diff --git a/CHANGELOG.md b/CHANGELOG.md index 49a79d1..7f57014 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## NOT RELEASED +### Added + +- AWS api-change: This feature allows customers to use their keys stored in KMS to derive a shared secret which can then be used to establish a secured channel for communication, provide proof of possession, or establish trust with other parties. + ### Changed - Add `Accept: application/json` header in request to fix incompatibility with 3rd party providers diff --git a/composer.json b/composer.json index 8d4671a..e946b91 100644 --- a/composer.json +++ b/composer.json @@ -28,7 +28,7 @@ }, "extra": { "branch-alias": { - "dev-master": "1.4-dev" + "dev-master": "1.5-dev" } } } diff --git a/src/Enum/KeyAgreementAlgorithmSpec.php b/src/Enum/KeyAgreementAlgorithmSpec.php new file mode 100644 index 0000000..6482a1d --- /dev/null +++ b/src/Enum/KeyAgreementAlgorithmSpec.php @@ -0,0 +1,15 @@ + true, + ][$value]); + } +} diff --git a/src/Enum/KeyUsageType.php b/src/Enum/KeyUsageType.php index 5102bb2..d8ccb09 100644 --- a/src/Enum/KeyUsageType.php +++ b/src/Enum/KeyUsageType.php @@ -6,6 +6,7 @@ final class KeyUsageType { public const ENCRYPT_DECRYPT = 'ENCRYPT_DECRYPT'; public const GENERATE_VERIFY_MAC = 'GENERATE_VERIFY_MAC'; + public const KEY_AGREEMENT = 'KEY_AGREEMENT'; public const SIGN_VERIFY = 'SIGN_VERIFY'; public static function exists(string $value): bool @@ -13,6 +14,7 @@ public static function exists(string $value): bool return isset([ self::ENCRYPT_DECRYPT => true, self::GENERATE_VERIFY_MAC => true, + self::KEY_AGREEMENT => true, self::SIGN_VERIFY => true, ][$value]); } diff --git a/src/Exception/InvalidKeyUsageException.php b/src/Exception/InvalidKeyUsageException.php index 404d8a0..6ea7c40 100644 --- a/src/Exception/InvalidKeyUsageException.php +++ b/src/Exception/InvalidKeyUsageException.php @@ -13,8 +13,8 @@ * * For encrypting, decrypting, re-encrypting, and generating data keys, the `KeyUsage` must be `ENCRYPT_DECRYPT`. For * signing and verifying messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and verifying message - * authentication codes (MACs), the `KeyUsage` must be `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use - * the DescribeKey operation. + * authentication codes (MACs), the `KeyUsage` must be `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the + * `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the DescribeKey operation. * * To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation. */ diff --git a/src/Input/CreateKeyRequest.php b/src/Input/CreateKeyRequest.php index e5c1347..f7aff24 100644 --- a/src/Input/CreateKeyRequest.php +++ b/src/Input/CreateKeyRequest.php @@ -67,9 +67,11 @@ final class CreateKeyRequest extends Input * * - For symmetric encryption KMS keys, omit the parameter or specify `ENCRYPT_DECRYPT`. * - For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`. - * - For asymmetric KMS keys with RSA key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. - * - For asymmetric KMS keys with ECC key material, specify `SIGN_VERIFY`. - * - For asymmetric KMS keys with SM2 key material (China Regions only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. + * - For asymmetric KMS keys with RSA key pairs, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. + * - For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`. + * - For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify `SIGN_VERIFY`. + * - For asymmetric KMS keys with SM2 key pairs (China Regions only), specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or + * `KEY_AGREEMENT`. * * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations * @@ -115,25 +117,25 @@ final class CreateKeyRequest extends Input * - `HMAC_384` * - `HMAC_512` * - * - Asymmetric RSA key pairs + * - Asymmetric RSA key pairs (encryption and decryption -or- signing and verification) * * - `RSA_2048` * - `RSA_3072` * - `RSA_4096` * - * - Asymmetric NIST-recommended elliptic curve key pairs + * - Asymmetric NIST-recommended elliptic curve key pairs (signing and verification -or- deriving shared secrets) * * - `ECC_NIST_P256` (secp256r1) * - `ECC_NIST_P384` (secp384r1) * - `ECC_NIST_P521` (secp521r1) * - * - Other asymmetric elliptic curve key pairs + * - Other asymmetric elliptic curve key pairs (signing and verification) * * - `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies. * - * - SM2 key pairs (China Regions only) + * - SM2 key pairs (encryption and decryption -or- signing and verification -or- deriving shared secrets) * - * - `SM2` + * - `SM2` (China Regions only) * * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm diff --git a/src/KmsClient.php b/src/KmsClient.php index 93d7a21..26d11d7 100644 --- a/src/KmsClient.php +++ b/src/KmsClient.php @@ -183,10 +183,13 @@ public function createAlias($input): Result * * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey - * operation to download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be - * used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with ECC key pairs can be used - * only to sign and verify messages. For information about asymmetric KMS keys, see Asymmetric KMS keys [^3] in the - * *Key Management Service Developer Guide*. + * operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage. + * KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS + * keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared secrets (but not + * both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with SM2 key pairs + * (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared + * secrets (you must choose one key usage type). For information about asymmetric KMS keys, see Asymmetric KMS keys + * [^3] in the *Key Management Service Developer Guide*. * * - `HMAC KMS key`: * diff --git a/src/Result/CreateKeyResponse.php b/src/Result/CreateKeyResponse.php index 47a82e3..ac26351 100644 --- a/src/Result/CreateKeyResponse.php +++ b/src/Result/CreateKeyResponse.php @@ -5,6 +5,7 @@ use AsyncAws\Core\Response; use AsyncAws\Core\Result; use AsyncAws\Kms\Enum\EncryptionAlgorithmSpec; +use AsyncAws\Kms\Enum\KeyAgreementAlgorithmSpec; use AsyncAws\Kms\Enum\MacAlgorithmSpec; use AsyncAws\Kms\Enum\SigningAlgorithmSpec; use AsyncAws\Kms\ValueObject\KeyMetadata; @@ -51,6 +52,22 @@ private function populateResultEncryptionAlgorithmSpecList(array $json): array return $items; } + /** + * @return list + */ + private function populateResultKeyAgreementAlgorithmSpecList(array $json): array + { + $items = []; + foreach ($json as $item) { + $a = isset($item) ? (string) $item : null; + if (null !== $a) { + $items[] = $a; + } + } + + return $items; + } + private function populateResultKeyMetadata(array $json): KeyMetadata { return new KeyMetadata([ @@ -73,6 +90,7 @@ private function populateResultKeyMetadata(array $json): KeyMetadata 'KeySpec' => isset($json['KeySpec']) ? (string) $json['KeySpec'] : null, 'EncryptionAlgorithms' => !isset($json['EncryptionAlgorithms']) ? null : $this->populateResultEncryptionAlgorithmSpecList($json['EncryptionAlgorithms']), 'SigningAlgorithms' => !isset($json['SigningAlgorithms']) ? null : $this->populateResultSigningAlgorithmSpecList($json['SigningAlgorithms']), + 'KeyAgreementAlgorithms' => !isset($json['KeyAgreementAlgorithms']) ? null : $this->populateResultKeyAgreementAlgorithmSpecList($json['KeyAgreementAlgorithms']), 'MultiRegion' => isset($json['MultiRegion']) ? filter_var($json['MultiRegion'], \FILTER_VALIDATE_BOOLEAN) : null, 'MultiRegionConfiguration' => empty($json['MultiRegionConfiguration']) ? null : $this->populateResultMultiRegionConfiguration($json['MultiRegionConfiguration']), 'PendingDeletionWindowInDays' => isset($json['PendingDeletionWindowInDays']) ? (int) $json['PendingDeletionWindowInDays'] : null, diff --git a/src/ValueObject/KeyMetadata.php b/src/ValueObject/KeyMetadata.php index 6dfaaad..9c0314f 100644 --- a/src/ValueObject/KeyMetadata.php +++ b/src/ValueObject/KeyMetadata.php @@ -6,6 +6,7 @@ use AsyncAws\Kms\Enum\CustomerMasterKeySpec; use AsyncAws\Kms\Enum\EncryptionAlgorithmSpec; use AsyncAws\Kms\Enum\ExpirationModelType; +use AsyncAws\Kms\Enum\KeyAgreementAlgorithmSpec; use AsyncAws\Kms\Enum\KeyManagerType; use AsyncAws\Kms\Enum\KeySpec; use AsyncAws\Kms\Enum\KeyState; @@ -194,6 +195,13 @@ final class KeyMetadata */ private $signingAlgorithms; + /** + * The key agreement algorithm used to derive a shared secret. + * + * @var list|null + */ + private $keyAgreementAlgorithms; + /** * Indicates whether the KMS key is a multi-Region (`True`) or regional (`False`) key. This value is `True` for * multi-Region primary and replica keys and `False` for regional KMS keys. @@ -280,6 +288,7 @@ final class KeyMetadata * KeySpec?: null|KeySpec::*, * EncryptionAlgorithms?: null|array, * SigningAlgorithms?: null|array, + * KeyAgreementAlgorithms?: null|array, * MultiRegion?: null|bool, * MultiRegionConfiguration?: null|MultiRegionConfiguration|array, * PendingDeletionWindowInDays?: null|int, @@ -308,6 +317,7 @@ public function __construct(array $input) $this->keySpec = $input['KeySpec'] ?? null; $this->encryptionAlgorithms = $input['EncryptionAlgorithms'] ?? null; $this->signingAlgorithms = $input['SigningAlgorithms'] ?? null; + $this->keyAgreementAlgorithms = $input['KeyAgreementAlgorithms'] ?? null; $this->multiRegion = $input['MultiRegion'] ?? null; $this->multiRegionConfiguration = isset($input['MultiRegionConfiguration']) ? MultiRegionConfiguration::create($input['MultiRegionConfiguration']) : null; $this->pendingDeletionWindowInDays = $input['PendingDeletionWindowInDays'] ?? null; @@ -336,6 +346,7 @@ public function __construct(array $input) * KeySpec?: null|KeySpec::*, * EncryptionAlgorithms?: null|array, * SigningAlgorithms?: null|array, + * KeyAgreementAlgorithms?: null|array, * MultiRegion?: null|bool, * MultiRegionConfiguration?: null|MultiRegionConfiguration|array, * PendingDeletionWindowInDays?: null|int, @@ -416,6 +427,14 @@ public function getExpirationModel(): ?string return $this->expirationModel; } + /** + * @return list + */ + public function getKeyAgreementAlgorithms(): array + { + return $this->keyAgreementAlgorithms ?? []; + } + public function getKeyId(): string { return $this->keyId;