// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten. include "../StandardLibrary/StandardLibrary.dfy" include "../Util/UTF8.dfy" module {:extern "Dafny.Com.Amazonaws.Kms"} Com.Amazonaws.Kms { import opened Wrappers import opened StandardLibrary.UInt import opened UTF8 datatype AlgorithmSpec = | RSAES_PKCS1_V1_5 | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 type AliasList = seq datatype AliasListEntry = AliasListEntry ( nameonly AliasName: Option , nameonly AliasArn: Option , nameonly TargetKeyId: Option , nameonly CreationDate: Option , nameonly LastUpdatedDate: Option ) type AliasNameType = x: string | IsValid_AliasNameType(x) witness * predicate method IsValid_AliasNameType(x: string) { ( 1 <= |x| <= 256 ) } class AlreadyExistsException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type ArnType = x: string | IsValid_ArnType(x) witness * predicate method IsValid_ArnType(x: string) { ( 20 <= |x| <= 2048 ) } type AWSAccountIdType = string type BooleanType = bool datatype CancelKeyDeletionRequest = CancelKeyDeletionRequest ( nameonly KeyId: KeyIdType ) datatype CancelKeyDeletionResponse = CancelKeyDeletionResponse ( nameonly KeyId: Option ) type CiphertextType = x: seq | IsValid_CiphertextType(x) witness * predicate method IsValid_CiphertextType(x: seq) { ( 1 <= |x| <= 6144 ) } type CloudHsmClusterIdType = x: string | IsValid_CloudHsmClusterIdType(x) witness * predicate method IsValid_CloudHsmClusterIdType(x: string) { ( 19 <= |x| <= 24 ) } class CloudHsmClusterInUseException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class CloudHsmClusterInvalidConfigurationException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class CloudHsmClusterNotActiveException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class CloudHsmClusterNotFoundException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class CloudHsmClusterNotRelatedException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype ConnectCustomKeyStoreRequest = ConnectCustomKeyStoreRequest ( nameonly CustomKeyStoreId: CustomKeyStoreIdType ) datatype ConnectCustomKeyStoreResponse = ConnectCustomKeyStoreResponse ( ) datatype ConnectionErrorCodeType = | INVALID_CREDENTIALS | CLUSTER_NOT_FOUND | NETWORK_ERRORS | INTERNAL_ERROR | INSUFFICIENT_CLOUDHSM_HSMS | USER_LOCKED_OUT | USER_NOT_FOUND | USER_LOGGED_IN | SUBNET_NOT_FOUND datatype ConnectionStateType = | CONNECTED | CONNECTING | FAILED | DISCONNECTED | DISCONNECTING datatype CreateAliasRequest = CreateAliasRequest ( nameonly AliasName: AliasNameType , nameonly TargetKeyId: KeyIdType ) datatype CreateCustomKeyStoreRequest = CreateCustomKeyStoreRequest ( nameonly CustomKeyStoreName: CustomKeyStoreNameType , nameonly CloudHsmClusterId: CloudHsmClusterIdType , nameonly TrustAnchorCertificate: TrustAnchorCertificateType , nameonly KeyStorePassword: KeyStorePasswordType ) datatype CreateCustomKeyStoreResponse = CreateCustomKeyStoreResponse ( nameonly CustomKeyStoreId: Option ) datatype CreateGrantRequest = CreateGrantRequest ( nameonly KeyId: KeyIdType , nameonly GranteePrincipal: PrincipalIdType , nameonly RetiringPrincipal: Option , nameonly Operations: GrantOperationList , nameonly Constraints: Option , nameonly GrantTokens: Option , nameonly Name: Option ) datatype CreateGrantResponse = CreateGrantResponse ( nameonly GrantToken: Option , nameonly GrantId: Option ) datatype CreateKeyRequest = CreateKeyRequest ( nameonly Policy: Option , nameonly Description: Option , nameonly KeyUsage: Option , nameonly CustomerMasterKeySpec: Option , nameonly KeySpec: Option , nameonly Origin: Option , nameonly CustomKeyStoreId: Option , nameonly BypassPolicyLockoutSafetyCheck: Option , nameonly Tags: Option , nameonly MultiRegion: Option ) datatype CreateKeyResponse = CreateKeyResponse ( nameonly KeyMetadata: Option ) datatype CustomerMasterKeySpec = | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521 | ECC_SECG_P256K1 | SYMMETRIC_DEFAULT class CustomKeyStoreHasCMKsException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type CustomKeyStoreIdType = x: string | IsValid_CustomKeyStoreIdType(x) witness * predicate method IsValid_CustomKeyStoreIdType(x: string) { ( 1 <= |x| <= 64 ) } class CustomKeyStoreInvalidStateException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class CustomKeyStoreNameInUseException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type CustomKeyStoreNameType = x: string | IsValid_CustomKeyStoreNameType(x) witness * predicate method IsValid_CustomKeyStoreNameType(x: string) { ( 1 <= |x| <= 256 ) } class CustomKeyStoreNotFoundException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type CustomKeyStoresList = seq datatype CustomKeyStoresListEntry = CustomKeyStoresListEntry ( nameonly CustomKeyStoreId: Option , nameonly CustomKeyStoreName: Option , nameonly CloudHsmClusterId: Option , nameonly TrustAnchorCertificate: Option , nameonly ConnectionState: Option , nameonly ConnectionErrorCode: Option , nameonly CreationDate: Option ) datatype DataKeyPairSpec = | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521 | ECC_SECG_P256K1 datatype DataKeySpec = | AES_256 | AES_128 datatype DecryptRequest = DecryptRequest ( nameonly CiphertextBlob: CiphertextType , nameonly EncryptionContext: Option , nameonly GrantTokens: Option , nameonly KeyId: Option , nameonly EncryptionAlgorithm: Option ) datatype DecryptResponse = DecryptResponse ( nameonly KeyId: Option , nameonly Plaintext: Option , nameonly EncryptionAlgorithm: Option ) datatype DeleteAliasRequest = DeleteAliasRequest ( nameonly AliasName: AliasNameType ) datatype DeleteCustomKeyStoreRequest = DeleteCustomKeyStoreRequest ( nameonly CustomKeyStoreId: CustomKeyStoreIdType ) datatype DeleteCustomKeyStoreResponse = DeleteCustomKeyStoreResponse ( ) datatype DeleteImportedKeyMaterialRequest = DeleteImportedKeyMaterialRequest ( nameonly KeyId: KeyIdType ) class DependencyTimeoutException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype DescribeCustomKeyStoresRequest = DescribeCustomKeyStoresRequest ( nameonly CustomKeyStoreId: Option , nameonly CustomKeyStoreName: Option , nameonly Limit: Option , nameonly Marker: Option ) datatype DescribeCustomKeyStoresResponse = DescribeCustomKeyStoresResponse ( nameonly CustomKeyStores: Option , nameonly NextMarker: Option , nameonly Truncated: Option ) datatype DescribeKeyRequest = DescribeKeyRequest ( nameonly KeyId: KeyIdType , nameonly GrantTokens: Option ) datatype DescribeKeyResponse = DescribeKeyResponse ( nameonly KeyMetadata: Option ) type DescriptionType = x: string | IsValid_DescriptionType(x) witness * predicate method IsValid_DescriptionType(x: string) { ( 0 <= |x| <= 8192 ) } class DisabledException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype DisableKeyRequest = DisableKeyRequest ( nameonly KeyId: KeyIdType ) datatype DisableKeyRotationRequest = DisableKeyRotationRequest ( nameonly KeyId: KeyIdType ) datatype DisconnectCustomKeyStoreRequest = DisconnectCustomKeyStoreRequest ( nameonly CustomKeyStoreId: CustomKeyStoreIdType ) datatype DisconnectCustomKeyStoreResponse = DisconnectCustomKeyStoreResponse ( ) datatype EnableKeyRequest = EnableKeyRequest ( nameonly KeyId: KeyIdType ) datatype EnableKeyRotationRequest = EnableKeyRotationRequest ( nameonly KeyId: KeyIdType ) datatype EncryptionAlgorithmSpec = | SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 type EncryptionAlgorithmSpecList = seq type EncryptionContextKey = string type EncryptionContextType = map type EncryptionContextValue = string datatype EncryptRequest = EncryptRequest ( nameonly KeyId: KeyIdType , nameonly Plaintext: PlaintextType , nameonly EncryptionContext: Option , nameonly GrantTokens: Option , nameonly EncryptionAlgorithm: Option ) datatype EncryptResponse = EncryptResponse ( nameonly CiphertextBlob: Option , nameonly KeyId: Option , nameonly EncryptionAlgorithm: Option ) type ErrorMessageType = string datatype ExpirationModelType = | KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE class ExpiredImportTokenException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype GenerateDataKeyPairRequest = GenerateDataKeyPairRequest ( nameonly EncryptionContext: Option , nameonly KeyId: KeyIdType , nameonly KeyPairSpec: DataKeyPairSpec , nameonly GrantTokens: Option ) datatype GenerateDataKeyPairResponse = GenerateDataKeyPairResponse ( nameonly PrivateKeyCiphertextBlob: Option , nameonly PrivateKeyPlaintext: Option , nameonly PublicKey: Option , nameonly KeyId: Option , nameonly KeyPairSpec: Option ) datatype GenerateDataKeyPairWithoutPlaintextRequest = GenerateDataKeyPairWithoutPlaintextRequest ( nameonly EncryptionContext: Option , nameonly KeyId: KeyIdType , nameonly KeyPairSpec: DataKeyPairSpec , nameonly GrantTokens: Option ) datatype GenerateDataKeyPairWithoutPlaintextResponse = GenerateDataKeyPairWithoutPlaintextResponse ( nameonly PrivateKeyCiphertextBlob: Option , nameonly PublicKey: Option , nameonly KeyId: Option , nameonly KeyPairSpec: Option ) datatype GenerateDataKeyRequest = GenerateDataKeyRequest ( nameonly KeyId: KeyIdType , nameonly EncryptionContext: Option , nameonly NumberOfBytes: Option , nameonly KeySpec: Option , nameonly GrantTokens: Option ) datatype GenerateDataKeyResponse = GenerateDataKeyResponse ( nameonly CiphertextBlob: Option , nameonly Plaintext: Option , nameonly KeyId: Option ) datatype GenerateDataKeyWithoutPlaintextRequest = GenerateDataKeyWithoutPlaintextRequest ( nameonly KeyId: KeyIdType , nameonly EncryptionContext: Option , nameonly KeySpec: Option , nameonly NumberOfBytes: Option , nameonly GrantTokens: Option ) datatype GenerateDataKeyWithoutPlaintextResponse = GenerateDataKeyWithoutPlaintextResponse ( nameonly CiphertextBlob: Option , nameonly KeyId: Option ) datatype GenerateRandomRequest = GenerateRandomRequest ( nameonly NumberOfBytes: Option , nameonly CustomKeyStoreId: Option ) datatype GenerateRandomResponse = GenerateRandomResponse ( nameonly Plaintext: Option ) datatype GetKeyPolicyRequest = GetKeyPolicyRequest ( nameonly KeyId: KeyIdType , nameonly PolicyName: PolicyNameType ) datatype GetKeyPolicyResponse = GetKeyPolicyResponse ( nameonly Policy: Option ) datatype GetKeyRotationStatusRequest = GetKeyRotationStatusRequest ( nameonly KeyId: KeyIdType ) datatype GetKeyRotationStatusResponse = GetKeyRotationStatusResponse ( nameonly KeyRotationEnabled: Option ) datatype GetParametersForImportRequest = GetParametersForImportRequest ( nameonly KeyId: KeyIdType , nameonly WrappingAlgorithm: AlgorithmSpec , nameonly WrappingKeySpec: WrappingKeySpec ) datatype GetParametersForImportResponse = GetParametersForImportResponse ( nameonly KeyId: Option , nameonly ImportToken: Option , nameonly PublicKey: Option , nameonly ParametersValidTo: Option ) datatype GetPublicKeyRequest = GetPublicKeyRequest ( nameonly KeyId: KeyIdType , nameonly GrantTokens: Option ) datatype GetPublicKeyResponse = GetPublicKeyResponse ( nameonly KeyId: Option , nameonly PublicKey: Option , nameonly CustomerMasterKeySpec: Option , nameonly KeySpec: Option , nameonly KeyUsage: Option , nameonly EncryptionAlgorithms: Option , nameonly SigningAlgorithms: Option ) datatype GrantConstraints = GrantConstraints ( nameonly EncryptionContextSubset: Option , nameonly EncryptionContextEquals: Option ) type GrantIdType = x: string | IsValid_GrantIdType(x) witness * predicate method IsValid_GrantIdType(x: string) { ( 1 <= |x| <= 128 ) } type GrantList = seq datatype GrantListEntry = GrantListEntry ( nameonly KeyId: Option , nameonly GrantId: Option , nameonly Name: Option , nameonly CreationDate: Option , nameonly GranteePrincipal: Option , nameonly RetiringPrincipal: Option , nameonly IssuingAccount: Option , nameonly Operations: Option , nameonly Constraints: Option ) type GrantNameType = x: string | IsValid_GrantNameType(x) witness * predicate method IsValid_GrantNameType(x: string) { ( 1 <= |x| <= 256 ) } datatype GrantOperation = | Decrypt | Encrypt | GenerateDataKey | GenerateDataKeyWithoutPlaintext | ReEncryptFrom | ReEncryptTo | Sign | Verify | GetPublicKey | CreateGrant | RetireGrant | DescribeKey | GenerateDataKeyPair | GenerateDataKeyPairWithoutPlaintext type GrantOperationList = seq type GrantTokenList = x: seq | IsValid_GrantTokenList(x) witness * predicate method IsValid_GrantTokenList(x: seq) { ( 0 <= |x| <= 10 ) } type GrantTokenType = x: string | IsValid_GrantTokenType(x) witness * predicate method IsValid_GrantTokenType(x: string) { ( 1 <= |x| <= 8192 ) } datatype ImportKeyMaterialRequest = ImportKeyMaterialRequest ( nameonly KeyId: KeyIdType , nameonly ImportToken: CiphertextType , nameonly EncryptedKeyMaterial: CiphertextType , nameonly ValidTo: Option , nameonly ExpirationModel: Option ) datatype ImportKeyMaterialResponse = ImportKeyMaterialResponse ( ) class IncorrectKeyException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class IncorrectKeyMaterialException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class IncorrectTrustAnchorException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidAliasNameException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidArnException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidCiphertextException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidGrantIdException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidGrantTokenException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidImportTokenException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidKeyUsageException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class InvalidMarkerException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type KeyIdType = x: string | IsValid_KeyIdType(x) witness * predicate method IsValid_KeyIdType(x: string) { ( 1 <= |x| <= 2048 ) } type KeyList = seq datatype KeyListEntry = KeyListEntry ( nameonly KeyId: Option , nameonly KeyArn: Option ) trait IKeyManagementServiceClient { predicate {:opaque} CancelKeyDeletionCalledWith ( input: CancelKeyDeletionRequest ) {true} predicate {:opaque} CancelKeyDeletionSucceededWith ( input: CancelKeyDeletionRequest , output: CancelKeyDeletionResponse ) {true} method CancelKeyDeletion ( input: CancelKeyDeletionRequest ) returns ( output: Result ) ensures CancelKeyDeletionCalledWith ( input ) ensures output.Success? ==> CancelKeyDeletionSucceededWith ( input , output.value ) predicate {:opaque} ConnectCustomKeyStoreCalledWith ( input: ConnectCustomKeyStoreRequest ) {true} predicate {:opaque} ConnectCustomKeyStoreSucceededWith ( input: ConnectCustomKeyStoreRequest , output: ConnectCustomKeyStoreResponse ) {true} method ConnectCustomKeyStore ( input: ConnectCustomKeyStoreRequest ) returns ( output: Result ) ensures ConnectCustomKeyStoreCalledWith ( input ) ensures output.Success? ==> ConnectCustomKeyStoreSucceededWith ( input , output.value ) predicate {:opaque} CreateAliasCalledWith ( input: CreateAliasRequest ) {true} predicate {:opaque} CreateAliasSucceededWith ( input: CreateAliasRequest ) {true} method CreateAlias ( input: CreateAliasRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures CreateAliasCalledWith ( input ) ensures output.Success? ==> CreateAliasSucceededWith ( input ) predicate {:opaque} CreateCustomKeyStoreCalledWith ( input: CreateCustomKeyStoreRequest ) {true} predicate {:opaque} CreateCustomKeyStoreSucceededWith ( input: CreateCustomKeyStoreRequest , output: CreateCustomKeyStoreResponse ) {true} method CreateCustomKeyStore ( input: CreateCustomKeyStoreRequest ) returns ( output: Result ) ensures CreateCustomKeyStoreCalledWith ( input ) ensures output.Success? ==> CreateCustomKeyStoreSucceededWith ( input , output.value ) predicate {:opaque} CreateGrantCalledWith ( input: CreateGrantRequest ) {true} predicate {:opaque} CreateGrantSucceededWith ( input: CreateGrantRequest , output: CreateGrantResponse ) {true} method CreateGrant ( input: CreateGrantRequest ) returns ( output: Result ) ensures CreateGrantCalledWith ( input ) ensures output.Success? ==> CreateGrantSucceededWith ( input , output.value ) predicate {:opaque} CreateKeyCalledWith ( input: CreateKeyRequest ) {true} predicate {:opaque} CreateKeySucceededWith ( input: CreateKeyRequest , output: CreateKeyResponse ) {true} method CreateKey ( input: CreateKeyRequest ) returns ( output: Result ) ensures CreateKeyCalledWith ( input ) ensures output.Success? ==> CreateKeySucceededWith ( input , output.value ) predicate {:opaque} DecryptCalledWith ( input: DecryptRequest ) {true} predicate {:opaque} DecryptSucceededWith ( input: DecryptRequest , output: DecryptResponse ) {true} method Decrypt ( input: DecryptRequest ) returns ( output: Result ) ensures DecryptCalledWith ( input ) ensures output.Success? ==> DecryptSucceededWith ( input , output.value ) predicate {:opaque} DeleteAliasCalledWith ( input: DeleteAliasRequest ) {true} predicate {:opaque} DeleteAliasSucceededWith ( input: DeleteAliasRequest ) {true} method DeleteAlias ( input: DeleteAliasRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures DeleteAliasCalledWith ( input ) ensures output.Success? ==> DeleteAliasSucceededWith ( input ) predicate {:opaque} DeleteCustomKeyStoreCalledWith ( input: DeleteCustomKeyStoreRequest ) {true} predicate {:opaque} DeleteCustomKeyStoreSucceededWith ( input: DeleteCustomKeyStoreRequest , output: DeleteCustomKeyStoreResponse ) {true} method DeleteCustomKeyStore ( input: DeleteCustomKeyStoreRequest ) returns ( output: Result ) ensures DeleteCustomKeyStoreCalledWith ( input ) ensures output.Success? ==> DeleteCustomKeyStoreSucceededWith ( input , output.value ) predicate {:opaque} DeleteImportedKeyMaterialCalledWith ( input: DeleteImportedKeyMaterialRequest ) {true} predicate {:opaque} DeleteImportedKeyMaterialSucceededWith ( input: DeleteImportedKeyMaterialRequest ) {true} method DeleteImportedKeyMaterial ( input: DeleteImportedKeyMaterialRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures DeleteImportedKeyMaterialCalledWith ( input ) ensures output.Success? ==> DeleteImportedKeyMaterialSucceededWith ( input ) predicate {:opaque} DescribeCustomKeyStoresCalledWith ( input: DescribeCustomKeyStoresRequest ) {true} predicate {:opaque} DescribeCustomKeyStoresSucceededWith ( input: DescribeCustomKeyStoresRequest , output: DescribeCustomKeyStoresResponse ) {true} method DescribeCustomKeyStores ( input: DescribeCustomKeyStoresRequest ) returns ( output: Result ) ensures DescribeCustomKeyStoresCalledWith ( input ) ensures output.Success? ==> DescribeCustomKeyStoresSucceededWith ( input , output.value ) predicate {:opaque} DescribeKeyCalledWith ( input: DescribeKeyRequest ) {true} predicate {:opaque} DescribeKeySucceededWith ( input: DescribeKeyRequest , output: DescribeKeyResponse ) {true} method DescribeKey ( input: DescribeKeyRequest ) returns ( output: Result ) ensures DescribeKeyCalledWith ( input ) ensures output.Success? ==> DescribeKeySucceededWith ( input , output.value ) predicate {:opaque} DisableKeyCalledWith ( input: DisableKeyRequest ) {true} predicate {:opaque} DisableKeySucceededWith ( input: DisableKeyRequest ) {true} method DisableKey ( input: DisableKeyRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures DisableKeyCalledWith ( input ) ensures output.Success? ==> DisableKeySucceededWith ( input ) predicate {:opaque} DisableKeyRotationCalledWith ( input: DisableKeyRotationRequest ) {true} predicate {:opaque} DisableKeyRotationSucceededWith ( input: DisableKeyRotationRequest ) {true} method DisableKeyRotation ( input: DisableKeyRotationRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures DisableKeyRotationCalledWith ( input ) ensures output.Success? ==> DisableKeyRotationSucceededWith ( input ) predicate {:opaque} DisconnectCustomKeyStoreCalledWith ( input: DisconnectCustomKeyStoreRequest ) {true} predicate {:opaque} DisconnectCustomKeyStoreSucceededWith ( input: DisconnectCustomKeyStoreRequest , output: DisconnectCustomKeyStoreResponse ) {true} method DisconnectCustomKeyStore ( input: DisconnectCustomKeyStoreRequest ) returns ( output: Result ) ensures DisconnectCustomKeyStoreCalledWith ( input ) ensures output.Success? ==> DisconnectCustomKeyStoreSucceededWith ( input , output.value ) predicate {:opaque} EnableKeyCalledWith ( input: EnableKeyRequest ) {true} predicate {:opaque} EnableKeySucceededWith ( input: EnableKeyRequest ) {true} method EnableKey ( input: EnableKeyRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures EnableKeyCalledWith ( input ) ensures output.Success? ==> EnableKeySucceededWith ( input ) predicate {:opaque} EnableKeyRotationCalledWith ( input: EnableKeyRotationRequest ) {true} predicate {:opaque} EnableKeyRotationSucceededWith ( input: EnableKeyRotationRequest ) {true} method EnableKeyRotation ( input: EnableKeyRotationRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures EnableKeyRotationCalledWith ( input ) ensures output.Success? ==> EnableKeyRotationSucceededWith ( input ) predicate {:opaque} EncryptCalledWith ( input: EncryptRequest ) {true} predicate {:opaque} EncryptSucceededWith ( input: EncryptRequest , output: EncryptResponse ) {true} method Encrypt ( input: EncryptRequest ) returns ( output: Result ) ensures EncryptCalledWith ( input ) ensures output.Success? ==> EncryptSucceededWith ( input , output.value ) predicate {:opaque} GenerateDataKeyCalledWith ( input: GenerateDataKeyRequest ) {true} predicate {:opaque} GenerateDataKeySucceededWith ( input: GenerateDataKeyRequest , output: GenerateDataKeyResponse ) {true} method GenerateDataKey ( input: GenerateDataKeyRequest ) returns ( output: Result ) ensures GenerateDataKeyCalledWith ( input ) ensures output.Success? ==> GenerateDataKeySucceededWith ( input , output.value ) predicate {:opaque} GenerateDataKeyPairCalledWith ( input: GenerateDataKeyPairRequest ) {true} predicate {:opaque} GenerateDataKeyPairSucceededWith ( input: GenerateDataKeyPairRequest , output: GenerateDataKeyPairResponse ) {true} method GenerateDataKeyPair ( input: GenerateDataKeyPairRequest ) returns ( output: Result ) ensures GenerateDataKeyPairCalledWith ( input ) ensures output.Success? ==> GenerateDataKeyPairSucceededWith ( input , output.value ) predicate {:opaque} GenerateDataKeyPairWithoutPlaintextCalledWith ( input: GenerateDataKeyPairWithoutPlaintextRequest ) {true} predicate {:opaque} GenerateDataKeyPairWithoutPlaintextSucceededWith ( input: GenerateDataKeyPairWithoutPlaintextRequest , output: GenerateDataKeyPairWithoutPlaintextResponse ) {true} method GenerateDataKeyPairWithoutPlaintext ( input: GenerateDataKeyPairWithoutPlaintextRequest ) returns ( output: Result ) ensures GenerateDataKeyPairWithoutPlaintextCalledWith ( input ) ensures output.Success? ==> GenerateDataKeyPairWithoutPlaintextSucceededWith ( input , output.value ) predicate {:opaque} GenerateDataKeyWithoutPlaintextCalledWith ( input: GenerateDataKeyWithoutPlaintextRequest ) {true} predicate {:opaque} GenerateDataKeyWithoutPlaintextSucceededWith ( input: GenerateDataKeyWithoutPlaintextRequest , output: GenerateDataKeyWithoutPlaintextResponse ) {true} method GenerateDataKeyWithoutPlaintext ( input: GenerateDataKeyWithoutPlaintextRequest ) returns ( output: Result ) ensures GenerateDataKeyWithoutPlaintextCalledWith ( input ) ensures output.Success? ==> GenerateDataKeyWithoutPlaintextSucceededWith ( input , output.value ) predicate {:opaque} GenerateRandomCalledWith ( input: GenerateRandomRequest ) {true} predicate {:opaque} GenerateRandomSucceededWith ( input: GenerateRandomRequest , output: GenerateRandomResponse ) {true} method GenerateRandom ( input: GenerateRandomRequest ) returns ( output: Result ) ensures GenerateRandomCalledWith ( input ) ensures output.Success? ==> GenerateRandomSucceededWith ( input , output.value ) predicate {:opaque} GetKeyPolicyCalledWith ( input: GetKeyPolicyRequest ) {true} predicate {:opaque} GetKeyPolicySucceededWith ( input: GetKeyPolicyRequest , output: GetKeyPolicyResponse ) {true} method GetKeyPolicy ( input: GetKeyPolicyRequest ) returns ( output: Result ) ensures GetKeyPolicyCalledWith ( input ) ensures output.Success? ==> GetKeyPolicySucceededWith ( input , output.value ) predicate {:opaque} GetKeyRotationStatusCalledWith ( input: GetKeyRotationStatusRequest ) {true} predicate {:opaque} GetKeyRotationStatusSucceededWith ( input: GetKeyRotationStatusRequest , output: GetKeyRotationStatusResponse ) {true} method GetKeyRotationStatus ( input: GetKeyRotationStatusRequest ) returns ( output: Result ) ensures GetKeyRotationStatusCalledWith ( input ) ensures output.Success? ==> GetKeyRotationStatusSucceededWith ( input , output.value ) predicate {:opaque} GetParametersForImportCalledWith ( input: GetParametersForImportRequest ) {true} predicate {:opaque} GetParametersForImportSucceededWith ( input: GetParametersForImportRequest , output: GetParametersForImportResponse ) {true} method GetParametersForImport ( input: GetParametersForImportRequest ) returns ( output: Result ) ensures GetParametersForImportCalledWith ( input ) ensures output.Success? ==> GetParametersForImportSucceededWith ( input , output.value ) predicate {:opaque} GetPublicKeyCalledWith ( input: GetPublicKeyRequest ) {true} predicate {:opaque} GetPublicKeySucceededWith ( input: GetPublicKeyRequest , output: GetPublicKeyResponse ) {true} method GetPublicKey ( input: GetPublicKeyRequest ) returns ( output: Result ) ensures GetPublicKeyCalledWith ( input ) ensures output.Success? ==> GetPublicKeySucceededWith ( input , output.value ) predicate {:opaque} ImportKeyMaterialCalledWith ( input: ImportKeyMaterialRequest ) {true} predicate {:opaque} ImportKeyMaterialSucceededWith ( input: ImportKeyMaterialRequest , output: ImportKeyMaterialResponse ) {true} method ImportKeyMaterial ( input: ImportKeyMaterialRequest ) returns ( output: Result ) ensures ImportKeyMaterialCalledWith ( input ) ensures output.Success? ==> ImportKeyMaterialSucceededWith ( input , output.value ) predicate {:opaque} ListAliasesCalledWith ( input: ListAliasesRequest ) {true} predicate {:opaque} ListAliasesSucceededWith ( input: ListAliasesRequest , output: ListAliasesResponse ) {true} method ListAliases ( input: ListAliasesRequest ) returns ( output: Result ) ensures ListAliasesCalledWith ( input ) ensures output.Success? ==> ListAliasesSucceededWith ( input , output.value ) predicate {:opaque} ListGrantsCalledWith ( input: ListGrantsRequest ) {true} predicate {:opaque} ListGrantsSucceededWith ( input: ListGrantsRequest , output: ListGrantsResponse ) {true} method ListGrants ( input: ListGrantsRequest ) returns ( output: Result ) ensures ListGrantsCalledWith ( input ) ensures output.Success? ==> ListGrantsSucceededWith ( input , output.value ) predicate {:opaque} ListKeyPoliciesCalledWith ( input: ListKeyPoliciesRequest ) {true} predicate {:opaque} ListKeyPoliciesSucceededWith ( input: ListKeyPoliciesRequest , output: ListKeyPoliciesResponse ) {true} method ListKeyPolicies ( input: ListKeyPoliciesRequest ) returns ( output: Result ) ensures ListKeyPoliciesCalledWith ( input ) ensures output.Success? ==> ListKeyPoliciesSucceededWith ( input , output.value ) predicate {:opaque} ListResourceTagsCalledWith ( input: ListResourceTagsRequest ) {true} predicate {:opaque} ListResourceTagsSucceededWith ( input: ListResourceTagsRequest , output: ListResourceTagsResponse ) {true} method ListResourceTags ( input: ListResourceTagsRequest ) returns ( output: Result ) ensures ListResourceTagsCalledWith ( input ) ensures output.Success? ==> ListResourceTagsSucceededWith ( input , output.value ) predicate {:opaque} PutKeyPolicyCalledWith ( input: PutKeyPolicyRequest ) {true} predicate {:opaque} PutKeyPolicySucceededWith ( input: PutKeyPolicyRequest ) {true} method PutKeyPolicy ( input: PutKeyPolicyRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures PutKeyPolicyCalledWith ( input ) ensures output.Success? ==> PutKeyPolicySucceededWith ( input ) predicate {:opaque} ReEncryptCalledWith ( input: ReEncryptRequest ) {true} predicate {:opaque} ReEncryptSucceededWith ( input: ReEncryptRequest , output: ReEncryptResponse ) {true} method ReEncrypt ( input: ReEncryptRequest ) returns ( output: Result ) ensures ReEncryptCalledWith ( input ) ensures output.Success? ==> ReEncryptSucceededWith ( input , output.value ) predicate {:opaque} ReplicateKeyCalledWith ( input: ReplicateKeyRequest ) {true} predicate {:opaque} ReplicateKeySucceededWith ( input: ReplicateKeyRequest , output: ReplicateKeyResponse ) {true} method ReplicateKey ( input: ReplicateKeyRequest ) returns ( output: Result ) ensures ReplicateKeyCalledWith ( input ) ensures output.Success? ==> ReplicateKeySucceededWith ( input , output.value ) predicate {:opaque} RetireGrantCalledWith ( input: RetireGrantRequest ) {true} predicate {:opaque} RetireGrantSucceededWith ( input: RetireGrantRequest ) {true} method RetireGrant ( input: RetireGrantRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures RetireGrantCalledWith ( input ) ensures output.Success? ==> RetireGrantSucceededWith ( input ) predicate {:opaque} RevokeGrantCalledWith ( input: RevokeGrantRequest ) {true} predicate {:opaque} RevokeGrantSucceededWith ( input: RevokeGrantRequest ) {true} method RevokeGrant ( input: RevokeGrantRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures RevokeGrantCalledWith ( input ) ensures output.Success? ==> RevokeGrantSucceededWith ( input ) predicate {:opaque} ScheduleKeyDeletionCalledWith ( input: ScheduleKeyDeletionRequest ) {true} predicate {:opaque} ScheduleKeyDeletionSucceededWith ( input: ScheduleKeyDeletionRequest , output: ScheduleKeyDeletionResponse ) {true} method ScheduleKeyDeletion ( input: ScheduleKeyDeletionRequest ) returns ( output: Result ) ensures ScheduleKeyDeletionCalledWith ( input ) ensures output.Success? ==> ScheduleKeyDeletionSucceededWith ( input , output.value ) predicate {:opaque} SignCalledWith ( input: SignRequest ) {true} predicate {:opaque} SignSucceededWith ( input: SignRequest , output: SignResponse ) {true} method Sign ( input: SignRequest ) returns ( output: Result ) ensures SignCalledWith ( input ) ensures output.Success? ==> SignSucceededWith ( input , output.value ) predicate {:opaque} TagResourceCalledWith ( input: TagResourceRequest ) {true} predicate {:opaque} TagResourceSucceededWith ( input: TagResourceRequest ) {true} method TagResource ( input: TagResourceRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures TagResourceCalledWith ( input ) ensures output.Success? ==> TagResourceSucceededWith ( input ) predicate {:opaque} UntagResourceCalledWith ( input: UntagResourceRequest ) {true} predicate {:opaque} UntagResourceSucceededWith ( input: UntagResourceRequest ) {true} method UntagResource ( input: UntagResourceRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures UntagResourceCalledWith ( input ) ensures output.Success? ==> UntagResourceSucceededWith ( input ) predicate {:opaque} UpdateAliasCalledWith ( input: UpdateAliasRequest ) {true} predicate {:opaque} UpdateAliasSucceededWith ( input: UpdateAliasRequest ) {true} method UpdateAlias ( input: UpdateAliasRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures UpdateAliasCalledWith ( input ) ensures output.Success? ==> UpdateAliasSucceededWith ( input ) predicate {:opaque} UpdateCustomKeyStoreCalledWith ( input: UpdateCustomKeyStoreRequest ) {true} predicate {:opaque} UpdateCustomKeyStoreSucceededWith ( input: UpdateCustomKeyStoreRequest , output: UpdateCustomKeyStoreResponse ) {true} method UpdateCustomKeyStore ( input: UpdateCustomKeyStoreRequest ) returns ( output: Result ) ensures UpdateCustomKeyStoreCalledWith ( input ) ensures output.Success? ==> UpdateCustomKeyStoreSucceededWith ( input , output.value ) predicate {:opaque} UpdateKeyDescriptionCalledWith ( input: UpdateKeyDescriptionRequest ) {true} predicate {:opaque} UpdateKeyDescriptionSucceededWith ( input: UpdateKeyDescriptionRequest ) {true} method UpdateKeyDescription ( input: UpdateKeyDescriptionRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures UpdateKeyDescriptionCalledWith ( input ) ensures output.Success? ==> UpdateKeyDescriptionSucceededWith ( input ) predicate {:opaque} UpdatePrimaryRegionCalledWith ( input: UpdatePrimaryRegionRequest ) {true} predicate {:opaque} UpdatePrimaryRegionSucceededWith ( input: UpdatePrimaryRegionRequest ) {true} method UpdatePrimaryRegion ( input: UpdatePrimaryRegionRequest ) returns ( output: Result<(), IKeyManagementServiceException> ) ensures UpdatePrimaryRegionCalledWith ( input ) ensures output.Success? ==> UpdatePrimaryRegionSucceededWith ( input ) predicate {:opaque} VerifyCalledWith ( input: VerifyRequest ) {true} predicate {:opaque} VerifySucceededWith ( input: VerifyRequest , output: VerifyResponse ) {true} method Verify ( input: VerifyRequest ) returns ( output: Result ) ensures VerifyCalledWith ( input ) ensures output.Success? ==> VerifySucceededWith ( input , output.value ) } trait IKeyManagementServiceException { function method GetMessage(): (message: string) reads this } class UnknownKeyManagementServiceError extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype KeyManagerType = | AWS | CUSTOMER datatype KeyMetadata = KeyMetadata ( nameonly AWSAccountId: Option , nameonly KeyId: KeyIdType , nameonly Arn: Option , nameonly CreationDate: Option , nameonly Enabled: Option , nameonly Description: Option , nameonly KeyUsage: Option , nameonly KeyState: Option , nameonly DeletionDate: Option , nameonly ValidTo: Option , nameonly Origin: Option , nameonly CustomKeyStoreId: Option , nameonly CloudHsmClusterId: Option , nameonly ExpirationModel: Option , nameonly KeyManager: Option , nameonly CustomerMasterKeySpec: Option , nameonly KeySpec: Option , nameonly EncryptionAlgorithms: Option , nameonly SigningAlgorithms: Option , nameonly MultiRegion: Option , nameonly MultiRegionConfiguration: Option , nameonly PendingDeletionWindowInDays: Option ) datatype KeySpec = | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521 | ECC_SECG_P256K1 | SYMMETRIC_DEFAULT datatype KeyState = | Creating | Enabled | Disabled | PendingDeletion | PendingImport | PendingReplicaDeletion | Unavailable | Updating type KeyStorePasswordType = x: string | IsValid_KeyStorePasswordType(x) witness * predicate method IsValid_KeyStorePasswordType(x: string) { ( 7 <= |x| <= 32 ) } class KeyUnavailableException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype KeyUsageType = | SIGN_VERIFY | ENCRYPT_DECRYPT class KMSInternalException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class KMSInvalidSignatureException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class KMSInvalidStateException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } class LimitExceededException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type LimitType = x: int32 | IsValid_LimitType(x) witness * predicate method IsValid_LimitType(x: int32) { ( 1 <= x <= 1000 ) } datatype ListAliasesRequest = ListAliasesRequest ( nameonly KeyId: Option , nameonly Limit: Option , nameonly Marker: Option ) datatype ListAliasesResponse = ListAliasesResponse ( nameonly Aliases: Option , nameonly NextMarker: Option , nameonly Truncated: Option ) datatype ListGrantsRequest = ListGrantsRequest ( nameonly Limit: Option , nameonly Marker: Option , nameonly KeyId: KeyIdType , nameonly GrantId: Option , nameonly GranteePrincipal: Option ) datatype ListGrantsResponse = ListGrantsResponse ( nameonly Grants: Option , nameonly NextMarker: Option , nameonly Truncated: Option ) datatype ListKeyPoliciesRequest = ListKeyPoliciesRequest ( nameonly KeyId: KeyIdType , nameonly Limit: Option , nameonly Marker: Option ) datatype ListKeyPoliciesResponse = ListKeyPoliciesResponse ( nameonly PolicyNames: Option , nameonly NextMarker: Option , nameonly Truncated: Option ) datatype ListKeysRequest = ListKeysRequest ( nameonly Limit: Option , nameonly Marker: Option ) datatype ListResourceTagsRequest = ListResourceTagsRequest ( nameonly KeyId: KeyIdType , nameonly Limit: Option , nameonly Marker: Option ) datatype ListResourceTagsResponse = ListResourceTagsResponse ( nameonly Tags: Option , nameonly NextMarker: Option , nameonly Truncated: Option ) datatype ListRetirableGrantsRequest = ListRetirableGrantsRequest ( nameonly Limit: Option , nameonly Marker: Option , nameonly RetiringPrincipal: PrincipalIdType ) class MalformedPolicyDocumentException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type MarkerType = x: string | IsValid_MarkerType(x) witness * predicate method IsValid_MarkerType(x: string) { ( 1 <= |x| <= 1024 ) } datatype MessageType = | RAW | DIGEST datatype MultiRegionConfiguration = MultiRegionConfiguration ( nameonly MultiRegionKeyType: Option , nameonly PrimaryKey: Option , nameonly ReplicaKeys: Option ) datatype MultiRegionKey = MultiRegionKey ( nameonly Arn: Option , nameonly Region: Option ) type MultiRegionKeyList = seq datatype MultiRegionKeyType = | PRIMARY | REPLICA class NotFoundException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type NullableBooleanType = bool type NumberOfBytesType = x: int32 | IsValid_NumberOfBytesType(x) witness * predicate method IsValid_NumberOfBytesType(x: int32) { ( 1 <= x <= 1024 ) } datatype OriginType = | AWS_KMS | EXTERNAL | AWS_CLOUDHSM type PendingWindowInDaysType = x: int32 | IsValid_PendingWindowInDaysType(x) witness * predicate method IsValid_PendingWindowInDaysType(x: int32) { ( 1 <= x <= 365 ) } type PlaintextType = x: seq | IsValid_PlaintextType(x) witness * predicate method IsValid_PlaintextType(x: seq) { ( 1 <= |x| <= 4096 ) } type PolicyNameList = seq type PolicyNameType = x: string | IsValid_PolicyNameType(x) witness * predicate method IsValid_PolicyNameType(x: string) { ( 1 <= |x| <= 128 ) } type PolicyType = x: string | IsValid_PolicyType(x) witness * predicate method IsValid_PolicyType(x: string) { ( 1 <= |x| <= 131072 ) } type PrincipalIdType = x: string | IsValid_PrincipalIdType(x) witness * predicate method IsValid_PrincipalIdType(x: string) { ( 1 <= |x| <= 256 ) } type PublicKeyType = x: seq | IsValid_PublicKeyType(x) witness * predicate method IsValid_PublicKeyType(x: seq) { ( 1 <= |x| <= 8192 ) } datatype PutKeyPolicyRequest = PutKeyPolicyRequest ( nameonly KeyId: KeyIdType , nameonly PolicyName: PolicyNameType , nameonly Policy: PolicyType , nameonly BypassPolicyLockoutSafetyCheck: Option ) datatype ReEncryptRequest = ReEncryptRequest ( nameonly CiphertextBlob: CiphertextType , nameonly SourceEncryptionContext: Option , nameonly SourceKeyId: Option , nameonly DestinationKeyId: KeyIdType , nameonly DestinationEncryptionContext: Option , nameonly SourceEncryptionAlgorithm: Option , nameonly DestinationEncryptionAlgorithm: Option , nameonly GrantTokens: Option ) datatype ReEncryptResponse = ReEncryptResponse ( nameonly CiphertextBlob: Option , nameonly SourceKeyId: Option , nameonly KeyId: Option , nameonly SourceEncryptionAlgorithm: Option , nameonly DestinationEncryptionAlgorithm: Option ) type RegionType = x: string | IsValid_RegionType(x) witness * predicate method IsValid_RegionType(x: string) { ( 1 <= |x| <= 32 ) } datatype ReplicateKeyRequest = ReplicateKeyRequest ( nameonly KeyId: KeyIdType , nameonly ReplicaRegion: RegionType , nameonly Policy: Option , nameonly BypassPolicyLockoutSafetyCheck: Option , nameonly Description: Option , nameonly Tags: Option ) datatype ReplicateKeyResponse = ReplicateKeyResponse ( nameonly ReplicaKeyMetadata: Option , nameonly ReplicaPolicy: Option , nameonly ReplicaTags: Option ) datatype RetireGrantRequest = RetireGrantRequest ( nameonly GrantToken: Option , nameonly KeyId: Option , nameonly GrantId: Option ) datatype RevokeGrantRequest = RevokeGrantRequest ( nameonly KeyId: KeyIdType , nameonly GrantId: GrantIdType ) datatype ScheduleKeyDeletionRequest = ScheduleKeyDeletionRequest ( nameonly KeyId: KeyIdType , nameonly PendingWindowInDays: Option ) datatype ScheduleKeyDeletionResponse = ScheduleKeyDeletionResponse ( nameonly KeyId: Option , nameonly DeletionDate: Option , nameonly KeyState: Option , nameonly PendingWindowInDays: Option ) datatype SigningAlgorithmSpec = | RSASSA_PSS_SHA_256 | RSASSA_PSS_SHA_384 | RSASSA_PSS_SHA_512 | RSASSA_PKCS1_V1_5_SHA_256 | RSASSA_PKCS1_V1_5_SHA_384 | RSASSA_PKCS1_V1_5_SHA_512 | ECDSA_SHA_256 | ECDSA_SHA_384 | ECDSA_SHA_512 type SigningAlgorithmSpecList = seq datatype SignRequest = SignRequest ( nameonly KeyId: KeyIdType , nameonly Message: PlaintextType , nameonly MessageType: Option , nameonly GrantTokens: Option , nameonly SigningAlgorithm: SigningAlgorithmSpec ) datatype SignResponse = SignResponse ( nameonly KeyId: Option , nameonly Signature: Option , nameonly SigningAlgorithm: Option ) datatype Tag = Tag ( nameonly TagKey: TagKeyType , nameonly TagValue: TagValueType ) class TagException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } type TagKeyList = seq type TagKeyType = x: string | IsValid_TagKeyType(x) witness * predicate method IsValid_TagKeyType(x: string) { ( 1 <= |x| <= 128 ) } type TagList = seq datatype TagResourceRequest = TagResourceRequest ( nameonly KeyId: KeyIdType , nameonly Tags: TagList ) type TagValueType = x: string | IsValid_TagValueType(x) witness * predicate method IsValid_TagValueType(x: string) { ( 0 <= |x| <= 256 ) } type TrustAnchorCertificateType = x: string | IsValid_TrustAnchorCertificateType(x) witness * predicate method IsValid_TrustAnchorCertificateType(x: string) { ( 1 <= |x| <= 5000 ) } class UnsupportedOperationException extends IKeyManagementServiceException { var message: string constructor (message: string) { this.message := message; } function method GetMessage(): (message: string) reads this { this.message } } datatype UntagResourceRequest = UntagResourceRequest ( nameonly KeyId: KeyIdType , nameonly TagKeys: TagKeyList ) datatype UpdateAliasRequest = UpdateAliasRequest ( nameonly AliasName: AliasNameType , nameonly TargetKeyId: KeyIdType ) datatype UpdateCustomKeyStoreRequest = UpdateCustomKeyStoreRequest ( nameonly CustomKeyStoreId: CustomKeyStoreIdType , nameonly NewCustomKeyStoreName: Option , nameonly KeyStorePassword: Option , nameonly CloudHsmClusterId: Option ) datatype UpdateCustomKeyStoreResponse = UpdateCustomKeyStoreResponse ( ) datatype UpdateKeyDescriptionRequest = UpdateKeyDescriptionRequest ( nameonly KeyId: KeyIdType , nameonly Description: DescriptionType ) datatype UpdatePrimaryRegionRequest = UpdatePrimaryRegionRequest ( nameonly KeyId: KeyIdType , nameonly PrimaryRegion: RegionType ) datatype VerifyRequest = VerifyRequest ( nameonly KeyId: KeyIdType , nameonly Message: PlaintextType , nameonly MessageType: Option , nameonly Signature: CiphertextType , nameonly SigningAlgorithm: SigningAlgorithmSpec , nameonly GrantTokens: Option ) datatype VerifyResponse = VerifyResponse ( nameonly KeyId: Option , nameonly SignatureValid: Option , nameonly SigningAlgorithm: Option ) datatype WrappingKeySpec = | RSA_2048 }