/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the Sign operation.
/// Creates a digital signature
/// for a message or message digest by using the private key in an asymmetric signing
/// KMS key. To verify the signature, use the Verify operation, or use the public
/// key in the same asymmetric KMS key outside of KMS. For information about asymmetric
/// KMS keys, see Asymmetric
/// KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Digital signatures are generated and verified by using asymmetric key pair, such as
/// an RSA or ECC pair that is represented by an asymmetric KMS key. The key owner (or
/// an authorized user) uses their private key to sign a message. Anyone with the public
/// key can verify that the message was signed with that particular private key and that
/// the message hasn't changed since it was signed.
///
///
///
/// To use the Sign operation, provide the following information:
///
/// -
///
/// Use the
KeyId parameter to identify an asymmetric KMS key with a KeyUsage
/// value of SIGN_VERIFY. To get the KeyUsage value of a KMS
/// key, use the DescribeKey operation. The caller must have kms:Sign
/// permission on the KMS key.
///
/// -
///
/// Use the
Message parameter to specify the message or message digest to
/// sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate
/// a hash digest of the message, and then provide the hash digest in the Message
/// parameter. To indicate whether the message is a full message or a digest, use the
/// MessageType parameter.
///
/// -
///
/// Choose a signing algorithm that is compatible with the KMS key.
///
///
///
/// When signing a message, be sure to record the KMS key and the signing algorithm. This
/// information is required to verify the signature.
///
///
///
/// Best practices recommend that you limit the time during which any signature is effective.
/// This deters an attack where the actor uses a signed message to establish validity
/// repeatedly or long after the message is superseded. Signatures do not include a timestamp,
/// but you can include a timestamp in the signed message to help you detect when its
/// time to refresh the signature.
///
///
///
/// To verify the signature that this operation generates, use the Verify operation.
/// Or use the GetPublicKey operation to download the public key and then use the
/// public key to verify the signature outside of KMS.
///
///
///
/// The KMS key that you use for this operation must be in a compatible key state. For
/// details, see Key
/// states of KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Cross-account use: Yes. To perform this operation with a KMS key in a different
/// Amazon Web Services account, specify the key ARN or alias ARN in the value of the
/// KeyId parameter.
///
///
///
/// Required permissions: kms:Sign
/// (key policy)
///
///
///
/// Related operations: Verify
///
///
public partial class SignRequest : AmazonKeyManagementServiceRequest
{
private bool? _dryRun;
private List _grantTokens = new List();
private string _keyId;
private MemoryStream _message;
private MessageType _messageType;
private SigningAlgorithmSpec _signingAlgorithm;
///
/// Gets and sets the property DryRun.
///
/// Checks if your request will succeed. DryRun is an optional parameter.
///
///
///
///
/// To learn more about how to use this parameter, see Testing
/// your KMS API calls in the Key Management Service Developer Guide.
///
///
public bool DryRun
{
get { return this._dryRun.GetValueOrDefault(); }
set { this._dryRun = value; }
}
// Check to see if DryRun property is set
internal bool IsSetDryRun()
{
return this._dryRun.HasValue;
}
///
/// Gets and sets the property GrantTokens.
///
/// A list of grant tokens.
///
///
///
/// Use a grant token when your permission to call this operation comes from a new grant
/// that has not yet achieved eventual consistency. For more information, see Grant
/// token and Using
/// a grant token in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=0, Max=10)]
public List GrantTokens
{
get { return this._grantTokens; }
set { this._grantTokens = value; }
}
// Check to see if GrantTokens property is set
internal bool IsSetGrantTokens()
{
return this._grantTokens != null && this._grantTokens.Count > 0;
}
///
/// Gets and sets the property KeyId.
///
/// Identifies an asymmetric KMS key. KMS uses the private key in the asymmetric KMS key
/// to sign the message. The KeyUsage type of the KMS key must be SIGN_VERIFY.
/// To find the KeyUsage of a KMS key, use the DescribeKey operation.
///
///
///
/// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using
/// an alias name, prefix it with "alias/". To specify a KMS key in a different
/// Amazon Web Services account, you must use the key ARN or alias ARN.
///
///
///
/// For example:
///
/// -
///
/// Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
///
/// -
///
/// Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
///
///
/// -
///
/// Alias name:
alias/ExampleAlias
///
/// -
///
/// Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
///
///
///
/// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
/// To get the alias name and alias ARN, use ListAliases.
///
///
[AWSProperty(Required=true, Min=1, Max=2048)]
public string KeyId
{
get { return this._keyId; }
set { this._keyId = value; }
}
// Check to see if KeyId property is set
internal bool IsSetKeyId()
{
return this._keyId != null;
}
///
/// Gets and sets the property Message.
///
/// Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To
/// sign a larger message, provide a message digest.
///
///
///
/// If you provide a message digest, use the DIGEST value of MessageType
/// to prevent the digest from being hashed again while signing.
///
///
[AWSProperty(Required=true, Sensitive=true, Min=1, Max=4096)]
public MemoryStream Message
{
get { return this._message; }
set { this._message = value; }
}
// Check to see if Message property is set
internal bool IsSetMessage()
{
return this._message != null;
}
///
/// Gets and sets the property MessageType.
///
/// Tells KMS whether the value of the Message parameter should be hashed
/// as part of the signing algorithm. Use RAW for unhashed messages; use
/// DIGEST for message digests, which are already hashed.
///
///
///
/// When the value of MessageType is RAW, KMS uses the standard
/// signing algorithm, which begins with a hash function. When the value is DIGEST,
/// KMS skips the hashing step in the signing algorithm.
///
///
///
/// Use the DIGEST value only when the value of the Message
/// parameter is a message digest. If you use the DIGEST value with an unhashed
/// message, the security of the signing operation can be compromised.
///
///
///
/// When the value of MessageTypeis DIGEST, the length of the
/// Message value must match the length of hashed messages for the specified
/// signing algorithm.
///
///
///
/// You can submit a message digest and omit the MessageType or specify RAW
/// so the digest is hashed again while signing. However, this can cause verification
/// failures when verifying with a system that assumes a single hash.
///
///
///
/// The hashing algorithm in that Sign uses is based on the SigningAlgorithm
/// value.
///
/// -
///
/// Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
///
///
-
///
/// Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
///
///
-
///
/// Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
///
///
-
///
/// SM2DSA uses the SM3 hashing algorithm. For details, see Offline
/// verification with SM2 key pairs.
///
///
///
public MessageType MessageType
{
get { return this._messageType; }
set { this._messageType = value; }
}
// Check to see if MessageType property is set
internal bool IsSetMessageType()
{
return this._messageType != null;
}
///
/// Gets and sets the property SigningAlgorithm.
///
/// Specifies the signing algorithm to use when signing the message.
///
///
///
/// Choose an algorithm that is compatible with the type and size of the specified asymmetric
/// KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We
/// include RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.
///
///
[AWSProperty(Required=true)]
public SigningAlgorithmSpec SigningAlgorithm
{
get { return this._signingAlgorithm; }
set { this._signingAlgorithm = value; }
}
// Check to see if SigningAlgorithm property is set
internal bool IsSetSigningAlgorithm()
{
return this._signingAlgorithm != null;
}
}
}