software.amazon.awssdk.services.kms.model.DecryptRequest Maven / Gradle / Ivy
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package software.amazon.awssdk.services.kms.model;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.core.SdkField;
import software.amazon.awssdk.core.SdkPojo;
import software.amazon.awssdk.core.protocol.MarshallLocation;
import software.amazon.awssdk.core.protocol.MarshallingType;
import software.amazon.awssdk.core.traits.ListTrait;
import software.amazon.awssdk.core.traits.LocationTrait;
import software.amazon.awssdk.core.traits.MapTrait;
import software.amazon.awssdk.core.util.DefaultSdkAutoConstructList;
import software.amazon.awssdk.core.util.DefaultSdkAutoConstructMap;
import software.amazon.awssdk.core.util.SdkAutoConstructList;
import software.amazon.awssdk.core.util.SdkAutoConstructMap;
import software.amazon.awssdk.utils.ToString;
import software.amazon.awssdk.utils.builder.CopyableBuilder;
import software.amazon.awssdk.utils.builder.ToCopyableBuilder;
/**
*/
@Generated("software.amazon.awssdk:codegen")
public final class DecryptRequest extends KmsRequest implements ToCopyableBuilder {
private static final SdkField CIPHERTEXT_BLOB_FIELD = SdkField. builder(MarshallingType.SDK_BYTES)
.memberName("CiphertextBlob").getter(getter(DecryptRequest::ciphertextBlob)).setter(setter(Builder::ciphertextBlob))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("CiphertextBlob").build()).build();
private static final SdkField> ENCRYPTION_CONTEXT_FIELD = SdkField
.> builder(MarshallingType.MAP)
.memberName("EncryptionContext")
.getter(getter(DecryptRequest::encryptionContext))
.setter(setter(Builder::encryptionContext))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("EncryptionContext").build(),
MapTrait.builder()
.keyLocationName("key")
.valueLocationName("value")
.valueFieldInfo(
SdkField. builder(MarshallingType.STRING)
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD)
.locationName("value").build()).build()).build()).build();
private static final SdkField> GRANT_TOKENS_FIELD = SdkField
.> builder(MarshallingType.LIST)
.memberName("GrantTokens")
.getter(getter(DecryptRequest::grantTokens))
.setter(setter(Builder::grantTokens))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("GrantTokens").build(),
ListTrait
.builder()
.memberLocationName(null)
.memberFieldInfo(
SdkField. builder(MarshallingType.STRING)
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD)
.locationName("member").build()).build()).build()).build();
private static final SdkField KEY_ID_FIELD = SdkField. builder(MarshallingType.STRING).memberName("KeyId")
.getter(getter(DecryptRequest::keyId)).setter(setter(Builder::keyId))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("KeyId").build()).build();
private static final SdkField ENCRYPTION_ALGORITHM_FIELD = SdkField. builder(MarshallingType.STRING)
.memberName("EncryptionAlgorithm").getter(getter(DecryptRequest::encryptionAlgorithmAsString))
.setter(setter(Builder::encryptionAlgorithm))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("EncryptionAlgorithm").build())
.build();
private static final SdkField RECIPIENT_FIELD = SdkField. builder(MarshallingType.SDK_POJO)
.memberName("Recipient").getter(getter(DecryptRequest::recipient)).setter(setter(Builder::recipient))
.constructor(RecipientInfo::builder)
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("Recipient").build()).build();
private static final SdkField DRY_RUN_FIELD = SdkField. builder(MarshallingType.BOOLEAN)
.memberName("DryRun").getter(getter(DecryptRequest::dryRun)).setter(setter(Builder::dryRun))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("DryRun").build()).build();
private static final List> SDK_FIELDS = Collections.unmodifiableList(Arrays.asList(CIPHERTEXT_BLOB_FIELD,
ENCRYPTION_CONTEXT_FIELD, GRANT_TOKENS_FIELD, KEY_ID_FIELD, ENCRYPTION_ALGORITHM_FIELD, RECIPIENT_FIELD,
DRY_RUN_FIELD));
private final SdkBytes ciphertextBlob;
private final Map encryptionContext;
private final List grantTokens;
private final String keyId;
private final String encryptionAlgorithm;
private final RecipientInfo recipient;
private final Boolean dryRun;
private DecryptRequest(BuilderImpl builder) {
super(builder);
this.ciphertextBlob = builder.ciphertextBlob;
this.encryptionContext = builder.encryptionContext;
this.grantTokens = builder.grantTokens;
this.keyId = builder.keyId;
this.encryptionAlgorithm = builder.encryptionAlgorithm;
this.recipient = builder.recipient;
this.dryRun = builder.dryRun;
}
/**
*
* Ciphertext to be decrypted. The blob includes metadata.
*
*
* @return Ciphertext to be decrypted. The blob includes metadata.
*/
public final SdkBytes ciphertextBlob() {
return ciphertextBlob;
}
/**
* For responses, this returns true if the service returned a value for the EncryptionContext property. This DOES
* NOT check that the value is non-empty (for which, you should check the {@code isEmpty()} method on the property).
* This is useful because the SDK will never return a null collection or map, but you may need to differentiate
* between the service returning nothing (or null) and the service returning an empty collection or map. For
* requests, this returns true if a value for the property was specified in the request builder, and false if a
* value was not specified.
*/
public final boolean hasEncryptionContext() {
return encryptionContext != null && !(encryptionContext instanceof SdkAutoConstructMap);
}
/**
*
* Specifies the encryption context to use when decrypting the data. An encryption context is valid only for cryptographic
* operations with a symmetric encryption KMS key. The standard asymmetric encryption algorithms and HMAC
* algorithms that KMS uses do not support an encryption context.
*
*
* An encryption context is a collection of non-secret key-value pairs that represent additional
* authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact
* case-sensitive match) encryption context to decrypt the data. An encryption context is supported only on
* operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption
* context is optional, but it is strongly recommended.
*
*
* For more information, see Encryption context
* in the Key Management Service Developer Guide.
*
*
* Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
*
*
* This method will never return null. If you would like to know whether the service returned this field (so that
* you can differentiate between null and empty), you can use the {@link #hasEncryptionContext} method.
*
*
* @return Specifies the encryption context to use when decrypting the data. An encryption context is valid only for
*
* cryptographic operations with a symmetric encryption KMS key. The standard asymmetric encryption
* algorithms and HMAC algorithms that KMS uses do not support an encryption context.
*
* An encryption context is a collection of non-secret key-value pairs that represent additional
* authenticated data. When you use an encryption context to encrypt data, you must specify the same (an
* exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
* only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys,
* an encryption context is optional, but it is strongly recommended.
*
*
* For more information, see Encryption
* context in the Key Management Service Developer Guide.
*/
public final Map encryptionContext() {
return encryptionContext;
}
/**
* For responses, this returns true if the service returned a value for the GrantTokens property. This DOES NOT
* check that the value is non-empty (for which, you should check the {@code isEmpty()} method on the property).
* This is useful because the SDK will never return a null collection or map, but you may need to differentiate
* between the service returning nothing (or null) and the service returning an empty collection or map. For
* requests, this returns true if a value for the property was specified in the request builder, and false if a
* value was not specified.
*/
public final boolean hasGrantTokens() {
return grantTokens != null && !(grantTokens instanceof SdkAutoConstructList);
}
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*
* Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
*
*
* This method will never return null. If you would like to know whether the service returned this field (so that
* you can differentiate between null and empty), you can use the {@link #hasGrantTokens} method.
*
*
* @return A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and
* Using
* a grant token in the Key Management Service Developer Guide.
*/
public final List grantTokens() {
return grantTokens;
}
/**
*
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS key, the
* Decrypt operation throws an IncorrectKeyException.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a
* symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext
* blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key that
* you intend.
*
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with
* "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the key ARN
* or alias ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Alias name: alias/ExampleAlias
*
*
* -
*
* Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name and
* alias ARN, use ListAliases.
*
*
* @return Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS
* key, the Decrypt operation throws an IncorrectKeyException.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you
* used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric
* ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use
* the KMS key that you intend.
*
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix
* it with "alias/". To specify a KMS key in a different Amazon Web Services account, you must
* use the key ARN or alias ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Alias name: alias/ExampleAlias
*
*
* -
*
* Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias
* name and alias ARN, use ListAliases.
*/
public final String keyId() {
return keyId;
}
/**
*
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same algorithm that
* was used to encrypt the data. If you specify a different algorithm, the Decrypt operation fails.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The default value,
* SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric encryption
* KMS keys.
*
*
* If the service returns an enum value that is not available in the current SDK version,
* {@link #encryptionAlgorithm} will return {@link EncryptionAlgorithmSpec#UNKNOWN_TO_SDK_VERSION}. The raw value
* returned by the service is available from {@link #encryptionAlgorithmAsString}.
*
*
* @return Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same
* algorithm that was used to encrypt the data. If you specify a different algorithm, the
* Decrypt operation fails.
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The
* default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for
* symmetric encryption KMS keys.
* @see EncryptionAlgorithmSpec
*/
public final EncryptionAlgorithmSpec encryptionAlgorithm() {
return EncryptionAlgorithmSpec.fromValue(encryptionAlgorithm);
}
/**
*
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same algorithm that
* was used to encrypt the data. If you specify a different algorithm, the Decrypt operation fails.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The default value,
* SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric encryption
* KMS keys.
*
*
* If the service returns an enum value that is not available in the current SDK version,
* {@link #encryptionAlgorithm} will return {@link EncryptionAlgorithmSpec#UNKNOWN_TO_SDK_VERSION}. The raw value
* returned by the service is available from {@link #encryptionAlgorithmAsString}.
*
*
* @return Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same
* algorithm that was used to encrypt the data. If you specify a different algorithm, the
* Decrypt operation fails.
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The
* default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for
* symmetric encryption KMS keys.
* @see EncryptionAlgorithmSpec
*/
public final String encryptionAlgorithmAsString() {
return encryptionAlgorithm;
}
/**
*
* A signed attestation
* document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's
* public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
*
*
* This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
* parameter, use the Amazon Web Services
* Nitro Enclaves SDK or any Amazon Web Services SDK.
*
*
* When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data with the
* public key in the attestation document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the private
* key in the enclave. The Plaintext field in the response is null or empty.
*
*
* For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services
* Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
*
*
* @return A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use
* with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
*
*
* This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include
* this parameter, use the Amazon Web
* Services Nitro Enclaves SDK or any Amazon Web Services SDK.
*
*
* When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data
* with the public key in the attestation document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the
* private key in the enclave. The Plaintext field in the response is null or empty.
*
*
* For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web
* Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
*/
public final RecipientInfo recipient() {
return recipient;
}
/**
*
* Checks if your request will succeed. DryRun is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @return Checks if your request will succeed. DryRun is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*/
public final Boolean dryRun() {
return dryRun;
}
@Override
public Builder toBuilder() {
return new BuilderImpl(this);
}
public static Builder builder() {
return new BuilderImpl();
}
public static Class serializableBuilderClass() {
return BuilderImpl.class;
}
@Override
public final int hashCode() {
int hashCode = 1;
hashCode = 31 * hashCode + super.hashCode();
hashCode = 31 * hashCode + Objects.hashCode(ciphertextBlob());
hashCode = 31 * hashCode + Objects.hashCode(hasEncryptionContext() ? encryptionContext() : null);
hashCode = 31 * hashCode + Objects.hashCode(hasGrantTokens() ? grantTokens() : null);
hashCode = 31 * hashCode + Objects.hashCode(keyId());
hashCode = 31 * hashCode + Objects.hashCode(encryptionAlgorithmAsString());
hashCode = 31 * hashCode + Objects.hashCode(recipient());
hashCode = 31 * hashCode + Objects.hashCode(dryRun());
return hashCode;
}
@Override
public final boolean equals(Object obj) {
return super.equals(obj) && equalsBySdkFields(obj);
}
@Override
public final boolean equalsBySdkFields(Object obj) {
if (this == obj) {
return true;
}
if (obj == null) {
return false;
}
if (!(obj instanceof DecryptRequest)) {
return false;
}
DecryptRequest other = (DecryptRequest) obj;
return Objects.equals(ciphertextBlob(), other.ciphertextBlob()) && hasEncryptionContext() == other.hasEncryptionContext()
&& Objects.equals(encryptionContext(), other.encryptionContext()) && hasGrantTokens() == other.hasGrantTokens()
&& Objects.equals(grantTokens(), other.grantTokens()) && Objects.equals(keyId(), other.keyId())
&& Objects.equals(encryptionAlgorithmAsString(), other.encryptionAlgorithmAsString())
&& Objects.equals(recipient(), other.recipient()) && Objects.equals(dryRun(), other.dryRun());
}
/**
* Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be
* redacted from this string using a placeholder value.
*/
@Override
public final String toString() {
return ToString.builder("DecryptRequest").add("CiphertextBlob", ciphertextBlob())
.add("EncryptionContext", hasEncryptionContext() ? encryptionContext() : null)
.add("GrantTokens", hasGrantTokens() ? grantTokens() : null).add("KeyId", keyId())
.add("EncryptionAlgorithm", encryptionAlgorithmAsString()).add("Recipient", recipient()).add("DryRun", dryRun())
.build();
}
public final Optional getValueForField(String fieldName, Class clazz) {
switch (fieldName) {
case "CiphertextBlob":
return Optional.ofNullable(clazz.cast(ciphertextBlob()));
case "EncryptionContext":
return Optional.ofNullable(clazz.cast(encryptionContext()));
case "GrantTokens":
return Optional.ofNullable(clazz.cast(grantTokens()));
case "KeyId":
return Optional.ofNullable(clazz.cast(keyId()));
case "EncryptionAlgorithm":
return Optional.ofNullable(clazz.cast(encryptionAlgorithmAsString()));
case "Recipient":
return Optional.ofNullable(clazz.cast(recipient()));
case "DryRun":
return Optional.ofNullable(clazz.cast(dryRun()));
default:
return Optional.empty();
}
}
@Override
public final List> sdkFields() {
return SDK_FIELDS;
}
private static Function getter(Function g) {
return obj -> g.apply((DecryptRequest) obj);
}
private static BiConsumer setter(BiConsumer s) {
return (obj, val) -> s.accept((Builder) obj, val);
}
public interface Builder extends KmsRequest.Builder, SdkPojo, CopyableBuilder {
/**
*
* Ciphertext to be decrypted. The blob includes metadata.
*
*
* @param ciphertextBlob
* Ciphertext to be decrypted. The blob includes metadata.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder ciphertextBlob(SdkBytes ciphertextBlob);
/**
*
* Specifies the encryption context to use when decrypting the data. An encryption context is valid only for
* cryptographic operations with a symmetric encryption KMS key. The standard asymmetric encryption
* algorithms and HMAC algorithms that KMS uses do not support an encryption context.
*
*
* An encryption context is a collection of non-secret key-value pairs that represent additional
* authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact
* case-sensitive match) encryption context to decrypt the data. An encryption context is supported only on
* operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an
* encryption context is optional, but it is strongly recommended.
*
*
* For more information, see Encryption
* context in the Key Management Service Developer Guide.
*
*
* @param encryptionContext
* Specifies the encryption context to use when decrypting the data. An encryption context is valid only
* for cryptographic operations with a symmetric encryption KMS key. The standard asymmetric encryption
* algorithms and HMAC algorithms that KMS uses do not support an encryption context.
*
* An encryption context is a collection of non-secret key-value pairs that represent additional
* authenticated data. When you use an encryption context to encrypt data, you must specify the same (an
* exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
* only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS
* keys, an encryption context is optional, but it is strongly recommended.
*
*
* For more information, see Encryption
* context in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder encryptionContext(Map encryptionContext);
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and Using a
* grant token in the Key Management Service Developer Guide.
*
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token
* and Using
* a grant token in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder grantTokens(Collection grantTokens);
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and Using a
* grant token in the Key Management Service Developer Guide.
*
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token
* and Using
* a grant token in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder grantTokens(String... grantTokens);
/**
*
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS key,
* the Decrypt operation throws an IncorrectKeyException.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you used a
* symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the symmetric ciphertext
* blob. However, it is always recommended as a best practice. This practice ensures that you use the KMS key
* that you intend.
*
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it
* with "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the
* key ARN or alias ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Alias name: alias/ExampleAlias
*
*
* -
*
* Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name
* and alias ARN, use ListAliases.
*
*
* @param keyId
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS
* key, the Decrypt operation throws an IncorrectKeyException.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. If you
* used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to the
* symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures
* that you use the KMS key that you intend.
*
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name,
* prefix it with "alias/". To specify a KMS key in a different Amazon Web Services account,
* you must use the key ARN or alias ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Alias name: alias/ExampleAlias
*
*
* -
*
* Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the
* alias name and alias ARN, use ListAliases.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder keyId(String keyId);
/**
*
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same algorithm
* that was used to encrypt the data. If you specify a different algorithm, the Decrypt operation
* fails.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The default
* value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
*
* @param encryptionAlgorithm
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same
* algorithm that was used to encrypt the data. If you specify a different algorithm, the
* Decrypt operation fails.
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The
* default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid
* for symmetric encryption KMS keys.
* @see EncryptionAlgorithmSpec
* @return Returns a reference to this object so that method calls can be chained together.
* @see EncryptionAlgorithmSpec
*/
Builder encryptionAlgorithm(String encryptionAlgorithm);
/**
*
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same algorithm
* that was used to encrypt the data. If you specify a different algorithm, the Decrypt operation
* fails.
*
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The default
* value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
*
* @param encryptionAlgorithm
* Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify the same
* algorithm that was used to encrypt the data. If you specify a different algorithm, the
* Decrypt operation fails.
*
* This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. The
* default value, SYMMETRIC_DEFAULT, represents the only supported algorithm that is valid
* for symmetric encryption KMS keys.
* @see EncryptionAlgorithmSpec
* @return Returns a reference to this object so that method calls can be chained together.
* @see EncryptionAlgorithmSpec
*/
Builder encryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm);
/**
*
* A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with
* the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
*
*
* This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
* parameter, use the Amazon Web Services
* Nitro Enclaves SDK or any Amazon Web Services SDK.
*
*
* When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data with
* the public key in the attestation document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the
* private key in the enclave. The Plaintext field in the response is null or empty.
*
*
* For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web
* Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
*
*
* @param recipient
* A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to
* use with the enclave's public key. The only valid encryption algorithm is
* RSAES_OAEP_SHA_256.
*
* This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include
* this parameter, use the Amazon Web
* Services Nitro Enclaves SDK or any Amazon Web Services SDK.
*
*
* When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data
* with the public key in the attestation document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This ciphertext can be decrypted only with
* the private key in the enclave. The Plaintext field in the response is null or empty.
*
*
* For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon
* Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder recipient(RecipientInfo recipient);
/**
*
* A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with
* the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
*
*
* This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
* parameter, use the Amazon Web Services
* Nitro Enclaves SDK or any Amazon Web Services SDK.
*
*
* When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data with
* the public key in the attestation document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the
* private key in the enclave. The Plaintext field in the response is null or empty.
*
*
* For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web
* Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
*
* This is a convenience method that creates an instance of the {@link RecipientInfo.Builder} avoiding the need
* to create one manually via {@link RecipientInfo#builder()}.
*
*
* When the {@link Consumer} completes, {@link RecipientInfo.Builder#build()} is called immediately and its
* result is passed to {@link #recipient(RecipientInfo)}.
*
* @param recipient
* a consumer that will call methods on {@link RecipientInfo.Builder}
* @return Returns a reference to this object so that method calls can be chained together.
* @see #recipient(RecipientInfo)
*/
default Builder recipient(Consumer recipient) {
return recipient(RecipientInfo.builder().applyMutation(recipient).build());
}
/**
*
* Checks if your request will succeed. DryRun is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @param dryRun
* Checks if your request will succeed. DryRun is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS
* API calls in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder dryRun(Boolean dryRun);
@Override
Builder overrideConfiguration(AwsRequestOverrideConfiguration overrideConfiguration);
@Override
Builder overrideConfiguration(Consumer builderConsumer);
}
static final class BuilderImpl extends KmsRequest.BuilderImpl implements Builder {
private SdkBytes ciphertextBlob;
private Map encryptionContext = DefaultSdkAutoConstructMap.getInstance();
private List grantTokens = DefaultSdkAutoConstructList.getInstance();
private String keyId;
private String encryptionAlgorithm;
private RecipientInfo recipient;
private Boolean dryRun;
private BuilderImpl() {
}
private BuilderImpl(DecryptRequest model) {
super(model);
ciphertextBlob(model.ciphertextBlob);
encryptionContext(model.encryptionContext);
grantTokens(model.grantTokens);
keyId(model.keyId);
encryptionAlgorithm(model.encryptionAlgorithm);
recipient(model.recipient);
dryRun(model.dryRun);
}
public final ByteBuffer getCiphertextBlob() {
return ciphertextBlob == null ? null : ciphertextBlob.asByteBuffer();
}
public final void setCiphertextBlob(ByteBuffer ciphertextBlob) {
ciphertextBlob(ciphertextBlob == null ? null : SdkBytes.fromByteBuffer(ciphertextBlob));
}
@Override
public final Builder ciphertextBlob(SdkBytes ciphertextBlob) {
this.ciphertextBlob = ciphertextBlob;
return this;
}
public final Map getEncryptionContext() {
if (encryptionContext instanceof SdkAutoConstructMap) {
return null;
}
return encryptionContext;
}
public final void setEncryptionContext(Map encryptionContext) {
this.encryptionContext = EncryptionContextTypeCopier.copy(encryptionContext);
}
@Override
public final Builder encryptionContext(Map encryptionContext) {
this.encryptionContext = EncryptionContextTypeCopier.copy(encryptionContext);
return this;
}
public final Collection getGrantTokens() {
if (grantTokens instanceof SdkAutoConstructList) {
return null;
}
return grantTokens;
}
public final void setGrantTokens(Collection grantTokens) {
this.grantTokens = GrantTokenListCopier.copy(grantTokens);
}
@Override
public final Builder grantTokens(Collection grantTokens) {
this.grantTokens = GrantTokenListCopier.copy(grantTokens);
return this;
}
@Override
@SafeVarargs
public final Builder grantTokens(String... grantTokens) {
grantTokens(Arrays.asList(grantTokens));
return this;
}
public final String getKeyId() {
return keyId;
}
public final void setKeyId(String keyId) {
this.keyId = keyId;
}
@Override
public final Builder keyId(String keyId) {
this.keyId = keyId;
return this;
}
public final String getEncryptionAlgorithm() {
return encryptionAlgorithm;
}
public final void setEncryptionAlgorithm(String encryptionAlgorithm) {
this.encryptionAlgorithm = encryptionAlgorithm;
}
@Override
public final Builder encryptionAlgorithm(String encryptionAlgorithm) {
this.encryptionAlgorithm = encryptionAlgorithm;
return this;
}
@Override
public final Builder encryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm) {
this.encryptionAlgorithm(encryptionAlgorithm == null ? null : encryptionAlgorithm.toString());
return this;
}
public final RecipientInfo.Builder getRecipient() {
return recipient != null ? recipient.toBuilder() : null;
}
public final void setRecipient(RecipientInfo.BuilderImpl recipient) {
this.recipient = recipient != null ? recipient.build() : null;
}
@Override
public final Builder recipient(RecipientInfo recipient) {
this.recipient = recipient;
return this;
}
public final Boolean getDryRun() {
return dryRun;
}
public final void setDryRun(Boolean dryRun) {
this.dryRun = dryRun;
}
@Override
public final Builder dryRun(Boolean dryRun) {
this.dryRun = dryRun;
return this;
}
@Override
public Builder overrideConfiguration(AwsRequestOverrideConfiguration overrideConfiguration) {
super.overrideConfiguration(overrideConfiguration);
return this;
}
@Override
public Builder overrideConfiguration(Consumer builderConsumer) {
super.overrideConfiguration(builderConsumer);
return this;
}
@Override
public DecryptRequest build() {
return new DecryptRequest(this);
}
@Override
public List> sdkFields() {
return SDK_FIELDS;
}
}
}