/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the GenerateDataKeyPair operation.
/// Returns a unique asymmetric data key pair for use outside of KMS. This operation returns
/// a plaintext public key, a plaintext private key, and a copy of the private key that
/// is encrypted under the symmetric encryption KMS key you specify. You can use the data
/// key pair to perform asymmetric cryptography and implement digital signatures outside
/// of KMS. The bytes in the keys are random; they not related to the caller or to the
/// KMS key that is used to encrypt the private key.
///
///
///
/// You can use the public key that GenerateDataKeyPair returns to encrypt
/// data or verify a signature outside of KMS. Then, store the encrypted private key with
/// the data. When you are ready to decrypt data or sign a message, you can use the Decrypt
/// operation to decrypt the encrypted private key.
///
///
///
/// To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
/// the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS
/// key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey
/// operation.
///
///
///
/// Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC)
/// data key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends
/// that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption
/// or signing, but not both. However, KMS cannot enforce any restrictions on the use
/// of data key pairs outside of KMS.
///
///
///
/// If you are using the data key pair to encrypt data, or for any operation where you
/// don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext
/// operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public
/// key and an encrypted private key, but omits the plaintext private key that you need
/// only to decrypt ciphertext or sign a message. Later, when you need to decrypt the
/// data or sign a message, use the Decrypt operation to decrypt the encrypted
/// private key in the data key pair.
///
///
///
/// GenerateDataKeyPair returns a unique data key pair for each request.
/// The bytes in the keys are random; they are not related to the caller or the KMS key
/// that is used to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo,
/// as specified in RFC 5280. The private
/// key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC
/// 5958.
///
///
///
/// GenerateDataKeyPair also supports Amazon
/// Web Services Nitro Enclaves, which provide an isolated compute environment in
/// Amazon EC2. To call GenerateDataKeyPair for an Amazon Web Services Nitro
/// enclave, use the Amazon
/// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
/// parameter to provide the attestation document for the enclave. GenerateDataKeyPair
/// returns the public data key and a copy of the private data key encrypted under the
/// specified KMS key, as usual. But instead of a plaintext copy of the private data key
/// (PrivateKeyPlaintext), the response includes a copy of the private data
/// key encrypted under the public key from the attestation document (CiphertextForRecipient).
/// For information about the interaction between KMS and Amazon Web Services Nitro Enclaves,
/// see How
/// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer
/// Guide..
///
///
///
/// You can use an optional encryption context to add additional security to the encryption
/// operation. If you specify an EncryptionContext, you must specify the
/// same encryption context (a case-sensitive exact match) when decrypting the encrypted
/// data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
/// For more information, see Encryption
/// Context in the Key Management Service Developer Guide.
///
///
///
/// The KMS key that you use for this operation must be in a compatible key state. For
/// details, see Key
/// states of KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Cross-account use: Yes. To perform this operation with a KMS key in a different
/// Amazon Web Services account, specify the key ARN or alias ARN in the value of the
/// KeyId parameter.
///
///
///
/// Required permissions: kms:GenerateDataKeyPair
/// (key policy)
///
///
///
/// Related operations:
///
///
///
public partial class GenerateDataKeyPairRequest : AmazonKeyManagementServiceRequest
{
private bool? _dryRun;
private Dictionary _encryptionContext = new Dictionary();
private List _grantTokens = new List();
private string _keyId;
private DataKeyPairSpec _keyPairSpec;
private RecipientInfo _recipient;
///
/// Gets and sets the property DryRun.
///
/// Checks if your request will succeed. DryRun is an optional parameter.
///
///
///
///
/// To learn more about how to use this parameter, see Testing
/// your KMS API calls in the Key Management Service Developer Guide.
///
///
public bool DryRun
{
get { return this._dryRun.GetValueOrDefault(); }
set { this._dryRun = value; }
}
// Check to see if DryRun property is set
internal bool IsSetDryRun()
{
return this._dryRun.HasValue;
}
///
/// Gets and sets the property EncryptionContext.
///
/// Specifies the encryption context that will be used when encrypting the private key
/// in the data key pair.
///
///
///
/// Do not include confidential or sensitive information in this field. This field may
/// be displayed in plaintext in CloudTrail logs and other output.
///
///
///
/// An encryption context is a collection of non-secret key-value pairs that represent
/// additional authenticated data. When you use an encryption context to encrypt data,
/// you must specify the same (an exact case-sensitive match) encryption context to decrypt
/// the data. An encryption context is supported only on operations with symmetric encryption
/// KMS keys. On operations with symmetric encryption KMS keys, an encryption context
/// is optional, but it is strongly recommended.
///
///
///
/// For more information, see Encryption
/// context in the Key Management Service Developer Guide.
///
///
public Dictionary EncryptionContext
{
get { return this._encryptionContext; }
set { this._encryptionContext = value; }
}
// Check to see if EncryptionContext property is set
internal bool IsSetEncryptionContext()
{
return this._encryptionContext != null && this._encryptionContext.Count > 0;
}
///
/// Gets and sets the property GrantTokens.
///
/// A list of grant tokens.
///
///
///
/// Use a grant token when your permission to call this operation comes from a new grant
/// that has not yet achieved eventual consistency. For more information, see Grant
/// token and Using
/// a grant token in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=0, Max=10)]
public List GrantTokens
{
get { return this._grantTokens; }
set { this._grantTokens = value; }
}
// Check to see if GrantTokens property is set
internal bool IsSetGrantTokens()
{
return this._grantTokens != null && this._grantTokens.Count > 0;
}
///
/// Gets and sets the property KeyId.
///
/// Specifies the symmetric encryption KMS key that encrypts the private key in the data
/// key pair. You cannot specify an asymmetric KMS key or a KMS key in a custom key store.
/// To get the type and origin of your KMS key, use the DescribeKey operation.
///
///
///
/// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using
/// an alias name, prefix it with "alias/". To specify a KMS key in a different
/// Amazon Web Services account, you must use the key ARN or alias ARN.
///
///
///
/// For example:
///
/// -
///
/// Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
///
/// -
///
/// Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
///
///
/// -
///
/// Alias name:
alias/ExampleAlias
///
/// -
///
/// Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
///
///
///
/// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
/// To get the alias name and alias ARN, use ListAliases.
///
///
[AWSProperty(Required=true, Min=1, Max=2048)]
public string KeyId
{
get { return this._keyId; }
set { this._keyId = value; }
}
// Check to see if KeyId property is set
internal bool IsSetKeyId()
{
return this._keyId != null;
}
///
/// Gets and sets the property KeyPairSpec.
///
/// Determines the type of data key pair that is generated.
///
///
///
/// The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys to encrypt
/// and decrypt or to sign and verify (but not both), and the rule that permits you to
/// use ECC KMS keys only to sign and verify, are not effective on data key pairs, which
/// are used outside of KMS. The SM2 key spec is only available in China Regions.
///
///
[AWSProperty(Required=true)]
public DataKeyPairSpec KeyPairSpec
{
get { return this._keyPairSpec; }
set { this._keyPairSpec = value; }
}
// Check to see if KeyPairSpec property is set
internal bool IsSetKeyPairSpec()
{
return this._keyPairSpec != null;
}
///
/// Gets and sets the property Recipient.
///
/// A signed attestation
/// document from an Amazon Web Services Nitro enclave and the encryption algorithm
/// to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
///
///
///
///
/// This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves.
/// To include this parameter, use the Amazon
/// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
///
///
///
/// When you use this parameter, instead of returning a plaintext copy of the private
/// data key, KMS encrypts the plaintext private data key under the public key in the
/// attestation document, and returns the resulting ciphertext in the CiphertextForRecipient
/// field in the response. This ciphertext can be decrypted only with the private key
/// in the enclave. The CiphertextBlob field in the response contains a copy
/// of the private data key encrypted under the KMS key specified by the KeyId
/// parameter. The PrivateKeyPlaintext field in the response is null or empty.
///
///
///
/// For information about the interaction between KMS and Amazon Web Services Nitro Enclaves,
/// see How
/// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer
/// Guide.
///
///
public RecipientInfo Recipient
{
get { return this._recipient; }
set { this._recipient = value; }
}
// Check to see if Recipient property is set
internal bool IsSetRecipient()
{
return this._recipient != null;
}
}
}