# RecipientRequest

Specifies an attestation document, which includes information about requesting enclave and the public key to be used to re-encrypt the response, and the encryption algorithm to be used for the encryption.

```json
{
	"AttestationDocument": "Base64EncodedContent",
	"KeyEncryptionAlgorithm": "RSAES_OAEP_SHA_256"
}
```

## AttestationDocument

`AttestationDocument` is generated by the NitroSecureModule of an [AWS Nitro
Enclave](https://aws.amazon.com/ec2/nitro/nitro-enclaves/), as part of the [Cryptographic Attestation
capability](https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html).

If the AWS KMS key policy contains [AWS Nitro Enclaves specific key
policies](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-nitro-enclaves), the
attestation document will be read and validated (signature and format) and the PCRs are compared to
those in the key policy to determine whether the requesting enclave has permission to use the key.

When used in the context of a `RecipientRequest`, the `AttestationDocument` must include a RSA2048 key encoded as a
DER SubjectPublicKeyInfo structure ([RFC 5280](https://tools.ietf.org/html/rfc5280#section-4.1.2.7)). The public key
included in the `AttestationDocument` is used to re-encrypt the data before it is return to the enclave in the `CiphertextForRecipient` response parameter.
The encrypted data is not returned in the `Plaintext` response paramater.

Type: Base64-encoded binary data object

Required: Yes


## KeyEncryptionAlgorithm

Specifies the encryption algorithm to be used to re-encrypt the data. Only `RSAES_OAEP_SHA_256` is supported.

Valid values: `RSAES_OAEP_SHA_256`

Type: String

Required: Yes