/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the Decrypt operation.
/// Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
///
///
///
/// You can use this operation to decrypt ciphertext that was encrypted under a symmetric
/// encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric,
/// you must specify the KMS key and the encryption algorithm that was used to encrypt
/// the ciphertext. For information about asymmetric KMS keys, see Asymmetric
/// KMS keys in the Key Management Service Developer Guide.
///
///
///
/// The Decrypt operation also decrypts ciphertext that was encrypted outside
/// of KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt
/// symmetric ciphertext produced by other libraries, such as the Amazon
/// Web Services Encryption SDK or Amazon
/// S3 client-side encryption. These libraries return a ciphertext format that is
/// incompatible with KMS.
///
///
///
/// If the ciphertext was encrypted under a symmetric encryption KMS key, the KeyId
/// parameter is optional. KMS can get this information from metadata that it adds to
/// the symmetric ciphertext blob. This feature adds durability to your implementation
/// by ensuring that authorized users can decrypt ciphertext decades after it was encrypted,
/// even if they've lost track of the key ID. However, specifying the KMS key is always
/// recommended as a best practice. When you use the KeyId parameter to specify
/// a KMS key, KMS only uses the KMS key you specify. If the ciphertext was encrypted
/// under a different KMS key, the Decrypt operation fails. This practice
/// ensures that you use the KMS key that you intend.
///
///
///
/// Whenever possible, use key policies to give users permission to call the Decrypt
/// operation on a particular KMS key, instead of using &IAM; policies. Otherwise,
/// you might create an &IAM; policy that gives the user Decrypt permission
/// on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys
/// in other accounts if the key policy for the cross-account KMS key permits it. If you
/// must use an IAM policy for Decrypt permissions, limit the user to particular
/// KMS keys or particular trusted accounts. For details, see Best
/// practices for IAM policies in the Key Management Service Developer Guide.
///
///
///
/// Decrypt also supports Amazon
/// Web Services Nitro Enclaves, which provide an isolated compute environment in
/// Amazon EC2. To call Decrypt for a Nitro enclave, use the Amazon
/// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
/// parameter to provide the attestation document for the enclave. Instead of the plaintext
/// data, the response includes the plaintext data encrypted with the public key from
/// the attestation document (CiphertextForRecipient).For information about
/// the interaction between KMS and Amazon Web Services Nitro Enclaves, see How
/// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer
/// Guide..
///
///
///
/// The KMS key that you use for this operation must be in a compatible key state. For
/// details, see Key
/// states of KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Cross-account use: Yes. If you use the KeyId parameter to identify
/// a KMS key in a different Amazon Web Services account, specify the key ARN or the alias
/// ARN of the KMS key.
///
///
///
/// Required permissions: kms:Decrypt
/// (key policy)
///
///
///
/// Related operations:
///
///
///
public partial class DecryptRequest : AmazonKeyManagementServiceRequest
{
private MemoryStream _ciphertextBlob;
private bool? _dryRun;
private EncryptionAlgorithmSpec _encryptionAlgorithm;
private Dictionary _encryptionContext = new Dictionary();
private List _grantTokens = new List();
private string _keyId;
private RecipientInfo _recipient;
///
/// Gets and sets the property CiphertextBlob.
///
/// Ciphertext to be decrypted. The blob includes metadata.
///
///
[AWSProperty(Required=true, Min=1, Max=6144)]
public MemoryStream CiphertextBlob
{
get { return this._ciphertextBlob; }
set { this._ciphertextBlob = value; }
}
// Check to see if CiphertextBlob property is set
internal bool IsSetCiphertextBlob()
{
return this._ciphertextBlob != null;
}
///
/// Gets and sets the property DryRun.
///
/// Checks if your request will succeed. DryRun is an optional parameter.
///
///
///
///
/// To learn more about how to use this parameter, see Testing
/// your KMS API calls in the Key Management Service Developer Guide.
///
///
public bool DryRun
{
get { return this._dryRun.GetValueOrDefault(); }
set { this._dryRun = value; }
}
// Check to see if DryRun property is set
internal bool IsSetDryRun()
{
return this._dryRun.HasValue;
}
///
/// Gets and sets the property EncryptionAlgorithm.
///
/// Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify
/// the same algorithm that was used to encrypt the data. If you specify a different algorithm,
/// the Decrypt operation fails.
///
///
///
/// This parameter is required only when the ciphertext was encrypted under an asymmetric
/// KMS key. The default value, SYMMETRIC_DEFAULT, represents the only supported
/// algorithm that is valid for symmetric encryption KMS keys.
///
///
public EncryptionAlgorithmSpec EncryptionAlgorithm
{
get { return this._encryptionAlgorithm; }
set { this._encryptionAlgorithm = value; }
}
// Check to see if EncryptionAlgorithm property is set
internal bool IsSetEncryptionAlgorithm()
{
return this._encryptionAlgorithm != null;
}
///
/// Gets and sets the property EncryptionContext.
///
/// Specifies the encryption context to use when decrypting the data. An encryption context
/// is valid only for cryptographic
/// operations with a symmetric encryption KMS key. The standard asymmetric encryption
/// algorithms and HMAC algorithms that KMS uses do not support an encryption context.
///
///
///
/// An encryption context is a collection of non-secret key-value pairs that represent
/// additional authenticated data. When you use an encryption context to encrypt data,
/// you must specify the same (an exact case-sensitive match) encryption context to decrypt
/// the data. An encryption context is supported only on operations with symmetric encryption
/// KMS keys. On operations with symmetric encryption KMS keys, an encryption context
/// is optional, but it is strongly recommended.
///
///
///
/// For more information, see Encryption
/// context in the Key Management Service Developer Guide.
///
///
public Dictionary EncryptionContext
{
get { return this._encryptionContext; }
set { this._encryptionContext = value; }
}
// Check to see if EncryptionContext property is set
internal bool IsSetEncryptionContext()
{
return this._encryptionContext != null && this._encryptionContext.Count > 0;
}
///
/// Gets and sets the property GrantTokens.
///
/// A list of grant tokens.
///
///
///
/// Use a grant token when your permission to call this operation comes from a new grant
/// that has not yet achieved eventual consistency. For more information, see Grant
/// token and Using
/// a grant token in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=0, Max=10)]
public List GrantTokens
{
get { return this._grantTokens; }
set { this._grantTokens = value; }
}
// Check to see if GrantTokens property is set
internal bool IsSetGrantTokens()
{
return this._grantTokens != null && this._grantTokens.Count > 0;
}
///
/// Gets and sets the property KeyId.
///
/// Specifies the KMS key that KMS uses to decrypt the ciphertext.
///
///
///
/// Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify
/// a different KMS key, the Decrypt operation throws an IncorrectKeyException.
///
///
///
/// This parameter is required only when the ciphertext was encrypted under an asymmetric
/// KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from
/// metadata that it adds to the symmetric ciphertext blob. However, it is always recommended
/// as a best practice. This practice ensures that you use the KMS key that you intend.
///
///
///
/// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using
/// an alias name, prefix it with "alias/". To specify a KMS key in a different
/// Amazon Web Services account, you must use the key ARN or alias ARN.
///
///
///
/// For example:
///
/// -
///
/// Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
///
/// -
///
/// Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
///
///
/// -
///
/// Alias name:
alias/ExampleAlias
///
/// -
///
/// Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
///
///
///
/// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
/// To get the alias name and alias ARN, use ListAliases.
///
///
[AWSProperty(Min=1, Max=2048)]
public string KeyId
{
get { return this._keyId; }
set { this._keyId = value; }
}
// Check to see if KeyId property is set
internal bool IsSetKeyId()
{
return this._keyId != null;
}
///
/// Gets and sets the property Recipient.
///
/// A signed attestation
/// document from an Amazon Web Services Nitro enclave and the encryption algorithm
/// to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
///
///
///
///
/// This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves.
/// To include this parameter, use the Amazon
/// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
///
///
///
/// When you use this parameter, instead of returning the plaintext data, KMS encrypts
/// the plaintext data with the public key in the attestation document, and returns the
/// resulting ciphertext in the CiphertextForRecipient field in the response.
/// This ciphertext can be decrypted only with the private key in the enclave. The Plaintext
/// field in the response is null or empty.
///
///
///
/// For information about the interaction between KMS and Amazon Web Services Nitro Enclaves,
/// see How
/// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer
/// Guide.
///
///
public RecipientInfo Recipient
{
get { return this._recipient; }
set { this._recipient = value; }
}
// Check to see if Recipient property is set
internal bool IsSetRecipient()
{
return this._recipient != null;
}
}
}