optional encryption context to add additional security to the * encryption operation. If you specify an EncryptionContext, you * must specify the same encryption context (a case-sensitive exact match) when * decrypting the encrypted data key. Otherwise, the request to decrypt fails * with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide. *

* GenerateDataKey also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute * environment in Amazon EC2. To call GenerateDataKey for an Amazon * Web Services Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. * Use the Recipient parameter to provide the attestation document * for the enclave. GenerateDataKey returns a copy of the data key * encrypted under the specified KMS key, as usual. But instead of a plaintext * copy of the data key, the response includes a copy of the data key encrypted * under the public key from the attestation document ( * CiphertextForRecipient). For information about the interaction * between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management * Service Developer Guide.. *

* The KMS key that you use for this operation must be in a compatible key * state. For details, see Key states of KMS keys in the Key Management Service Developer * Guide. *

* How to use your data key *

* We recommend that you use the following pattern to encrypt data locally in * your application. You can write your own code or use a client-side encryption * library, such as the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you. *

* To encrypt data outside of KMS: *

*
* Use the GenerateDataKey operation to get a data key. *
*
*
* Use the plaintext data key (in the Plaintext field of the * response) to encrypt your data outside of KMS. Then erase the plaintext data * key from memory. *
*
*
* Store the encrypted data key (in the CiphertextBlob field of the * response) with the encrypted data. *
*

* To decrypt data outside of KMS: *

*
* Use the Decrypt operation to decrypt the encrypted data key. The * operation returns a plaintext copy of the data key. *
*
*
* Use the plaintext data key to decrypt data outside of KMS, then erase the * plaintext data key from memory. *
*

* Cross-account use: Yes. To perform this operation with a KMS key in a * different Amazon Web Services account, specify the key ARN or alias ARN in * the value of the KeyId parameter. *

* Required permissions: kms:GenerateDataKey (key policy) *

* Related operations: *

*
* Decrypt *
*
*
* Encrypt *
*
*
* GenerateDataKeyPair *
*
*
* GenerateDataKeyPairWithoutPlaintext *
*
*
* GenerateDataKeyWithoutPlaintext *
*

*/ public class GenerateDataKeyRequest extends AmazonWebServiceRequest implements Serializable { /** *

* Specifies the symmetric encryption KMS key that encrypts the data key. * You cannot specify an asymmetric KMS key or a KMS key in a custom key * store. To get the type and origin of your KMS key, use the * DescribeKey operation. *

* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. * When using an alias name, prefix it with "alias/". To * specify a KMS key in a different Amazon Web Services account, you must * use the key ARN or alias ARN. *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. To get the alias name and alias ARN, use * ListAliases. *

* Constraints:
* Length: 1 - 2048
*/ private String keyId; /** *

* Specifies the encryption context that will be used when encrypting the * data key. *

* *

* Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *

* *

* An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *

* For more information, see Encryption context in the Key Management Service Developer * Guide. *

*/ private java.util.Map encryptionContext = new java.util.HashMap(); /** *

* Specifies the length of the data key in bytes. For example, use the value * 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit * (16-byte) and 256-bit (32-byte) data keys, use the KeySpec * parameter. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Range: 1 - 1024
*/ private Integer numberOfBytes; /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Allowed Values: AES_256, AES_128 */ private String keySpec; /** *

* A list of grant tokens. *

* Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *

*/ private java.util.List grantTokens = new java.util.ArrayList(); /** *

* A signed attestation document from an Amazon Web Services Nitro enclave and * the encryption algorithm to use with the enclave's public key. The only * valid encryption algorithm is RSAES_OAEP_SHA_256. *

* This parameter only supports attestation documents for Amazon Web * Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services * SDK. *

* When you use this parameter, instead of returning the plaintext data key, * KMS encrypts the plaintext data key under the public key in the * attestation document, and returns the resulting ciphertext in the * CiphertextForRecipient field in the response. This * ciphertext can be decrypted only with the private key in the enclave. The * CiphertextBlob field in the response contains a copy of the * data key encrypted under the KMS key specified by the KeyId * parameter. The Plaintext field in the response is null or * empty. *

* For information about the interaction between KMS and Amazon Web Services * Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key * Management Service Developer Guide. *

*/ private RecipientInfo recipient; /** *

* Checks if your request will succeed. DryRun is an optional * parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

*/ private Boolean dryRun; /** *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. To get the alias name and alias ARN, use * ListAliases. *

* Constraints:
* Length: 1 - 2048
* * @return

* Specifies the symmetric encryption KMS key that encrypts the data * key. You cannot specify an asymmetric KMS key or a KMS key in a * custom key store. To get the type and origin of your KMS key, use * the DescribeKey operation. *

* To specify a KMS key, use its key ID, key ARN, alias name, or * alias ARN. When using an alias name, prefix it with * "alias/". To specify a KMS key in a different Amazon * Web Services account, you must use the key ARN or alias ARN. *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use ListKeys * or DescribeKey. To get the alias name and alias ARN, use * ListAliases. *

*/ public String getKeyId() { return keyId; } /** *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. To get the alias name and alias ARN, use * ListAliases. *

* Constraints:
* Length: 1 - 2048
* * @param keyId

* Specifies the symmetric encryption KMS key that encrypts the * data key. You cannot specify an asymmetric KMS key or a KMS * key in a custom key store. To get the type and origin of your * KMS key, use the DescribeKey operation. *

* To specify a KMS key, use its key ID, key ARN, alias name, or * alias ARN. When using an alias name, prefix it with * "alias/". To specify a KMS key in a different * Amazon Web Services account, you must use the key ARN or alias * ARN. *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey. To get the alias name * and alias ARN, use ListAliases. *

*/ public void setKeyId(String keyId) { this.keyId = keyId; } /** *

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. To get the alias name and alias ARN, use * ListAliases. *

* Returns a reference to this object so that method calls can be chained * together. *

* Constraints:
* Length: 1 - 2048
* * @param keyId

* For example: *

*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *
*
*
* Alias name: alias/ExampleAlias *
*
*
* Alias ARN: * arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias *
*

* To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey. To get the alias name * and alias ARN, use ListAliases. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withKeyId(String keyId) { this.keyId = keyId; return this; } /** *

* Specifies the encryption context that will be used when encrypting the * data key. *

* *

* Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *

* *

* For more information, see Encryption context in the Key Management Service Developer * Guide. *

* * @return

* Specifies the encryption context that will be used when * encrypting the data key. *

* *

* Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *

* *

* An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is supported * only on operations with symmetric encryption KMS keys. On * operations with symmetric encryption KMS keys, an encryption * context is optional, but it is strongly recommended. *

* For more information, see Encryption context in the Key Management Service * Developer Guide. *

*/ public java.util.Map getEncryptionContext() { return encryptionContext; } /** *

* Specifies the encryption context that will be used when encrypting the * data key. *

* *

* Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *

* *

* For more information, see Encryption context in the Key Management Service Developer * Guide. *

* * @param encryptionContext

* Specifies the encryption context that will be used when * encrypting the data key. *

* *

* Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *

* *

* An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is * supported only on operations with symmetric encryption KMS * keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly * recommended. *

* For more information, see Encryption context in the Key Management Service * Developer Guide. *

*/ public void setEncryptionContext(java.util.Map encryptionContext) { this.encryptionContext = encryptionContext; } /** *

* Specifies the encryption context that will be used when encrypting the * data key. *

* *

* Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *

* *

* For more information, see Encryption context in the Key Management Service Developer * Guide. *

* Returns a reference to this object so that method calls can be chained * together. * * @param encryptionContext

* Specifies the encryption context that will be used when * encrypting the data key. *

* *

* Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *

* *

* An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is * supported only on operations with symmetric encryption KMS * keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly * recommended. *

* For more information, see Encryption context in the Key Management Service * Developer Guide. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withEncryptionContext( java.util.Map encryptionContext) { this.encryptionContext = encryptionContext; return this; } /** *

* Specifies the encryption context that will be used when encrypting the * data key. *

* *

* Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *

* *

* For more information, see Encryption context in the Key Management Service Developer * Guide. *

* The method adds a new key-value pair into EncryptionContext parameter, * and returns a reference to this object so that method calls can be * chained together. * * @param key The key of the entry to be added into EncryptionContext. * @param value The corresponding value of the entry to be added into * EncryptionContext. * @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest addEncryptionContextEntry(String key, String value) { if (null == this.encryptionContext) { this.encryptionContext = new java.util.HashMap(); } if (this.encryptionContext.containsKey(key)) throw new IllegalArgumentException("Duplicated keys (" + key.toString() + ") are provided."); this.encryptionContext.put(key, value); return this; } /** * Removes all the entries added into EncryptionContext. *

* Returns a reference to this object so that method calls can be chained * together. */ public GenerateDataKeyRequest clearEncryptionContextEntries() { this.encryptionContext = null; return this; } /** *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Range: 1 - 1024
* * @return

* Specifies the length of the data key in bytes. For example, use * the value 64 to generate a 512-bit data key (64 bytes is 512 * bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use * the KeySpec parameter. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

*/ public Integer getNumberOfBytes() { return numberOfBytes; } /** *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Range: 1 - 1024
* * @param numberOfBytes

* Specifies the length of the data key in bytes. For example, * use the value 64 to generate a 512-bit data key (64 bytes is * 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data * keys, use the KeySpec parameter. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

*/ public void setNumberOfBytes(Integer numberOfBytes) { this.numberOfBytes = numberOfBytes; } /** *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Returns a reference to this object so that method calls can be chained * together. *

* Constraints:
* Range: 1 - 1024
* * @param numberOfBytes

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withNumberOfBytes(Integer numberOfBytes) { this.numberOfBytes = numberOfBytes; return this; } /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Allowed Values: AES_256, AES_128 * * @return

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to * generate a 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @see DataKeySpec */ public String getKeySpec() { return keySpec; } /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Allowed Values: AES_256, AES_128 * * @param keySpec

* Specifies the length of the data key. Use AES_128 * to generate a 128-bit symmetric key, or AES_256 * to generate a 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @see DataKeySpec */ public void setKeySpec(String keySpec) { this.keySpec = keySpec; } /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Returns a reference to this object so that method calls can be chained * together. *

* Constraints:
* Allowed Values: AES_256, AES_128 * * @param keySpec

* Specifies the length of the data key. Use AES_128 * to generate a 128-bit symmetric key, or AES_256 * to generate a 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @return A reference to this updated object so that method calls can be * chained together. * @see DataKeySpec */ public GenerateDataKeyRequest withKeySpec(String keySpec) { this.keySpec = keySpec; return this; } /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Constraints:
* Allowed Values: AES_256, AES_128 * * @param keySpec

* Specifies the length of the data key. Use AES_128 * to generate a 128-bit symmetric key, or AES_256 * to generate a 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @see DataKeySpec */ public void setKeySpec(DataKeySpec keySpec) { this.keySpec = keySpec.toString(); } /** *

* Specifies the length of the data key. Use AES_128 to * generate a 128-bit symmetric key, or AES_256 to generate a * 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* Returns a reference to this object so that method calls can be chained * together. *

* Constraints:
* Allowed Values: AES_256, AES_128 * * @param keySpec

* Specifies the length of the data key. Use AES_128 * to generate a 128-bit symmetric key, or AES_256 * to generate a 256-bit symmetric key. *

* You must specify either the KeySpec or the * NumberOfBytes parameter (but not both) in every * GenerateDataKey request. *

* @return A reference to this updated object so that method calls can be * chained together. * @see DataKeySpec */ public GenerateDataKeyRequest withKeySpec(DataKeySpec keySpec) { this.keySpec = keySpec.toString(); return this; } /** *

* A list of grant tokens. *

* * @return

* A list of grant tokens. *

* Use a grant token when your permission to call this operation * comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant token and Using a grant token in the Key Management Service * Developer Guide. *

*/ public java.util.List getGrantTokens() { return grantTokens; } /** *

* A list of grant tokens. *

* * @param grantTokens

* A list of grant tokens. *

*/ public void setGrantTokens(java.util.Collection grantTokens) { if (grantTokens == null) { this.grantTokens = null; return; } this.grantTokens = new java.util.ArrayList(grantTokens); } /** *

* A list of grant tokens. *

* Returns a reference to this object so that method calls can be chained * together. * * @param grantTokens

* A list of grant tokens. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withGrantTokens(String... grantTokens) { if (getGrantTokens() == null) { this.grantTokens = new java.util.ArrayList(grantTokens.length); } for (String value : grantTokens) { this.grantTokens.add(value); } return this; } /** *

* A list of grant tokens. *

* Returns a reference to this object so that method calls can be chained * together. * * @param grantTokens

* A list of grant tokens. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withGrantTokens(java.util.Collection grantTokens) { setGrantTokens(grantTokens); return this; } /** *

* For information about the interaction between KMS and Amazon Web Services * Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key * Management Service Developer Guide. *

* * @return

* A signed attestation document from an Amazon Web Services Nitro * enclave and the encryption algorithm to use with the enclave's * public key. The only valid encryption algorithm is * RSAES_OAEP_SHA_256. *

* When you use this parameter, instead of returning the plaintext * data key, KMS encrypts the plaintext data key under the public * key in the attestation document, and returns the resulting * ciphertext in the CiphertextForRecipient field in * the response. This ciphertext can be decrypted only with the * private key in the enclave. The CiphertextBlob field * in the response contains a copy of the data key encrypted under * the KMS key specified by the KeyId parameter. The * Plaintext field in the response is null or empty. *

* For information about the interaction between KMS and Amazon Web * Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the * Key Management Service Developer Guide. *

*/ public RecipientInfo getRecipient() { return recipient; } /** *

* For information about the interaction between KMS and Amazon Web Services * Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key * Management Service Developer Guide. *

* * @param recipient

* This parameter only supports attestation documents for Amazon * Web Services Nitro Enclaves. To include this parameter, use * the Amazon Web Services Nitro Enclaves SDK or any Amazon Web * Services SDK. *

* When you use this parameter, instead of returning the * plaintext data key, KMS encrypts the plaintext data key under * the public key in the attestation document, and returns the * resulting ciphertext in the * CiphertextForRecipient field in the response. * This ciphertext can be decrypted only with the private key in * the enclave. The CiphertextBlob field in the * response contains a copy of the data key encrypted under the * KMS key specified by the KeyId parameter. The * Plaintext field in the response is null or empty. *

* For information about the interaction between KMS and Amazon * Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the * Key Management Service Developer Guide. *

*/ public void setRecipient(RecipientInfo recipient) { this.recipient = recipient; } /** *

* For information about the interaction between KMS and Amazon Web Services * Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key * Management Service Developer Guide. *

* Returns a reference to this object so that method calls can be chained * together. * * @param recipient

* For information about the interaction between KMS and Amazon * Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the * Key Management Service Developer Guide. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withRecipient(RecipientInfo recipient) { this.recipient = recipient; return this; } /** *

* Checks if your request will succeed. DryRun is an optional * parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

* * @return

* Checks if your request will succeed. DryRun is an * optional parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

*/ public Boolean isDryRun() { return dryRun; } /** *

* Checks if your request will succeed. DryRun is an optional * parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

* * @return

* Checks if your request will succeed. DryRun is an * optional parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

*/ public Boolean getDryRun() { return dryRun; } /** *

* Checks if your request will succeed. DryRun is an optional * parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

* * @param dryRun

* Checks if your request will succeed. DryRun is an * optional parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management * Service Developer Guide. *

*/ public void setDryRun(Boolean dryRun) { this.dryRun = dryRun; } /** *

* Checks if your request will succeed. DryRun is an optional * parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *

* Returns a reference to this object so that method calls can be chained * together. * * @param dryRun

* Checks if your request will succeed. DryRun is an * optional parameter. *

* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management * Service Developer Guide. *

* @return A reference to this updated object so that method calls can be * chained together. */ public GenerateDataKeyRequest withDryRun(Boolean dryRun) { this.dryRun = dryRun; return this; } /** * Returns a string representation of this object; useful for testing and * debugging. * * @return A string representation of this object. * @see java.lang.Object#toString() */ @Override public String toString() { StringBuilder sb = new StringBuilder(); sb.append("{"); if (getKeyId() != null) sb.append("KeyId: " + getKeyId() + ","); if (getEncryptionContext() != null) sb.append("EncryptionContext: " + getEncryptionContext() + ","); if (getNumberOfBytes() != null) sb.append("NumberOfBytes: " + getNumberOfBytes() + ","); if (getKeySpec() != null) sb.append("KeySpec: " + getKeySpec() + ","); if (getGrantTokens() != null) sb.append("GrantTokens: " + getGrantTokens() + ","); if (getRecipient() != null) sb.append("Recipient: " + getRecipient() + ","); if (getDryRun() != null) sb.append("DryRun: " + getDryRun()); sb.append("}"); return sb.toString(); } @Override public int hashCode() { final int prime = 31; int hashCode = 1; hashCode = prime * hashCode + ((getKeyId() == null) ? 0 : getKeyId().hashCode()); hashCode = prime * hashCode + ((getEncryptionContext() == null) ? 0 : getEncryptionContext().hashCode()); hashCode = prime * hashCode + ((getNumberOfBytes() == null) ? 0 : getNumberOfBytes().hashCode()); hashCode = prime * hashCode + ((getKeySpec() == null) ? 0 : getKeySpec().hashCode()); hashCode = prime * hashCode + ((getGrantTokens() == null) ? 0 : getGrantTokens().hashCode()); hashCode = prime * hashCode + ((getRecipient() == null) ? 0 : getRecipient().hashCode()); hashCode = prime * hashCode + ((getDryRun() == null) ? 0 : getDryRun().hashCode()); return hashCode; } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (obj instanceof GenerateDataKeyRequest == false) return false; GenerateDataKeyRequest other = (GenerateDataKeyRequest) obj; if (other.getKeyId() == null ^ this.getKeyId() == null) return false; if (other.getKeyId() != null && other.getKeyId().equals(this.getKeyId()) == false) return false; if (other.getEncryptionContext() == null ^ this.getEncryptionContext() == null) return false; if (other.getEncryptionContext() != null && other.getEncryptionContext().equals(this.getEncryptionContext()) == false) return false; if (other.getNumberOfBytes() == null ^ this.getNumberOfBytes() == null) return false; if (other.getNumberOfBytes() != null && other.getNumberOfBytes().equals(this.getNumberOfBytes()) == false) return false; if (other.getKeySpec() == null ^ this.getKeySpec() == null) return false; if (other.getKeySpec() != null && other.getKeySpec().equals(this.getKeySpec()) == false) return false; if (other.getGrantTokens() == null ^ this.getGrantTokens() == null) return false; if (other.getGrantTokens() != null && other.getGrantTokens().equals(this.getGrantTokens()) == false) return false; if (other.getRecipient() == null ^ this.getRecipient() == null) return false; if (other.getRecipient() != null && other.getRecipient().equals(this.getRecipient()) == false) return false; if (other.getDryRun() == null ^ this.getDryRun() == null) return false; if (other.getDryRun() != null && other.getDryRun().equals(this.getDryRun()) == false) return false; return true; } }