diff --git a/.changelog/0a689c9ea8914d8b945ddd89a233ea1b.json b/.changelog/0a689c9ea8914d8b945ddd89a233ea1b.json
new file mode 100644
index 00000000000..31135105468
--- /dev/null
+++ b/.changelog/0a689c9ea8914d8b945ddd89a233ea1b.json
@@ -0,0 +1,8 @@
+{
+ "id": "0a689c9e-a891-4d8b-945d-dd89a233ea1b",
+ "type": "feature",
+ "description": "AWS Backup - Features: Add VaultType to the output of DescribeRecoveryPoint, ListRecoveryPointByBackupVault API and add ResourceType to the input of ListRestoreJobs API",
+ "modules": [
+ "service/backup"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/1e67e3154d614506929c3dec3f349711.json b/.changelog/1e67e3154d614506929c3dec3f349711.json
new file mode 100644
index 00000000000..c328cb3ca17
--- /dev/null
+++ b/.changelog/1e67e3154d614506929c3dec3f349711.json
@@ -0,0 +1,8 @@
+{
+ "id": "1e67e315-4d61-4506-929c-3dec3f349711",
+ "type": "documentation",
+ "description": "Documentation updates for Trust and Safety features.",
+ "modules": [
+ "service/comprehend"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/3ba7a6e6523f4c99b252e8344f001f81.json b/.changelog/3ba7a6e6523f4c99b252e8344f001f81.json
new file mode 100644
index 00000000000..e8f60b4b7fe
--- /dev/null
+++ b/.changelog/3ba7a6e6523f4c99b252e8344f001f81.json
@@ -0,0 +1,8 @@
+{
+ "id": "3ba7a6e6-523f-4c99-b252-e8344f001f81",
+ "type": "feature",
+ "description": "AWS Payment Cryptography IPEK feature release",
+ "modules": [
+ "service/paymentcryptography"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/58b30d20b2724eecbc6d8da405a5b25d.json b/.changelog/58b30d20b2724eecbc6d8da405a5b25d.json
new file mode 100644
index 00000000000..7fff4f81149
--- /dev/null
+++ b/.changelog/58b30d20b2724eecbc6d8da405a5b25d.json
@@ -0,0 +1,8 @@
+{
+ "id": "58b30d20-b272-4eec-bc6d-8da405a5b25d",
+ "type": "feature",
+ "description": "Releasing Tagging Support for Instance Management APIS",
+ "modules": [
+ "service/connect"
+ ]
+}
\ No newline at end of file
diff --git a/.changelog/e5989f85eb414e4c83e72d13fe2730cb.json b/.changelog/e5989f85eb414e4c83e72d13fe2730cb.json
new file mode 100644
index 00000000000..7740cbc52a5
--- /dev/null
+++ b/.changelog/e5989f85eb414e4c83e72d13fe2730cb.json
@@ -0,0 +1,8 @@
+{
+ "id": "e5989f85-eb41-4e4c-83e7-2d13fe2730cb",
+ "type": "feature",
+ "description": "Releasing the new cpuManufacturer attribute within the DescribeInstanceTypes API response which notifies our customers with information on who the Manufacturer is for the processor attached to the instance, for example: Intel.",
+ "modules": [
+ "service/ec2"
+ ]
+}
\ No newline at end of file
diff --git a/service/backup/api_op_DescribeRecoveryPoint.go b/service/backup/api_op_DescribeRecoveryPoint.go
index c728e2efd07..f68d8b4a238 100644
--- a/service/backup/api_op_DescribeRecoveryPoint.go
+++ b/service/backup/api_op_DescribeRecoveryPoint.go
@@ -191,6 +191,9 @@ type DescribeRecoveryPointOutput struct {
 // .
 StorageClass types.StorageClass
+ // This is the type of vault in which the described recovery point is stored.
+ VaultType types.VaultType
+
 // Metadata pertaining to the operation's result.
 ResultMetadata middleware.Metadata
diff --git a/service/backup/api_op_ListBackupJobs.go b/service/backup/api_op_ListBackupJobs.go
index 053ac617e5c..92a37cd419f 100644
--- a/service/backup/api_op_ListBackupJobs.go
+++ b/service/backup/api_op_ListBackupJobs.go
@@ -74,6 +74,7 @@ type ListBackupJobsInput struct {
 // Returns only backup jobs for the specified resources:
 // - Aurora for Amazon Aurora
+ // - CloudFormation for CloudFormation
 // - DocumentDB for Amazon DocumentDB (with MongoDB compatibility)
 // - DynamoDB for Amazon DynamoDB
 // - EBS for Amazon Elastic Block Store
@@ -81,9 +82,12 @@ type ListBackupJobsInput struct {
 // - EFS for Amazon Elastic File System
 // - FSx for Amazon FSx
 // - Neptune for Amazon Neptune
+ // - Redshift for Amazon Redshift
 // - RDS for Amazon Relational Database Service
+ // - SAP HANA on Amazon EC2 for SAP HANA databases
 // - Storage Gateway for Storage Gateway
 // - S3 for Amazon S3
+ // - Timestream for Amazon Timestream
 // - VirtualMachine for virtual machines
 ByResourceType *string
diff --git a/service/backup/api_op_ListCopyJobs.go b/service/backup/api_op_ListCopyJobs.go
index 1641239e5b2..4f914ffee8c 100644
--- a/service/backup/api_op_ListCopyJobs.go
+++ b/service/backup/api_op_ListCopyJobs.go
@@ -71,6 +71,7 @@ type ListCopyJobsInput struct {
 // Returns only backup jobs for the specified resources:
 // - Aurora for Amazon Aurora
+ // - CloudFormation for CloudFormation
 // - DocumentDB for Amazon DocumentDB (with MongoDB compatibility)
 // - DynamoDB for Amazon DynamoDB
 // - EBS for Amazon Elastic Block Store
@@ -78,9 +79,12 @@ type ListCopyJobsInput struct {
 // - EFS for Amazon Elastic File System
 // - FSx for Amazon FSx
 // - Neptune for Amazon Neptune
+ // - Redshift for Amazon Redshift
 // - RDS for Amazon Relational Database Service
+ // - SAP HANA on Amazon EC2 for SAP HANA databases
 // - Storage Gateway for Storage Gateway
 // - S3 for Amazon S3
+ // - Timestream for Amazon Timestream
 // - VirtualMachine for virtual machines
 ByResourceType *string
diff --git a/service/backup/api_op_ListRecoveryPointsByBackupVault.go b/service/backup/api_op_ListRecoveryPointsByBackupVault.go
index 8d97a0d6268..1480022c2c5 100644
--- a/service/backup/api_op_ListRecoveryPointsByBackupVault.go
+++ b/service/backup/api_op_ListRecoveryPointsByBackupVault.go
@@ -60,7 +60,23 @@ type ListRecoveryPointsByBackupVaultInput struct {
 // Name (ARN).
 ByResourceArn *string
- // Returns only recovery points that match the specified resource type.
+ // Returns only recovery points that match the specified resource type(s):
+ // - Aurora for Amazon Aurora
+ // - CloudFormation for CloudFormation
+ // - DocumentDB for Amazon DocumentDB (with MongoDB compatibility)
+ // - DynamoDB for Amazon DynamoDB
+ // - EBS for Amazon Elastic Block Store
+ // - EC2 for Amazon Elastic Compute Cloud
+ // - EFS for Amazon Elastic File System
+ // - FSx for Amazon FSx
+ // - Neptune for Amazon Neptune
+ // - Redshift for Amazon Redshift
+ // - RDS for Amazon Relational Database Service
+ // - SAP HANA on Amazon EC2 for SAP HANA databases
+ // - Storage Gateway for Storage Gateway
+ // - S3 for Amazon S3
+ // - Timestream for Amazon Timestream
+ // - VirtualMachine for virtual machines
 ByResourceType *string
 // The maximum number of items to be returned.
diff --git a/service/backup/api_op_ListRestoreJobs.go b/service/backup/api_op_ListRestoreJobs.go
index 3a09137c836..e862a33e4c7 100644
--- a/service/backup/api_op_ListRestoreJobs.go
+++ b/service/backup/api_op_ListRestoreJobs.go
@@ -50,6 +50,25 @@ type ListRestoreJobsInput struct {
 // Returns only restore jobs that were created before the specified date.
 ByCreatedBefore *time.Time
+ // Include this parameter to return only restore jobs for the specified resources:
+ // - Aurora for Amazon Aurora
+ // - CloudFormation for CloudFormation
+ // - DocumentDB for Amazon DocumentDB (with MongoDB compatibility)
+ // - DynamoDB for Amazon DynamoDB
+ // - EBS for Amazon Elastic Block Store
+ // - EC2 for Amazon Elastic Compute Cloud
+ // - EFS for Amazon Elastic File System
+ // - FSx for Amazon FSx
+ // - Neptune for Amazon Neptune
+ // - Redshift for Amazon Redshift
+ // - RDS for Amazon Relational Database Service
+ // - SAP HANA on Amazon EC2 for SAP HANA databases
+ // - Storage Gateway for Storage Gateway
+ // - S3 for Amazon S3
+ // - Timestream for Amazon Timestream
+ // - VirtualMachine for virtual machines
+ ByResourceType *string
+
 // This returns only restore testing jobs that match the specified resource Amazon
 // Resource Name (ARN).
 ByRestoreTestingPlanArn *string
diff --git a/service/backup/api_op_UpdateRegionSettings.go b/service/backup/api_op_UpdateRegionSettings.go
index 1e6710318e7..4565b7161e4 100644
--- a/service/backup/api_op_UpdateRegionSettings.go
+++ b/service/backup/api_op_UpdateRegionSettings.go
@@ -11,12 +11,8 @@ import (
 smithyhttp "github.com/aws/smithy-go/transport/http"
 )
-// Updates the current service opt-in settings for the Region. If service-opt-in
-// is enabled for a service, Backup tries to protect that service's resources in
-// this Region, when the resource is included in an on-demand backup or scheduled
-// backup plan. Otherwise, Backup does not try to protect that service's resources
-// in this Region. Use the DescribeRegionSettings API to determine the resource
-// types that are supported.
+// Updates the current service opt-in settings for the Region. Use the
+// DescribeRegionSettings API to determine the resource types that are supported.
 func (c *Client) UpdateRegionSettings(ctx context.Context, params *UpdateRegionSettingsInput, optFns ...func(*Options)) (*UpdateRegionSettingsOutput, error) {
 if params == nil {
 params = &UpdateRegionSettingsInput{}
@@ -42,6 +38,13 @@ type UpdateRegionSettingsInput struct {
 ResourceTypeManagementPreference map[string]bool
 // Updates the list of services along with the opt-in preferences for the Region.
+ // If resource assignments are only based on tags, then service opt-in settings are
+ // applied. If a resource type is explicitly assigned to a backup plan, such as
+ // Amazon S3, Amazon EC2, or Amazon RDS, it will be included in the backup even if
+ // the opt-in is not enabled for that particular service. If both a resource type
+ // and tags are specified in a resource assignment, the resource type specified in
+ // the backup plan takes priority over the tag condition. Service opt-in settings
+ // are disregarded in this situation.
 ResourceTypeOptInPreference map[string]bool
 noSmithyDocumentSerde
diff --git a/service/backup/deserializers.go b/service/backup/deserializers.go
index eb06c07826e..5dbb578b2aa 100644
--- a/service/backup/deserializers.go
+++ b/service/backup/deserializers.go
@@ -4919,6 +4919,15 @@ func awsRestjson1_deserializeOpDocumentDescribeRecoveryPointOutput(v **DescribeR
 sv.StorageClass = types.StorageClass(jtv)
 }
+ case "VaultType":
+ if value != nil {
+ jtv, ok := value.(string)
+ if !ok {
+ return fmt.Errorf("expected VaultType to be of type string, got %T instead", value)
+ }
+ sv.VaultType = types.VaultType(jtv)
+ }
+
 default:
 _, _ = key, value
@@ -19665,6 +19674,15 @@ func awsRestjson1_deserializeDocumentRecoveryPointByBackupVault(v **types.Recove
 sv.StatusMessage = ptr.String(jtv)
 }
+ case "VaultType":
+ if value != nil {
+ jtv, ok := value.(string)
+ if !ok {
+ return fmt.Errorf("expected VaultType to be of type string, got %T instead", value)
+ }
+ sv.VaultType = types.VaultType(jtv)
+ }
+
 default:
 _, _ = key, value
diff --git a/service/backup/serializers.go b/service/backup/serializers.go
index a2d0f1bab7e..177553c0fa4 100644
--- a/service/backup/serializers.go
+++ b/service/backup/serializers.go
@@ -4973,6 +4973,10 @@ func awsRestjson1_serializeOpHttpBindingsListRestoreJobsInput(v *ListRestoreJobs
 encoder.SetQuery("createdBefore").String(smithytime.FormatDateTime(*v.ByCreatedBefore))
 }
+ if v.ByResourceType != nil {
+ encoder.SetQuery("resourceType").String(*v.ByResourceType)
+ }
+
 if v.ByRestoreTestingPlanArn != nil {
 encoder.SetQuery("restoreTestingPlanArn").String(*v.ByRestoreTestingPlanArn)
 }
diff --git a/service/backup/types/types.go b/service/backup/types/types.go
index da10369f196..54250c6bc4d 100644
--- a/service/backup/types/types.go
+++ b/service/backup/types/types.go
@@ -1238,6 +1238,9 @@ type RecoveryPointByBackupVault struct {
 // A message explaining the reason of the recovery point deletion failure.
 StatusMessage *string
+ // This is the type of vault in which the described recovery point is stored.
+ VaultType VaultType
+
 noSmithyDocumentSerde
 }
diff --git a/service/comprehend/api_op_ClassifyDocument.go b/service/comprehend/api_op_ClassifyDocument.go
index a3bbed9a4bf..4871e8de85c 100644
--- a/service/comprehend/api_op_ClassifyDocument.go
+++ b/service/comprehend/api_op_ClassifyDocument.go
@@ -16,17 +16,18 @@ import (
 // ClassifyDocument supports the following model types:
 // - Custom classifier - a custom model that you have created and trained. For
 // input, you can provide plain text, a single-page document (PDF, Word, or image),
-// or Textract API output. For more information, see Custom classification (https://docs.aws.amazon.com/comprehend/latest/dg/how-document-classification.html)
+// or Amazon Textract API output. For more information, see Custom classification (https://docs.aws.amazon.com/comprehend/latest/dg/how-document-classification.html)
 // in the Amazon Comprehend Developer Guide.
-// - Prompt classifier - Amazon Comprehend provides a model for classifying
-// prompts. For input, you provide English plain text input. For prompt
-// classification, the response includes only the Classes field. For more
-// information about prompt classifiers, see Prompt classifiers (https://docs.aws.amazon.com/comprehend/latest/dg/prompt-classification.html)
+// - Prompt safety classifier - Amazon Comprehend provides a pre-trained model
+// for classifying input prompts for generative AI applications. For input, you
+// provide English plain text input. For prompt safety classification, the response
+// includes only the Classes field. For more information about prompt safety
+// classifiers, see Prompt safety classification (https://docs.aws.amazon.com/comprehend/latest/dg/trust-safety.html#prompt-classification)
 // in the Amazon Comprehend Developer Guide.
 //
 // If the system detects errors while processing a page in the input document, the
-// API response includes an entry in Errors that describes the errors. If the
-// system detects a document-level error in your input document, the API returns an
+// API response includes an Errors field that describes the errors. If the system
+// detects a document-level error in your input document, the API returns an
 // InvalidRequestException error response. For details about this exception, see
 // Errors in semi-structured documents (https://docs.aws.amazon.com/comprehend/latest/dg/idp-inputs-sync-err.html)
 // in the Comprehend Developer Guide.
@@ -47,10 +48,12 @@ func (c *Client) ClassifyDocument(ctx context.Context, params *ClassifyDocumentI
 type ClassifyDocumentInput struct {
- // The Amazon Resource Number (ARN) of the endpoint. For prompt classification,
- // Amazon Comprehend provides the endpoint ARN: zzz . For custom classification,
- // you create an endpoint for your custom model. For more information, see Using
- // Amazon Comprehend endpoints (https://docs.aws.amazon.com/comprehend/latest/dg/using-endpoints.html)
+ // The Amazon Resource Number (ARN) of the endpoint. For prompt safety
+ // classification, Amazon Comprehend provides the endpoint ARN. For more
+ // information about prompt safety classifiers, see Prompt safety classification (https://docs.aws.amazon.com/comprehend/latest/dg/trust-safety.html#prompt-classification)
+ // in the Amazon Comprehend Developer Guide For custom classification, you create
+ // an endpoint for your custom model. For more information, see Using Amazon
+ // Comprehend endpoints (https://docs.aws.amazon.com/comprehend/latest/dg/using-endpoints.html)
 // .
 //
 // This member is required.
@@ -59,11 +62,12 @@ type ClassifyDocumentInput struct {
 // Use the Bytes parameter to input a text, PDF, Word or image file. When you
 // classify a document using a custom model, you can also use the Bytes parameter
 // to input an Amazon Textract DetectDocumentText or AnalyzeDocument output file.
- // To classify a document using the prompt classifier, use the Text parameter for
- // input. Provide the input document as a sequence of base64-encoded bytes. If your
- // code uses an Amazon Web Services SDK to classify documents, the SDK may encode
- // the document file bytes for you. The maximum length of this field depends on the
- // input document type. For details, see Inputs for real-time custom analysis (https://docs.aws.amazon.com/comprehend/latest/dg/idp-inputs-sync.html)
+ // To classify a document using the prompt safety classifier, use the Text
+ // parameter for input. Provide the input document as a sequence of base64-encoded
+ // bytes. If your code uses an Amazon Web Services SDK to classify documents, the
+ // SDK may encode the document file bytes for you. The maximum length of this field
+ // depends on the input document type. For details, see Inputs for real-time
+ // custom analysis (https://docs.aws.amazon.com/comprehend/latest/dg/idp-inputs-sync.html)
 // in the Comprehend Developer Guide. If you use the Bytes parameter, do not use
 // the Text parameter.
 Bytes []byte
@@ -81,13 +85,13 @@ type ClassifyDocumentInput struct {
 type ClassifyDocumentOutput struct {
- // The classes used by the document being analyzed. These are used for multi-class
- // trained models. Individual classes are mutually exclusive and each document is
- // expected to have only a single class assigned to it. For example, an animal can
- // be a dog or a cat, but not both at the same time. For prompt classification, the
- // response includes a single class ( UNDESIRED_PROMPT ), along with a confidence
- // score. A higher confidence score indicates that the input prompt is undesired in
- // nature.
+ // The classes used by the document being analyzed. These are used for models
+ // trained in multi-class mode. Individual classes are mutually exclusive and each
+ // document is expected to have only a single class assigned to it. For example, an
+ // animal can be a dog or a cat, but not both at the same time. For prompt safety
+ // classification, the response includes only two classes (SAFE_PROMPT and
+ // UNSAFE_PROMPT), along with a confidence score for each class. The value range of
+ // the score is zero to one, where one is the highest confidence.
 Classes []types.DocumentClass
 // Extraction information about the document. This field is present in the
@@ -102,7 +106,7 @@ type ClassifyDocumentOutput struct {
 // The field is empty if the system encountered no errors.
 Errors []types.ErrorsListItem
- // The labels used the document being analyzed. These are used for multi-label
+ // The labels used in the document being analyzed. These are used for multi-label
 // trained models. Individual labels represent different categories that are
 // related in some manner and are not mutually exclusive. For example, a movie can
 // be just an action movie, or it can be an action movie, a science fiction movie,
diff --git a/service/comprehend/api_op_CreateDocumentClassifier.go b/service/comprehend/api_op_CreateDocumentClassifier.go
index f00b715e54f..4b80677d8c9 100644
--- a/service/comprehend/api_op_CreateDocumentClassifier.go
+++ b/service/comprehend/api_op_CreateDocumentClassifier.go
@@ -61,10 +61,11 @@ type CreateDocumentClassifierInput struct {
 ClientRequestToken *string
 // Indicates the mode in which the classifier will be trained. The classifier can
- // be trained in multi-class mode, which identifies one and only one class for each
- // document, or multi-label mode, which identifies one or more labels for each
- // document. In multi-label mode, multiple labels for an individual document are
- // separated by a delimiter. The default delimiter between labels is a pipe (|).
+ // be trained in multi-class (single-label) mode or multi-label mode. Multi-class
+ // mode identifies a single class label for each document and multi-label mode
+ // identifies one or more class labels for each document. Multiple labels for an
+ // individual document are separated by a delimiter. The default delimiter between
+ // labels is a pipe (|).
 Mode types.DocumentClassifierMode
 // ID for the KMS key that Amazon Comprehend uses to encrypt trained custom
diff --git a/service/comprehend/api_op_DetectToxicContent.go b/service/comprehend/api_op_DetectToxicContent.go
index 8ffbf043394..2c690a6b229 100644
--- a/service/comprehend/api_op_DetectToxicContent.go
+++ b/service/comprehend/api_op_DetectToxicContent.go
@@ -13,11 +13,10 @@ import (
 )
 // Performs toxicity analysis on the list of text strings that you provide as
-// input. The analysis uses the order of strings in the list to determine context
-// when predicting toxicity. The API response contains a results list that matches
-// the size of the input list. For more information about toxicity detection, see
-// Toxicity detection (https://docs.aws.amazon.com/comprehend/latest/dg/toxicity-detection.html)
-// in the Amazon Comprehend Developer Guide
+// input. The API response contains a results list that matches the size of the
+// input list. For more information about toxicity detection, see Toxicity
+// detection (https://docs.aws.amazon.com/comprehend/latest/dg/toxicity-detection.html)
+// in the Amazon Comprehend Developer Guide.
 func (c *Client) DetectToxicContent(ctx context.Context, params *DetectToxicContentInput, optFns ...func(*Options)) (*DetectToxicContentOutput, error) {
 if params == nil {
 params = &DetectToxicContentInput{}
@@ -41,7 +40,8 @@ type DetectToxicContentInput struct {
 // This member is required.
 LanguageCode types.LanguageCode
- // A list of up to 10 text strings. The maximum size for the list is 10 KB.
+ // A list of up to 10 text strings. Each string has a maximum size of 1 KB, and
+ // the maximum size of the list is 10 KB.
 //
 // This member is required.
 TextSegments []types.TextSegment
diff --git a/service/comprehend/api_op_StartDocumentClassificationJob.go b/service/comprehend/api_op_StartDocumentClassificationJob.go
index adb18013d22..d734a6d37ad 100644
--- a/service/comprehend/api_op_StartDocumentClassificationJob.go
+++ b/service/comprehend/api_op_StartDocumentClassificationJob.go
@@ -12,8 +12,9 @@ import (
 smithyhttp "github.com/aws/smithy-go/transport/http"
 )
-// Starts an asynchronous document classification job. Use the
-// DescribeDocumentClassificationJob operation to track the progress of the job.
+// Starts an asynchronous document classification job using a custom
+// classification model. Use the DescribeDocumentClassificationJob operation to
+// track the progress of the job.
 func (c *Client) StartDocumentClassificationJob(ctx context.Context, params *StartDocumentClassificationJobInput, optFns ...func(*Options)) (*StartDocumentClassificationJobOutput, error) {
 if params == nil {
 params = &StartDocumentClassificationJobInput{}
diff --git a/service/comprehend/types/errors.go b/service/comprehend/types/errors.go
index 6f5b9eab90c..82c667c8860 100644
--- a/service/comprehend/types/errors.go
+++ b/service/comprehend/types/errors.go
@@ -410,9 +410,8 @@ func (e *TooManyTagsException) ErrorCode() string {
 }
 func (e *TooManyTagsException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
-// Amazon Comprehend can't process the language of the input text. For custom
-// entity recognition APIs, only English, Spanish, French, Italian, German, or
-// Portuguese are accepted. For a list of supported languages, Supported languages (https://docs.aws.amazon.com/comprehend/latest/dg/supported-languages.html)
+// Amazon Comprehend can't process the language of the input text. For a list of
+// supported languages, Supported languages (https://docs.aws.amazon.com/comprehend/latest/dg/supported-languages.html)
 // in the Comprehend Developer Guide.
 type UnsupportedLanguageException struct {
 Message *string
diff --git a/service/comprehend/types/types.go b/service/comprehend/types/types.go
index ac1089446eb..d50666f2541 100644
--- a/service/comprehend/types/types.go
+++ b/service/comprehend/types/types.go
@@ -1003,9 +1003,9 @@ type DocumentReaderConfig struct {
 // Specifies the type of Amazon Textract features to apply. If you chose
 // TEXTRACT_ANALYZE_DOCUMENT as the read action, you must specify one or both of
 // the following values:
- // - TABLES - Returns information about any tables that are detected in the input
- // document.
- // - FORMS - Returns information and the data from any forms that are detected in
+ // - TABLES - Returns additional information about any tables that are detected
+ // in the input document.
+ // - FORMS - Returns additional information about any forms that are detected in
 // the input document.
 FeatureTypes []DocumentReadFeatureTypes
@@ -1674,8 +1674,8 @@ type EntityTypesListItem struct {
 // An entity type within a labeled training dataset that Amazon Comprehend uses to
 // train a custom entity recognizer. Entity types must not contain the following
 // invalid characters: \n (line break), \\n (escaped line break, \r (carriage
- // return), \\r (escaped carriage return), \t (tab), \\t (escaped tab), space, and
- // , (comma).
+ // return), \\r (escaped carriage return), \t (tab), \\t (escaped tab), and ,
+ // (comma).
 //
 // This member is required.
 Type *string
@@ -2004,18 +2004,25 @@ type InputDataConfig struct {
 noSmithyDocumentSerde
 }
-// Provides additional detail about why the request failed:
-// - Document size is too large - Check the size of your file and resubmit the
-// request.
-// - Document type is not supported - Check the file type and resubmit the
-// request.
-// - Too many pages in the document - Check the number of pages in your file and
-// resubmit the request.
-// - Access denied to Amazon Textract - Verify that your account has permission
-// to use Amazon Textract API operations and resubmit the request.
+// Provides additional detail about why the request failed.
 type InvalidRequestDetail struct {
- // Reason code is INVALID_DOCUMENT .
+ // Reason codes include the following values:
+ // - DOCUMENT_SIZE_EXCEEDED - Document size is too large. Check the size of your
+ // file and resubmit the request.
+ // - UNSUPPORTED_DOC_TYPE - Document type is not supported. Check the file type
+ // and resubmit the request.
+ // - PAGE_LIMIT_EXCEEDED - Too many pages in the document. Check the number of
+ // pages in your file and resubmit the request.
+ // - TEXTRACT_ACCESS_DENIED - Access denied to Amazon Textract. Verify that your
+ // account has permission to use Amazon Textract API operations and resubmit the
+ // request.
+ // - NOT_TEXTRACT_JSON - Document is not Amazon Textract JSON format. Verify the
+ // format and resubmit the request.
+ // - MISMATCHED_TOTAL_PAGE_COUNT - Check the number of pages in your file and
+ // resubmit the request.
+ // - INVALID_DOCUMENT - Invalid document. Check the file and resubmit the
+ // request.
 Reason InvalidRequestDetailReason
 noSmithyDocumentSerde
@@ -2781,13 +2788,14 @@ type ToxicContent struct {
 // Toxicity analysis result for one string. For more information about toxicity
 // detection, see Toxicity detection (https://docs.aws.amazon.com/comprehend/latest/dg/toxicity-detection.html)
-// in the Amazon Comprehend Developer Guide
+// in the Amazon Comprehend Developer Guide.
 type ToxicLabels struct {
 // Array of toxic content types identified in the string.
 Labels []ToxicContent
- // Overall toxicity score for the string.
+ // Overall toxicity score for the string. Value range is zero to one, where one is
+ // the highest confidence.
 Toxicity *float32
 noSmithyDocumentSerde
diff --git a/service/connect/api_op_CreateInstance.go b/service/connect/api_op_CreateInstance.go
index c39cff639bf..c7171b1498f 100644
--- a/service/connect/api_op_CreateInstance.go
+++ b/service/connect/api_op_CreateInstance.go
@@ -62,6 +62,10 @@ type CreateInstanceInput struct {
 // The name for your instance.
 InstanceAlias *string
+ // The tags used to organize, track, or control access for this resource. For
+ // example, { "tags": {"key1":"value1", "key2":"value2"} } .
+ Tags map[string]string
+
 noSmithyDocumentSerde
 }
diff --git a/service/connect/deserializers.go b/service/connect/deserializers.go
index 5faf8fe1a5f..09378afea51 100644
--- a/service/connect/deserializers.go
+++ b/service/connect/deserializers.go
@@ -40543,6 +40543,11 @@ func awsRestjson1_deserializeDocumentInstance(v **types.Instance, value interfac
 return err
 }
+ case "Tags":
+ if err := awsRestjson1_deserializeDocumentTagMap(&sv.Tags, value); err != nil {
+ return err
+ }
+
 default:
 _, _ = key, value
diff --git a/service/connect/serializers.go b/service/connect/serializers.go
index 540fb787bdb..dc5e022fc14 100644
--- a/service/connect/serializers.go
+++ b/service/connect/serializers.go
@@ -2464,6 +2464,13 @@ func awsRestjson1_serializeOpDocumentCreateInstanceInput(v *CreateInstanceInput,
 ok.Boolean(*v.OutboundCallsEnabled)
 }
+ if v.Tags != nil {
+ ok := object.Key("Tags")
+ if err := awsRestjson1_serializeDocumentTagMap(v.Tags, ok); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
diff --git a/service/connect/types/types.go b/service/connect/types/types.go
index b856fb92166..9a554ec9b6e 100644
--- a/service/connect/types/types.go
+++ b/service/connect/types/types.go
@@ -2075,6 +2075,9 @@ type Instance struct {
 // Relevant details why the instance was not successfully created.
 StatusReason *InstanceStatusReason
+ // The tags of an instance.
+ Tags map[string]string
+
 noSmithyDocumentSerde
 }
diff --git a/service/ec2/deserializers.go b/service/ec2/deserializers.go
index 7718b8bdf42..01a513de680 100644
--- a/service/ec2/deserializers.go
+++ b/service/ec2/deserializers.go
@@ -108180,6 +108180,19 @@ func awsEc2query_deserializeDocumentProcessorInfo(v **types.ProcessorInfo, decod
 originalDecoder := decoder
 decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t)
 switch {
+ case strings.EqualFold("manufacturer", t.Name.Local):
+ val, err := decoder.Value()
+ if err != nil {
+ return err
+ }
+ if val == nil {
+ break
+ }
+ {
+ xtv := string(val)
+ sv.Manufacturer = ptr.String(xtv)
+ }
+
 case strings.EqualFold("supportedArchitectures", t.Name.Local):
 nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t)
 if err := awsEc2query_deserializeDocumentArchitectureTypeList(&sv.SupportedArchitectures, nodeDecoder); err != nil {
diff --git a/service/ec2/types/types.go b/service/ec2/types/types.go
index 2f746fe5aab..937158500fe 100644
--- a/service/ec2/types/types.go
+++ b/service/ec2/types/types.go
@@ -11936,6 +11936,9 @@ type PrivateIpAddressSpecification struct {
 // Describes the processor used by the instance type.
 type ProcessorInfo struct {
+ // The manufacturer of the processor.
+ Manufacturer *string
+
 // The architectures supported by the instance type.
 SupportedArchitectures []ArchitectureType
diff --git a/service/paymentcryptography/api_op_CreateAlias.go b/service/paymentcryptography/api_op_CreateAlias.go
index b8431e1ef89..da0f15e40ea 100644
--- a/service/paymentcryptography/api_op_CreateAlias.go
+++ b/service/paymentcryptography/api_op_CreateAlias.go
@@ -47,11 +47,11 @@ func (c *Client) CreateAlias(ctx context.Context, params *CreateAliasInput, optF
 type CreateAliasInput struct {
- // A friendly name that you can use to refer a key. An alias must begin with alias/
- // followed by a name, for example alias/ExampleAlias . It can contain only
+ // A friendly name that you can use to refer to a key. An alias must begin with
+ // alias/ followed by a name, for example alias/ExampleAlias . It can contain only
 // alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
- // Don't include confidential or sensitive information in this field. This field
- // may be displayed in plaintext in CloudTrail logs and other output.
+ // Don't include personal, confidential or sensitive information in this field.
+ // This field may be displayed in plaintext in CloudTrail logs and other output.
 //
 // This member is required.
 AliasName *string
diff --git a/service/paymentcryptography/api_op_CreateKey.go b/service/paymentcryptography/api_op_CreateKey.go
index 465c5b096dd..6f67fbf92bd 100644
--- a/service/paymentcryptography/api_op_CreateKey.go
+++ b/service/paymentcryptography/api_op_CreateKey.go
@@ -19,7 +19,7 @@ import (
 // operations, an Amazon Web Services Payment Cryptography key includes metadata
 // such as the key ARN, key usage, key origin, creation date, description, and key
 // state. When you create a key, you specify both immutable and mutable data about
-// the key. The immutable data contains key attributes that defines the scope and
+// the key. The immutable data contains key attributes that define the scope and
 // cryptographic operations that you can perform using the key, for example key
 // class (example: SYMMETRIC_KEY ), key algorithm (example: TDES_2KEY ), key usage
 // (example: TR31_P0_PIN_ENCRYPTION_KEY ) and key modes of use (example: Encrypt ).
@@ -65,26 +65,29 @@ type CreateKeyInput struct {
 KeyAttributes *types.KeyAttributes
 // Specifies whether to enable the key. If the key is enabled, it is activated for
- // use within the service. If the key not enabled, then it is created but not
+ // use within the service. If the key is not enabled, then it is created but not
 // activated. The default value is enabled.
 Enabled *bool
 // The algorithm that Amazon Web Services Payment Cryptography uses to calculate
- // the key check value (KCV) for DES and AES keys. For DES key, the KCV is computed
- // by encrypting 8 bytes, each with value '00', with the key to be checked and
- // retaining the 3 highest order bytes of the encrypted result. For AES key, the
- // KCV is computed by encrypting 8 bytes, each with value '01', with the key to be
- // checked and retaining the 3 highest order bytes of the encrypted result.
+ // the key check value (KCV). It is used to validate the key integrity. For TDES
+ // keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with
+ // the key to be checked and retaining the 3 highest order bytes of the encrypted
+ // result. For AES keys, the KCV is computed using a CMAC algorithm where the input
+ // data is 16 bytes of zero and retaining the 3 highest order bytes of the
+ // encrypted result.
 KeyCheckValueAlgorithm types.KeyCheckValueAlgorithm
- // The tags to attach to the key. Each tag consists of a tag key and a tag value.
- // Both the tag key and the tag value are required, but the tag value can be an
- // empty (null) string. You can't have more than one tag on an Amazon Web Services
- // Payment Cryptography key with the same tag key. To use this parameter, you must
- // have TagResource permission. Don't include confidential or sensitive
- // information in this field. This field may be displayed in plaintext in
- // CloudTrail logs and other output. Tagging or untagging an Amazon Web Services
- // Payment Cryptography key can allow or deny permission to the key.
+ // Assigns one or more tags to the Amazon Web Services Payment Cryptography key.
+ // Use this parameter to tag a key when it is created. To tag an existing Amazon
+ // Web Services Payment Cryptography key, use the TagResource operation. Each tag
+ // consists of a tag key and a tag value. Both the tag key and the tag value are
+ // required, but the tag value can be an empty (null) string. You can't have more
+ // than one tag on an Amazon Web Services Payment Cryptography key with the same
+ // tag key. Don't include personal, confidential or sensitive information in this
+ // field. This field may be displayed in plaintext in CloudTrail logs and other
+ // output. Tagging or untagging an Amazon Web Services Payment Cryptography key can
+ // allow or deny permission to the key.
 Tags []types.Tag
 noSmithyDocumentSerde
diff --git a/service/paymentcryptography/api_op_DeleteKey.go b/service/paymentcryptography/api_op_DeleteKey.go
index 9cf82c55163..a3a4fab782e 100644
--- a/service/paymentcryptography/api_op_DeleteKey.go
+++ b/service/paymentcryptography/api_op_DeleteKey.go
@@ -12,7 +12,7 @@ import (
 smithyhttp "github.com/aws/smithy-go/transport/http"
 )
-// Deletes the key material and all metadata associated with Amazon Web Services
+// Deletes the key material and metadata associated with Amazon Web Services
 // Payment Cryptography key. Key deletion is irreversible. After a key is deleted,
 // you can't perform cryptographic operations using the key. For example, you can't
 // decrypt data that was encrypted by a deleted Amazon Web Services Payment
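Review bot: The new KeyCheckValueAlgorithm comment in the CreateKeyInput hunk ends the AES sentence with `retaining the 3 highest order bytes of the encrypted result`, but the same sentence says the AES KCV is computed with a CMAC, so the retained bytes are the leading bytes of the MAC output, not of a ciphertext; an implementer reconciling KCVs against an HSM could read this as AES-ECB of 16 zero bytes. Suggest `// data is 16 bytes of zero and retaining the 3 highest order bytes of the` / `// resulting MAC.`. The identical text is introduced again in the ImportKeyInput hunk (`@@ -117,24 +135,26 @@`) and would need the same correction. These comments are presumably generated from the service model, so the fix likely belongs upstream rather than in this file.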
@@ -20,16 +20,13 @@ import (
 // destructive, Amazon Web Services Payment Cryptography has a safety mechanism to
 // prevent accidental deletion of a key. When you call this operation, Amazon Web
 // Services Payment Cryptography disables the specified key but doesn't delete it
-// until after a waiting period. The default waiting period is 7 days. To set a
-// different waiting period, set DeleteKeyInDays . During the waiting period, the
-// KeyState is DELETE_PENDING . After the key is deleted, the KeyState is
-// DELETE_COMPLETE . If you delete key material, you can use ImportKey to reimport
-// the same key material into the Amazon Web Services Payment Cryptography key. You
-// should delete a key only when you are sure that you don't need to use it anymore
-// and no other parties are utilizing this key. If you aren't sure, consider
-// deactivating it instead by calling StopKeyUsage . Cross-account use: This
-// operation can't be used across different Amazon Web Services accounts. Related
-// operations:
+// until after a waiting period set using DeleteKeyInDays . The default waiting
+// period is 7 days. During the waiting period, the KeyState is DELETE_PENDING .
+// After the key is deleted, the KeyState is DELETE_COMPLETE . You should delete a
+// key only when you are sure that you don't need to use it anymore and no other
+// parties are utilizing this key. If you aren't sure, consider deactivating it
+// instead by calling StopKeyUsage . Cross-account use: This operation can't be
+// used across different Amazon Web Services accounts. Related operations:
 // - RestoreKey
 // - StartKeyUsage
 // - StopKeyUsage
diff --git a/service/paymentcryptography/api_op_ExportKey.go b/service/paymentcryptography/api_op_ExportKey.go
index 13fe1327068..4fc19d95915 100644
--- a/service/paymentcryptography/api_op_ExportKey.go
+++ b/service/paymentcryptography/api_op_ExportKey.go
@@ -12,41 +12,82 @@ import (
 smithyhttp "github.com/aws/smithy-go/transport/http"
 )
-// Exports a key from Amazon Web Services Payment Cryptography using either ANSI
-// X9 TR-34 or TR-31 key export standard. Amazon Web Services Payment Cryptography
-// simplifies main or root key exchange process by eliminating the need of a
-// paper-based key exchange process. It takes a modern and secure approach based of
-// the ANSI X9 TR-34 key exchange standard. You can use ExportKey to export main
-// or root keys such as KEK (Key Encryption Key), using asymmetric key exchange
-// technique following ANSI X9 TR-34 standard. The ANSI X9 TR-34 standard uses
-// asymmetric keys to establishes bi-directional trust between the two parties
-// exchanging keys. After which you can export working keys using the ANSI X9 TR-31
-// symmetric key exchange standard as mandated by PCI PIN. Using this operation,
-// you can share your Amazon Web Services Payment Cryptography generated keys with
-// other service partners to perform cryptographic operations outside of Amazon Web
-// Services Payment Cryptography TR-34 key export Amazon Web Services Payment
-// Cryptography uses TR-34 asymmetric key exchange standard to export main keys
-// such as KEK. In TR-34 terminology, the sending party of the key is called Key
-// Distribution Host (KDH) and the receiving party of the key is called Key
-// Receiving Host (KRH). In key export process, KDH is Amazon Web Services Payment
-// Cryptography which initiates key export. KRH is the user receiving the key.
-// Before you initiate TR-34 key export, you must obtain an export token by calling
-// GetParametersForExport . This operation also returns the signing key certificate
-// that KDH uses to sign the wrapped key to generate a TR-34 wrapped key block. The
-// export token expires after 7 days. Set the following parameters:
-// CertificateAuthorityPublicKeyIdentifier The KeyARN of the certificate chain
-// that will sign the wrapping key certificate. This must exist within Amazon Web
-// Services Payment Cryptography before you initiate TR-34 key export. If it does
-// not exist, you can import it by calling ImportKey for RootCertificatePublicKey .
-// ExportToken Obtained from KDH by calling GetParametersForExport .
-// WrappingKeyCertificate Amazon Web Services Payment Cryptography uses this to
-// wrap the key under export. When this operation is successful, Amazon Web
-// Services Payment Cryptography returns the TR-34 wrapped key block. TR-31 key
-// export Amazon Web Services Payment Cryptography uses TR-31 symmetric key
-// exchange standard to export working keys. In TR-31, you must use a main key such
+// Exports a key from Amazon Web Services Payment Cryptography. Amazon Web
+// Services Payment Cryptography simplifies key exchange by replacing the existing
+// paper-based approach with a modern electronic approach. With ExportKey you can
+// export symmetric keys using either symmetric and asymmetric key exchange
+// mechanisms. Using this operation, you can share your Amazon Web Services Payment
+// Cryptography generated keys with other service partners to perform cryptographic
+// operations outside of Amazon Web Services Payment Cryptography For symmetric key
+// exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm
+// in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon
+// Web Services Payment Cryptography supports ANSI X9 TR-34 norm . Asymmetric key
+// exchange methods are typically used to establish bi-directional trust between
+// the two parties exhanging keys and are used for initial key exchange such as Key
+// Encryption Key (KEK). After which you can export working keys using symmetric
+// method to perform various cryptographic operations within Amazon Web Services
+// Payment Cryptography. The TR-34 norm is intended for exchanging 3DES keys only
+// and keys are imported in a WrappedKeyBlock format. Key attributes (such as
+// KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the
+// key block. You can also use ExportKey functionality to generate and export an
+// IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography
+// using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK
+// (Base Derivation Key) and ExportDukptInitialKey attribute KSN ( KeySerialNumber
+// ). The generated IPEK does not persist within Amazon Web Services Payment
+// Cryptography and has to be re-generated each time during export. To export KEK
+// or IPEK using TR-34 Using this operation, you can export initial key using TR-34
+// asymmetric key exchange. You can only export KEK generated within Amazon Web
+// Services Payment Cryptography. In TR-34 terminology, the sending party of the
+// key is called Key Distribution Host (KDH) and the receiving party of the key is
+// called Key Receiving Device (KRD). During key export process, KDH is Amazon Web
+// Services Payment Cryptography which initiates key export and KRD is the user
+// receiving the key. To initiate TR-34 key export, the KRD must obtain an export
+// token by calling GetParametersForExport . This operation also generates a key
+// pair for the purpose of key export, signs the key and returns back the signing
+// public key certificate (also known as KDH signing certificate) and root
+// certificate chain. The KDH uses the private key to sign the the export payload
+// and the signing public key certificate is provided to KRD to verify the
+// signature. The KRD can import the root certificate into its Hardware Security
+// Module (HSM), as required. The export token and the associated KDH signing
+// certificate expires after 7 days. Next the KRD generates a key pair for the the
+// purpose of encrypting the KDH key and provides the public key cerificate (also
+// known as KRD wrapping certificate) back to KDH. The KRD will also import the
+// root cerificate chain into Amazon Web Services Payment Cryptography by calling
+// ImportKey for RootCertificatePublicKey . The KDH, Amazon Web Services Payment
+// Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key
+// under export and signs it with signing private key to generate a TR-34
+// WrappedKeyBlock. For more information on TR-34 key export, see section
+// Exporting symmetric keys (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-export.html)
+// in the Amazon Web Services Payment Cryptography User Guide. Set the following
+// parameters:
+// - ExportAttributes : Specify export attributes in case of IPEK export. This
+// parameter is optional for KEK export.
+// - ExportKeyIdentifier : The KeyARN of the KEK or BDK (in case of IPEK) under
+// export.
+// - KeyMaterial : Use Tr34KeyBlock parameters.
+// - CertificateAuthorityPublicKeyIdentifier : The KeyARN of the certificate
+// chain that signed the KRD wrapping key certificate.
+// - ExportToken : Obtained from KDH by calling GetParametersForImport .
+// - WrappingKeyCertificate : The public key certificate in PEM format (base64
+// encoded) of the KRD wrapping key Amazon Web Services Payment Cryptography uses
+// for encryption of the TR-34 export payload. This certificate must be signed by
+// the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into
+// Amazon Web Services Payment Cryptography.
+//
+// When this operation is successful, Amazon Web Services Payment Cryptography
+// returns the KEK or IPEK as a TR-34 WrappedKeyBlock. To export WK (Working Key)
+// or IPEK using TR-31 Using this operation, you can export working keys or IPEK
+// using TR-31 symmetric key exchange. In TR-31, you must use an initial key such
 // as KEK to encrypt or wrap the key under export. To establish a KEK, you can use
-// CreateKey or ImportKey . When this operation is successful, Amazon Web Services
-// Payment Cryptography returns a TR-31 wrapped key block. Cross-account use: This
+// CreateKey or ImportKey . Set the following parameters:
+// - ExportAttributes : Specify export attributes in case of IPEK export. This
+// parameter is optional for KEK export.
+// - ExportKeyIdentifier : The KeyARN of the KEK or BDK (in case of IPEK) under
+// export.
+// - KeyMaterial : Use Tr31KeyBlock parameters.
+//
+// When this operation is successful, Amazon Web Services Payment Cryptography
+// returns the WK or IPEK as a TR-31 WrappedKeyBlock. Cross-account use: This
 // operation can't be used across different Amazon Web Services accounts. Related
 // operations:
 // - GetParametersForExport
@@ -80,12 +121,16 @@ type ExportKeyInput struct {
 // This member is required.
 KeyMaterial types.ExportKeyMaterial
+ // The attributes for IPEK generation during export.
+ ExportAttributes *types.ExportAttributes
+
 noSmithyDocumentSerde
 }
 type ExportKeyOutput struct {
- // The key material under export as a TR-34 or TR-31 wrapped key block.
+ // The key material under export as a TR-34 WrappedKeyBlock or a TR-31
+ // WrappedKeyBlock.
 WrappedKey *types.WrappedKey
 // Metadata pertaining to the operation's result.
diff --git a/service/paymentcryptography/api_op_GetParametersForExport.go b/service/paymentcryptography/api_op_GetParametersForExport.go
index f873d6cc185..1f9e5f48b79 100644
--- a/service/paymentcryptography/api_op_GetParametersForExport.go
+++ b/service/paymentcryptography/api_op_GetParametersForExport.go
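Review bot: In the TR-34 parameter list of the ExportKey doc comment, `// - ExportToken : Obtained from KDH by calling GetParametersForImport .` contradicts the paragraph just above it, which says the KRD obtains the export token by calling GetParametersForExport, and the Related operations list that names GetParametersForExport; the pre-change text had it right, so this line should read `// - ExportToken : Obtained from KDH by calling GetParametersForExport .`. A reader following the parameter list literally would call the import flow and get a token that the export flow cannot use. The same new paragraph carries `the the` twice, `cerificate` three times and `exhanging`; `cerificate` recurs in the GetParametersForImport and ImportKey hunks of this commit. The comment is presumably generated from the service model, so the correction likely belongs upstream; the ExportKey function it documents is outside the hunk.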
@@ -48,8 +48,8 @@ type GetParametersForExportInput struct {
 KeyMaterialType types.KeyMaterialType
 // The signing key algorithm to generate a signing key certificate. This
- // certificate signs the wrapped key under export within the TR-34 key block
- // cryptogram. RSA_2048 is the only signing key algorithm allowed.
+ // certificate signs the wrapped key under export within the TR-34 key block.
+ // RSA_2048 is the only signing key algorithm allowed.
 //
 // This member is required.
 SigningKeyAlgorithm types.KeyAlgorithm
@@ -77,14 +77,14 @@ type GetParametersForExportOutput struct {
 // This member is required.
 SigningKeyAlgorithm types.KeyAlgorithm
- // The signing key certificate of the public key for signature within the TR-34
- // key block cryptogram. The certificate expires after 7 days.
+ // The signing key certificate in PEM format (base64 encoded) of the public key
+ // for signature within the TR-34 key block. The certificate expires after 7 days.
 //
 // This member is required.
 SigningKeyCertificate *string
- // The certificate chain that signed the signing key certificate. This is the root
- // certificate authority (CA) within your service account.
+ // The root certificate authority (CA) that signed the signing key certificate in
+ // PEM format (base64 encoded).
 //
 // This member is required.
 SigningKeyCertificateChain *string
diff --git a/service/paymentcryptography/api_op_GetParametersForImport.go b/service/paymentcryptography/api_op_GetParametersForImport.go
index ecd8c8a4e20..047c80d0b60 100644
--- a/service/paymentcryptography/api_op_GetParametersForImport.go
+++ b/service/paymentcryptography/api_op_GetParametersForImport.go
@@ -13,14 +13,13 @@ import (
 "time"
 )
-// Gets the import token and the wrapping key certificate to initiate a TR-34 key
-// import into Amazon Web Services Payment Cryptography. The wrapping key
-// certificate wraps the key under import within the TR-34 key payload. The import
-// token and wrapping key certificate must be in place and operational before
-// calling ImportKey . The import token expires in 7 days. The same import token
-// can be used to import multiple keys into your service account. Cross-account
-// use: This operation can't be used across different Amazon Web Services accounts.
-// Related operations:
+// Gets the import token and the wrapping key certificate in PEM format (base64
+// encoded) to initiate a TR-34 WrappedKeyBlock. The wrapping key certificate wraps
+// the key under import. The import token and wrapping key certificate must be in
+// place and operational before calling ImportKey . The import token expires in 7
+// days. You can use the same import token to import multiple keys into your
+// service account. Cross-account use: This operation can't be used across
+// different Amazon Web Services accounts. Related operations:
 // - GetParametersForExport
 // - ImportKey
 func (c *Client) GetParametersForImport(ctx context.Context, params *GetParametersForImportInput, optFns ...func(*Options)) (*GetParametersForImportOutput, error) {
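Review bot: The rewritten first sentence of the GetParametersForImport doc comment, `to initiate a TR-34 WrappedKeyBlock`, lost its object — the token and certificate initiate a key import, not a key block; the old text said `to initiate a TR-34 key import`. Suggest `// encoded) to initiate a TR-34 WrappedKeyBlock import. The wrapping key certificate` with the following lines rewrapped. As this comment appears to be generated from the service model, the wording fix presumably belongs upstream.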
@@ -40,16 +39,16 @@ func (c *Client) GetParametersForImport(ctx context.Context, params *GetParamete
 type GetParametersForImportInput struct {
- // The key block format type such as TR-34 or TR-31 to use during key material
- // import. Import token is only required for TR-34 key import TR34_KEY_BLOCK .
- // Import token is not required for TR-31 key import.
+ // The method to use for key material import. Import token is only required for
+ // TR-34 WrappedKeyBlock ( TR34_KEY_BLOCK ). Import token is not required for
+ // TR-31, root public key cerificate or trusted public key certificate.
 //
 // This member is required.
 KeyMaterialType types.KeyMaterialType
 // The wrapping key algorithm to generate a wrapping key certificate. This
- // certificate wraps the key under import within the TR-34 key block cryptogram.
- // RSA_2048 is the only wrapping key algorithm allowed.
+ // certificate wraps the key under import. At this time, RSA_2048 , RSA_3072 ,
+ // RSA_4096 are the only allowed algorithms for TR-34 WrappedKeyBlock import.
 //
 // This member is required.
 WrappingKeyAlgorithm types.KeyAlgorithm
@@ -71,21 +70,19 @@ type GetParametersForImportOutput struct {
 // This member is required.
 ParametersValidUntilTimestamp *time.Time
- // The algorithm of the wrapping key for use within TR-34 key block. RSA_2048 is
- // the only wrapping key algorithm allowed.
+ // The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock.
 //
 // This member is required.
 WrappingKeyAlgorithm types.KeyAlgorithm
- // The wrapping key certificate of the wrapping key for use within the TR-34 key
- // block. The certificate expires in 7 days.
+ // The wrapping key certificate in PEM format (base64 encoded) of the wrapping key
+ // for use within the TR-34 key block. The certificate expires in 7 days.
 //
 // This member is required.
 WrappingKeyCertificate *string
- // The Amazon Web Services Payment Cryptography certificate chain that signed the
- // wrapping key certificate. This is the root certificate authority (CA) within
- // your service account.
+ // The Amazon Web Services Payment Cryptography root certificate authority (CA)
+ // that signed the wrapping key certificate in PEM format (base64 encoded).
 //
 // This member is required.
 WrappingKeyCertificateChain *string
diff --git a/service/paymentcryptography/api_op_GetPublicKeyCertificate.go b/service/paymentcryptography/api_op_GetPublicKeyCertificate.go
index 93533175055..0d66fbd39ee 100644
--- a/service/paymentcryptography/api_op_GetPublicKeyCertificate.go
+++ b/service/paymentcryptography/api_op_GetPublicKeyCertificate.go
@@ -46,16 +46,15 @@ type GetPublicKeyCertificateInput struct {
 type GetPublicKeyCertificateOutput struct {
- // The public key component of the asymmetric key pair in a certificate (PEM)
- // format. It is signed by the root certificate authority (CA) within your service
- // account. The certificate expires in 90 days.
+ // The public key component of the asymmetric key pair in a certificate PEM format
+ // (base64 encoded). It is signed by the root certificate authority (CA). The
+ // certificate expires in 90 days.
 //
 // This member is required.
 KeyCertificate *string
- // The certificate chain that signed the public key certificate of the asymmetric
- // key pair. This is the root certificate authority (CA) within your service
- // account.
+ // The root certificate authority (CA) that signed the public key certificate in
+ // PEM format (base64 encoded) of the asymmetric key pair.
 //
 // This member is required.
 KeyCertificateChain *string
diff --git a/service/paymentcryptography/api_op_ImportKey.go b/service/paymentcryptography/api_op_ImportKey.go
index 516ab3150d2..8482dce7016 100644
--- a/service/paymentcryptography/api_op_ImportKey.go
+++ b/service/paymentcryptography/api_op_ImportKey.go
@@ -12,31 +12,39 @@ import (
 smithyhttp "github.com/aws/smithy-go/transport/http"
 )
-// Imports keys and public key certificates into Amazon Web Services Payment
-// Cryptography. Amazon Web Services Payment Cryptography simplifies main or root
-// key exchange process by eliminating the need of a paper-based key exchange
-// process. It takes a modern and secure approach based of the ANSI X9 TR-34 key
-// exchange standard. You can use ImportKey to import main or root keys such as
-// KEK (Key Encryption Key) using asymmetric key exchange technique following the
-// ANSI X9 TR-34 standard. The ANSI X9 TR-34 standard uses asymmetric keys to
-// establishes bi-directional trust between the two parties exchanging keys. After
-// you have imported a main or root key, you can import working keys to perform
-// various cryptographic operations within Amazon Web Services Payment Cryptography
-// using the ANSI X9 TR-31 symmetric key exchange standard as mandated by PCI PIN.
-// You can also import a root public key certificate, a self-signed certificate
-// used to sign other public key certificates, or a trusted public key certificate
-// under an already established root public key certificate. To import a public
-// root key certificate Using this operation, you can import the public component
-// (in PEM cerificate format) of your private root key. You can use the imported
-// public root key certificate for digital signatures, for example signing wrapping
-// key or signing key in TR-34, within your Amazon Web Services Payment
-// Cryptography account. Set the following parameters:
+// Imports symmetric keys and public key certificates in PEM format (base64
+// encoded) into Amazon Web Services Payment Cryptography. Amazon Web Services
+// Payment Cryptography simplifies key exchange by replacing the existing
+// paper-based approach with a modern electronic approach. With ImportKey you can
+// import symmetric keys using either symmetric and asymmetric key exchange
+// mechanisms. For symmetric key exchange, Amazon Web Services Payment Cryptography
+// uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for
+// asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI
+// X9 TR-34 norm . Asymmetric key exchange methods are typically used to establish
+// bi-directional trust between the two parties exhanging keys and are used for
+// initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK).
+// After which you can import working keys using symmetric method to perform
+// various cryptographic operations within Amazon Web Services Payment
+// Cryptography. The TR-34 norm is intended for exchanging 3DES keys only and keys
+// are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage,
+// KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block.
+// You can also import a root public key certificate, used to sign other public key
+// certificates, or a trusted public key certificate under an already established
+// root public key certificate. To import a public root key certificate You can
+// also import a root public key certificate, used to sign other public key
+// certificates, or a trusted public key certificate under an already established
+// root public key certificate. To import a public root key certificate Using this
+// operation, you can import the public component (in PEM cerificate format) of
+// your private root key. You can use the imported public root key certificate for
+// digital signatures, for example signing wrapping key or signing key in TR-34,
+// within your Amazon Web Services Payment Cryptography account. Set the following
+// parameters:
 // - KeyMaterial : RootCertificatePublicKey
 // - KeyClass : PUBLIC_KEY
 // - KeyModesOfUse : Verify
 // - KeyUsage : TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE
-// - PublicKeyCertificate : The certificate authority used to sign the root
-// public key certificate.
+// - PublicKeyCertificate : The public key certificate in PEM format (base64
+// encoded) of the private root key under import.
 //
 // To import a trusted public key certificate The root public key certificate must
 // be in place and operational before you import a trusted public key certificate.
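Review bot: The new ImportKey doc comment repeats the same two sentences back to back — `You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate. To import a public root key certificate` appears twice in a row — so the rendered godoc reads as a copy-paste error and the heading "To import a public root key certificate" is orphaned the first time. Drop the second copy so the text runs directly from `root public key certificate. To import a public root key certificate` into `Using this operation, you can import the public component ...`, and rewrap the following lines. The same hunk also introduces `exhanging` and keeps `cerificate`. The comment looks generated from the service model, so the fix presumably belongs upstream; the ImportKey function it documents is outside the hunk.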
@@ -47,42 +55,52 @@ import (
 // - KeyModesOfUse and KeyUsage : Corresponding to the cryptographic operations
 // such as wrap, sign, or encrypt that you will allow the trusted public key
 // certificate to perform.
-// - PublicKeyCertificate : The certificate authority used to sign the trusted
-// public key certificate.
+// - PublicKeyCertificate : The trusted public key certificate in PEM format
+// (base64 encoded) under import.
 //
-// Import main keys Amazon Web Services Payment Cryptography uses TR-34 asymmetric
-// key exchange standard to import main keys such as KEK. In TR-34 terminology, the
-// sending party of the key is called Key Distribution Host (KDH) and the receiving
-// party of the key is called Key Receiving Host (KRH). During the key import
-// process, KDH is the user who initiates the key import and KRH is Amazon Web
-// Services Payment Cryptography who receives the key. Before initiating TR-34 key
-// import, you must obtain an import token by calling GetParametersForImport . This
-// operation also returns the wrapping key certificate that KDH uses wrap key under
-// import to generate a TR-34 wrapped key block. The import token expires after 7
-// days. Set the following parameters:
-// - CertificateAuthorityPublicKeyIdentifier : The KeyArn of the certificate
-// chain that will sign the signing key certificate and should exist within Amazon
-// Web Services Payment Cryptography before initiating TR-34 key import. If it does
-// not exist, you can import it by calling by calling ImportKey for
-// RootCertificatePublicKey .
-// - ImportToken : Obtained from KRH by calling GetParametersForImport .
-// - WrappedKeyBlock : The TR-34 wrapped key block from KDH. It contains the KDH
-// key under import, wrapped with KRH provided wrapping key certificate and signed
-// by the KDH private signing key. This TR-34 key block is generated by the KDH
+// To import KEK or ZMK using TR-34 Using this operation, you can import initial
+// key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party
+// of the key is called Key Distribution Host (KDH) and the receiving party of the
+// key is called Key Receiving Device (KRD). During the key import process, KDH is
+// the user who initiates the key import and KRD is Amazon Web Services Payment
+// Cryptography who receives the key. To initiate TR-34 key import, the KDH must
+// obtain an import token by calling GetParametersForImport . This operation
+// generates an encryption keypair for the purpose of key import, signs the key and
+// returns back the wrapping key certificate (also known as KRD wrapping
+// certificate) and the root certificate chain. The KDH must trust and install the
+// KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key
+// during TR-34 WrappedKeyBlock generation. The import token and associated KRD
+// wrapping certificate expires after 7 days. Next the KDH generates a key pair for
+// the purpose of signing the encrypted KDH key and provides the public certificate
+// of the signing key to Amazon Web Services Payment Cryptography. The KDH will
+// also need to import the root certificate chain of the KDH signing certificate by
+// calling ImportKey for RootCertificatePublicKey . For more information on TR-34
+// key import, see section Importing symmetric keys (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-import.html)
+// in the Amazon Web Services Payment Cryptography User Guide. Set the following
+// parameters:
+// - KeyMaterial : Use Tr34KeyBlock parameters.
+// - CertificateAuthorityPublicKeyIdentifier : The KeyARN of the certificate
+// chain that signed the KDH signing key certificate.
+// - ImportToken : Obtained from KRD by calling GetParametersForImport .
+// - WrappedKeyBlock : The TR-34 wrapped key material from KDH. It contains the
+// KDH key under import, wrapped with KRD wrapping certificate and signed by KDH
+// signing private key. This TR-34 key block is typically generated by the KDH
 // Hardware Security Module (HSM) outside of Amazon Web Services Payment
 // Cryptography.
-// - SigningKeyCertificate : The public component of the private key that signed
-// the KDH TR-34 wrapped key block. In PEM certificate format.
+// - SigningKeyCertificate : The public key certificate in PEM format (base64
+// encoded) of the KDH signing key generated under the root certificate
+// (CertificateAuthorityPublicKeyIdentifier) imported in Amazon Web Services
+// Payment Cryptography.
 //
-// TR-34 is intended primarily to exchange 3DES keys. Your ability to export
-// AES-128 and larger AES keys may be dependent on your source system. Import
-// working keys Amazon Web Services Payment Cryptography uses TR-31 symmetric key
-// exchange standard to import working keys. A KEK must be established within
-// Amazon Web Services Payment Cryptography by using TR-34 key import. To initiate
-// a TR-31 key import, set the following parameters:
-// - WrappedKeyBlock : The key under import and encrypted using KEK. The TR-31
-// key block generated by your HSM outside of Amazon Web Services Payment
-// Cryptography.
+// To import WK (Working Key) using TR-31 Amazon Web Services Payment Cryptography
+// uses TR-31 symmetric key exchange norm to import working keys. A KEK must be
+// established within Amazon Web Services Payment Cryptography by using TR-34 key
+// import or by using CreateKey . To initiate a TR-31 key import, set the following
+// parameters:
+// - KeyMaterial : Use Tr31KeyBlock parameters.
+// - WrappedKeyBlock : The TR-31 wrapped key material. It contains the key under
+// import, encrypted using KEK. The TR-31 key block is typically generated by a HSM
+// outside of Amazon Web Services Payment Cryptography.
 // - WrappingKeyIdentifier : The KeyArn of the KEK that Amazon Web Services
 // Payment Cryptography uses to decrypt or unwrap the key under import.
 //
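Review bot: The new TR-34 import paragraph says `The KDH must trust and install the KRD wrapping certificate on its HSM` right after stating that GetParametersForImport returns both that certificate and `the root certificate chain`, but it never says that trust should be established by validating the wrapping certificate against that chain — as written, a reader may install the certificate unverified, which is the one step that protects the KEK from being wrapped to a substituted key. Suggest `// certificate) and the root certificate chain. The KDH must validate the KRD` / `// wrapping certificate against that chain, install it on its HSM and use it to` / `// encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation.`; that the chain is returned for this purpose is my inference from the hunk, not something it states. This comment is presumably generated from the service model, so the wording change likely belongs upstream.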
@@ -117,24 +135,26 @@ type ImportKeyInput struct {
 Enabled *bool
 // The algorithm that Amazon Web Services Payment Cryptography uses to calculate
- // the key check value (KCV) for DES and AES keys. For DES key, the KCV is computed
- // by encrypting 8 bytes, each with value '00', with the key to be checked and
- // retaining the 3 highest order bytes of the encrypted result. For AES key, the
- // KCV is computed by encrypting 8 bytes, each with value '01', with the key to be
- // checked and retaining the 3 highest order bytes of the encrypted result.
+ // the key check value (KCV). It is used to validate the key integrity. For TDES
+ // keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with
+ // the key to be checked and retaining the 3 highest order bytes of the encrypted
+ // result. For AES keys, the KCV is computed using a CMAC algorithm where the input
+ // data is 16 bytes of zero and retaining the 3 highest order bytes of the
+ // encrypted result.
 KeyCheckValueAlgorithm types.KeyCheckValueAlgorithm
- // The tags to attach to the key. Each tag consists of a tag key and a tag value.
- // Both the tag key and the tag value are required, but the tag value can be an
- // empty (null) string. You can't have more than one tag on an Amazon Web Services
- // Payment Cryptography key with the same tag key. You can't have more than one tag
- // on an Amazon Web Services Payment Cryptography key with the same tag key. If you
- // specify an existing tag key with a different tag value, Amazon Web Services
- // Payment Cryptography replaces the current tag value with the specified one. To
- // use this parameter, you must have TagResource permission. Don't include
- // confidential or sensitive information in this field. This field may be displayed
- // in plaintext in CloudTrail logs and other output. Tagging or untagging an Amazon
- // Web Services Payment Cryptography key can allow or deny permission to the key.
+ // Assigns one or more tags to the Amazon Web Services Payment Cryptography key.
+ // Use this parameter to tag a key when it is imported. To tag an existing Amazon
+ // Web Services Payment Cryptography key, use the TagResource operation. Each tag
+ // consists of a tag key and a tag value. Both the tag key and the tag value are
+ // required, but the tag value can be an empty (null) string. You can't have more
+ // than one tag on an Amazon Web Services Payment Cryptography key with the same
+ // tag key. If you specify an existing tag key with a different tag value, Amazon
+ // Web Services Payment Cryptography replaces the current tag value with the
+ // specified one. Don't include personal, confidential or sensitive information in
+ // this field. This field may be displayed in plaintext in CloudTrail logs and
+ // other output. Tagging or untagging an Amazon Web Services Payment Cryptography
+ // key can allow or deny permission to the key.
 Tags []types.Tag
 noSmithyDocumentSerde
diff --git a/service/paymentcryptography/api_op_ListKeys.go b/service/paymentcryptography/api_op_ListKeys.go
index 99c10b4713f..03e62e1d672 100644
--- a/service/paymentcryptography/api_op_ListKeys.go
+++ b/service/paymentcryptography/api_op_ListKeys.go
@@ -45,7 +45,9 @@ type ListKeysInput struct {
 // Use this parameter to specify the maximum number of items to return. When this
 // value is present, Amazon Web Services Payment Cryptography does not return more
- // than the specified number of items, but it might return fewer.
+ // than the specified number of items, but it might return fewer. This value is
+ // optional. If you include a value, it must be between 1 and 100, inclusive. If
+ // you do not include a value, it defaults to 50.
 MaxResults *int32
 // Use this parameter in a subsequent request after you receive a response with
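Review bot: The rewritten Tags comment in the `@@ -117,24 +135,26 @@` hunk drops the sentence `To use this parameter, you must have TagResource permission` that the removed text carried, while the Tags comment in api_op_TagResource.go in this same change still states the IAM requirement. If tagging on import still needs that permission, the omission hides a likely access-denied cause from readers; a line such as `// use the TagResource operation. To use this parameter, you must have TagResource` followed by `// permission in an IAM policy. Each tag consists of a tag key and a tag value.` would keep the two comments consistent. The text appears to come from the service model documentation, so the correction presumably belongs there rather than in a hand edit of this file.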
@@ -161,7 +163,9 @@ var _ ListKeysAPIClient = (*Client)(nil)
 type ListKeysPaginatorOptions struct {
 // Use this parameter to specify the maximum number of items to return. When this
 // value is present, Amazon Web Services Payment Cryptography does not return more
- // than the specified number of items, but it might return fewer.
+ // than the specified number of items, but it might return fewer. This value is
+ // optional. If you include a value, it must be between 1 and 100, inclusive. If
+ // you do not include a value, it defaults to 50.
 Limit int32
 // Set to true if pagination should stop if the service returns a pagination token
diff --git a/service/paymentcryptography/api_op_ListTagsForResource.go b/service/paymentcryptography/api_op_ListTagsForResource.go
index ee59b8db3dc..4c4cb44e666 100644
--- a/service/paymentcryptography/api_op_ListTagsForResource.go
+++ b/service/paymentcryptography/api_op_ListTagsForResource.go
@@ -46,7 +46,9 @@ type ListTagsForResourceInput struct {
 // Use this parameter to specify the maximum number of items to return. When this
 // value is present, Amazon Web Services Payment Cryptography does not return more
- // than the specified number of items, but it might return fewer.
+ // than the specified number of items, but it might return fewer. This value is
+ // optional. If you include a value, it must be between 1 and 100, inclusive. If
+ // you do not include a value, it defaults to 50.
 MaxResults *int32
 // Use this parameter in a subsequent request after you receive a response with
@@ -167,7 +169,9 @@ var _ ListTagsForResourceAPIClient = (*Client)(nil)
 type ListTagsForResourcePaginatorOptions struct {
 // Use this parameter to specify the maximum number of items to return. When this
 // value is present, Amazon Web Services Payment Cryptography does not return more
- // than the specified number of items, but it might return fewer.
+ // than the specified number of items, but it might return fewer. This value is
+ // optional. If you include a value, it must be between 1 and 100, inclusive. If
+ // you do not include a value, it defaults to 50.
 Limit int32
 // Set to true if pagination should stop if the service returns a pagination token
diff --git a/service/paymentcryptography/api_op_TagResource.go b/service/paymentcryptography/api_op_TagResource.go
index 5bfe4005216..547b0e806bc 100644
--- a/service/paymentcryptography/api_op_TagResource.go
+++ b/service/paymentcryptography/api_op_TagResource.go
@@ -50,11 +50,11 @@ type TagResourceInput struct {
 // Services Payment Cryptography key with the same tag key. If you specify an
 // existing tag key with a different tag value, Amazon Web Services Payment
 // Cryptography replaces the current tag value with the new one. Don't include
- // confidential or sensitive information in this field. This field may be displayed
- // in plaintext in CloudTrail logs and other output. To use this parameter, you
- // must have TagResource permission in an IAM policy. Don't include confidential
- // or sensitive information in this field. This field may be displayed in plaintext
- // in CloudTrail logs and other output.
+ // personal, confidential or sensitive information in this field. This field may be
+ // displayed in plaintext in CloudTrail logs and other output. To use this
+ // parameter, you must have TagResource permission in an IAM policy. Don't include
+ // personal, confidential or sensitive information in this field. This field may be
+ // displayed in plaintext in CloudTrail logs and other output.
 //
 // This member is required.
 Tags []types.Tag
diff --git a/service/paymentcryptography/deserializers.go b/service/paymentcryptography/deserializers.go
index e17bc8a6ba5..6ec2e64535c 100644
--- a/service/paymentcryptography/deserializers.go
+++ b/service/paymentcryptography/deserializers.go
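Review bot: The rewritten Tags comment in the `@@ -50,11 +50,11 @@` hunk still says the same thing twice: the sentences "Don't include personal, confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output." appear before and again after the IAM-permission sentence. The commit touched both copies (adding "personal," to each) but kept the duplication, so the last two added lines, `// personal, confidential or sensitive information in this field. This field may be` and `// displayed in plaintext in CloudTrail logs and other output.`, can be dropped and the preceding line ended at `in an IAM policy.` The text appears to come from the service model, so the deduplication presumably belongs upstream rather than in a hand edit of the generated file.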
@@ -3865,6 +3865,24 @@ func awsAwsjson10_deserializeDocumentWrappedKey(v **types.WrappedKey, value inte
 for key, value := range shape {
 switch key {
+ case "KeyCheckValue":
+ if value != nil {
+ jtv, ok := value.(string)
+ if !ok {
+ return fmt.Errorf("expected KeyCheckValue to be of type string, got %T instead", value)
+ }
+ sv.KeyCheckValue = ptr.String(jtv)
+ }
+
+ case "KeyCheckValueAlgorithm":
+ if value != nil {
+ jtv, ok := value.(string)
+ if !ok {
+ return fmt.Errorf("expected KeyCheckValueAlgorithm to be of type string, got %T instead", value)
+ }
+ sv.KeyCheckValueAlgorithm = types.KeyCheckValueAlgorithm(jtv)
+ }
+
 case "KeyMaterial":
+ if value != nil {
+ jtv, ok := value.(string)
diff --git a/service/paymentcryptography/doc.go b/service/paymentcryptography/doc.go
index 2ec117b6a35..7e521bfdcbb 100644
--- a/service/paymentcryptography/doc.go
+++ b/service/paymentcryptography/doc.go
@@ -3,25 +3,25 @@
 // Package paymentcryptography provides the API client, operations, and parameter
 // types for Payment Cryptography Control Plane.
 //
-// You use the Amazon Web Services Payment Cryptography Control Plane to manage
-// the encryption keys you use for payment-related cryptographic operations. You
-// can create, import, export, share, manage, and delete keys. You can also manage
-// Identity and Access Management (IAM) policies for keys. For more information,
-// see Identity and access management (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security-iam.html)
+// Amazon Web Services Payment Cryptography Control Plane APIs manage encryption
+// keys for use during payment-related cryptographic operations. You can create,
+// import, export, share, manage, and delete keys. You can also manage Identity and
+// Access Management (IAM) policies for keys. For more information, see Identity
+// and access management (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security-iam.html)
 // in the Amazon Web Services Payment Cryptography User Guide. To use encryption
 // keys for payment-related transaction processing and associated cryptographic
 // operations, you use the Amazon Web Services Payment Cryptography Data Plane (https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/Welcome.html)
-// . You can encrypt, decrypt, generate, verify, and translate payment-related
-// cryptographic operations. All Amazon Web Services Payment Cryptography API calls
+// . You can perform actions like encrypt, decrypt, generate, and verify
+// payment-related data. All Amazon Web Services Payment Cryptography API calls
 // must be signed and transmitted using Transport Layer Security (TLS). We
 // recommend you always use the latest supported TLS version for logging API
-// requests.
Amazon Web Services Payment Cryptography supports CloudTrail, a
-// service that logs Amazon Web Services API calls and related events for your
-// Amazon Web Services account and delivers them to an Amazon S3 bucket that you
-// specify. By using the information collected by CloudTrail, you can determine
-// what requests were made to Amazon Web Services Payment Cryptography, who made
-// the request, when it was made, and so on. If you don't configure a trail, you can
-// still view the most recent events in the CloudTrail console. For more
-// information, see the CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)
+// requests. Amazon Web Services Payment Cryptography supports CloudTrail for
+// control plane operations, a service that logs Amazon Web Services API calls and
+// related events for your Amazon Web Services account and delivers them to an
+// Amazon S3 bucket you specify. By using the information collected by CloudTrail,
+// you can determine what requests were made to Amazon Web Services Payment
+// Cryptography, who made the request, when it was made, and so on. If you don't
+// configure a trail, you can still view the most recent events in the CloudTrail
+// console. For more information, see the CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)
 // .
 package paymentcryptography
diff --git a/service/paymentcryptography/endpoints.go b/service/paymentcryptography/endpoints.go
index 3971597723d..5f44216663f 100644
--- a/service/paymentcryptography/endpoints.go
+++ b/service/paymentcryptography/endpoints.go
@@ -366,7 +366,7 @@ func (r *resolver) ResolveEndpoint(
 }
 }
 if _UseFIPS == true {
- if true == _PartitionResult.SupportsFIPS {
+ if _PartitionResult.SupportsFIPS == true {
 uriString := func() string {
 var out strings.Builder
 out.WriteString("https://controlplane.payment-cryptography-fips.")
diff --git a/service/paymentcryptography/serializers.go b/service/paymentcryptography/serializers.go
index bd0d0166435..3a5c0e79fbf 100644
--- a/service/paymentcryptography/serializers.go
+++ b/service/paymentcryptography/serializers.go
@@ -1114,6 +1114,37 @@ func (m *awsAwsjson10_serializeOpUpdateAlias) HandleSerialize(ctx context.Contex
 return next.HandleSerialize(ctx, in)
 }
+func awsAwsjson10_serializeDocumentExportAttributes(v *types.ExportAttributes, value smithyjson.Value) error {
+ object := value.Object()
+ defer object.Close()
+
+ if v.ExportDukptInitialKey != nil {
+ ok := object.Key("ExportDukptInitialKey")
+ if err := awsAwsjson10_serializeDocumentExportDukptInitialKey(v.ExportDukptInitialKey, ok); err != nil {
+ return err
+ }
+ }
+
+ if len(v.KeyCheckValueAlgorithm) > 0 {
+ ok := object.Key("KeyCheckValueAlgorithm")
+ ok.String(string(v.KeyCheckValueAlgorithm))
+ }
+
+ return nil
+}
+
+func awsAwsjson10_serializeDocumentExportDukptInitialKey(v *types.ExportDukptInitialKey, value smithyjson.Value) error {
+ object := value.Object()
+ defer object.Close()
+
+ if v.KeySerialNumber != nil {
+ ok := object.Key("KeySerialNumber")
+ ok.String(*v.KeySerialNumber)
+ }
+
+ return nil
+}
+
 func awsAwsjson10_serializeDocumentExportKeyMaterial(v types.ExportKeyMaterial, value smithyjson.Value) error {
 object := value.Object()
 defer object.Close()
@@ -1523,6 +1554,13 @@ func awsAwsjson10_serializeOpDocumentExportKeyInput(v *ExportKeyInput, value smi
 object := value.Object()
 defer object.Close()
+ if v.ExportAttributes != nil {
+ ok := object.Key("ExportAttributes")
+ if err := awsAwsjson10_serializeDocumentExportAttributes(v.ExportAttributes, ok); err != nil {
+ return err
+ }
+ }
+
 if v.ExportKeyIdentifier != nil {
 ok := object.Key("ExportKeyIdentifier")
 ok.String(*v.ExportKeyIdentifier)
diff --git a/service/paymentcryptography/types/types.go b/service/paymentcryptography/types/types.go
index 7e016830a57..ebcad4c60ce 100644
--- a/service/paymentcryptography/types/types.go
+++ b/service/paymentcryptography/types/types.go
@@ -23,8 +23,39 @@ type Alias struct {
 noSmithyDocumentSerde
 }
+// The attributes for IPEK generation during export.
+type ExportAttributes struct {
+
+ // Parameter information for IPEK export.
+ ExportDukptInitialKey *ExportDukptInitialKey
+
+ // The algorithm that Amazon Web Services Payment Cryptography uses to calculate
+ // the key check value (KCV). It is used to validate the key integrity. Specify KCV
+ // for IPEK export only. For TDES keys, the KCV is computed by encrypting 8 bytes,
+ // each with value of zero, with the key to be checked and retaining the 3 highest
+ // order bytes of the encrypted result. For AES keys, the KCV is computed using a
+ // CMAC algorithm where the input data is 16 bytes of zero and retaining the 3
+ // highest order bytes of the encrypted result.
+ KeyCheckValueAlgorithm KeyCheckValueAlgorithm
+
+ noSmithyDocumentSerde
+}
+
+// Parameter information for IPEK generation during export.
+type ExportDukptInitialKey struct {
+
+ // The KSN for IPEK generation using DUKPT. KSN must be padded before sending to
+ // Amazon Web Services Payment Cryptography. KSN hex length should be 20 for a
+ // TDES_2KEY key or 24 for an AES key.
+ //
+ // This member is required.
+ KeySerialNumber *string
+
+ noSmithyDocumentSerde
+}
+
 // Parameter information for key material export from Amazon Web Services Payment
-// Cryptography.
+// Cryptography using TR-31 or TR-34 key exchange method.
 //
 // The following types satisfy this interface:
 //
@@ -34,7 +65,8 @@ type ExportKeyMaterial interface {
 isExportKeyMaterial()
 }
-// Parameter information for key material export using TR-31 standard.
+// Parameter information for key material export using symmetric TR-31 key
+// exchange method.
 type ExportKeyMaterialMemberTr31KeyBlock struct {
 Value ExportTr31KeyBlock
@@ -43,7 +75,8 @@ type ExportKeyMaterialMemberTr31KeyBlock struct {
 func (*ExportKeyMaterialMemberTr31KeyBlock) isExportKeyMaterial() {}
-// Parameter information for key material export using TR-34 standard.
+// Parameter information for key material export using the asymmetric TR-34 key
+// exchange method.
 type ExportKeyMaterialMemberTr34KeyBlock struct {
 Value ExportTr34KeyBlock
@@ -52,7 +85,8 @@ type ExportKeyMaterialMemberTr34KeyBlock struct {
 func (*ExportKeyMaterialMemberTr34KeyBlock) isExportKeyMaterial() {}
-// Parameter information for key material export using TR-31 standard.
+// Parameter information for key material export using symmetric TR-31 key
+// exchange method.
 type ExportTr31KeyBlock struct {
 // The KeyARN of the the wrapping key. This key encrypts or wraps the key under
@@ -64,7 +98,8 @@ type ExportTr31KeyBlock struct {
 noSmithyDocumentSerde
 }
-// Parameter information for key material export using TR-34 standard.
+// Parameter information for key material export using the asymmetric TR-34 key
+// exchange method.
 type ExportTr34KeyBlock struct {
 // The KeyARN of the certificate chain that signs the wrapping key certificate
@@ -102,7 +137,8 @@ type ExportTr34KeyBlock struct {
 noSmithyDocumentSerde
 }
-// Parameter information for key material import.
+// Parameter information for key material import into Amazon Web Services Payment
+// Cryptography using TR-31 or TR-34 key exchange method.
 //
 // The following types satisfy this interface:
 //
@@ -123,7 +159,8 @@ type ImportKeyMaterialMemberRootCertificatePublicKey struct {
 func (*ImportKeyMaterialMemberRootCertificatePublicKey) isImportKeyMaterial() {}
-// Parameter information for key material import using TR-31 standard.
+// Parameter information for key material import using symmetric TR-31 key
+// exchange method.
 type ImportKeyMaterialMemberTr31KeyBlock struct {
 Value ImportTr31KeyBlock
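Review bot: In the `@@ -52,7 +85,8 @@` hunk the type comment on ExportTr31KeyBlock is reworded, but the field comment directly below it keeps the typo `The KeyARN of the the wrapping key`; that line should read `// The KeyARN of the wrapping key. This key encrypts or wraps the key under`. The line is context here, so the rest of that comment and the field it documents lie outside the hunk. As elsewhere in this file the text appears to be generated from the service model, so the correction presumably belongs in the model documentation.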
@@ -132,7 +169,8 @@ type ImportKeyMaterialMemberTr31KeyBlock struct {
 func (*ImportKeyMaterialMemberTr31KeyBlock) isImportKeyMaterial() {}
-// Parameter information for key material import using TR-34 standard.
+// Parameter information for key material import using the asymmetric TR-34 key
+// exchange method.
 type ImportKeyMaterialMemberTr34KeyBlock struct {
 Value ImportTr34KeyBlock
@@ -150,10 +188,11 @@ type ImportKeyMaterialMemberTrustedCertificatePublicKey struct {
 func (*ImportKeyMaterialMemberTrustedCertificatePublicKey) isImportKeyMaterial() {}
-// Parameter information for key material import using TR-31 standard.
+// Parameter information for key material import using symmetric TR-31 key
+// exchange method.
 type ImportTr31KeyBlock struct {
- // The TR-34 wrapped key block to import.
+ // The TR-31 wrapped key block to import.
 //
 // This member is required.
 WrappedKeyBlock *string
@@ -167,7 +206,8 @@ type ImportTr31KeyBlock struct {
 noSmithyDocumentSerde
 }
-// Parameter information for key material import using TR-34 standard.
+// Parameter information for key material import using the asymmetric TR-34 key
+// exchange method.
 type ImportTr34KeyBlock struct {
 // The KeyARN of the certificate chain that signs the signing key certificate
@@ -176,9 +216,10 @@ type ImportTr34KeyBlock struct {
 // This member is required.
 CertificateAuthorityPublicKeyIdentifier *string
- // The import token that initiates key import into Amazon Web Services Payment
- // Cryptography. It expires after 7 days. You can use the same import token to
- // import multiple keys to the same service account.
+ // The import token that initiates key import using the asymmetric TR-34 key
+ // exchange method into Amazon Web Services Payment Cryptography. It expires after
+ // 7 days. You can use the same import token to import multiple keys to the same
+ // service account.
 //
 // This member is required.
 ImportToken *string
@@ -190,7 +231,7 @@ type ImportTr34KeyBlock struct {
 KeyBlockFormat Tr34KeyBlockFormat
 // The public key component in PEM certificate format of the private key that
- // signs the KDH TR-34 wrapped key block.
+ // signs the KDH TR-34 WrappedKeyBlock.
 //
 // This member is required.
 SigningKeyCertificate *string
@@ -240,21 +281,18 @@ type Key struct {
 KeyAttributes *KeyAttributes
 // The key check value (KCV) is used to check if all parties holding a given key
- // have the same key or to detect that a key has changed. Amazon Web Services
- // Payment Cryptography calculates the KCV by using standard algorithms, typically
- // by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to
- // the first 3 bytes, or 6 hex digits, of the resulting cryptogram.
+ // have the same key or to detect that a key has changed.
 //
 // This member is required.
 KeyCheckValue *string
- // The algorithm used for calculating key check value (KCV) for DES and AES keys.
- // For a DES key, Amazon Web Services Payment Cryptography computes the KCV by
- // encrypting 8 bytes, each with value '00', with the key to be checked and
- // retaining the 3 highest order bytes of the encrypted result. For an AES key,
- // Amazon Web Services Payment Cryptography computes the KCV by encrypting 8 bytes,
- // each with value '01', with the key to be checked and retaining the 3 highest
- // order bytes of the encrypted result.
+ // The algorithm that Amazon Web Services Payment Cryptography uses to calculate
+ // the key check value (KCV). It is used to validate the key integrity. For TDES
+ // keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with
+ // the key to be checked and retaining the 3 highest order bytes of the encrypted
+ // result. For AES keys, the KCV is computed using a CMAC algorithm where the input
+ // data is 16 bytes of zero and retaining the 3 highest order bytes of the
+ // encrypted result.
 //
 // This member is required.
 KeyCheckValueAlgorithm KeyCheckValueAlgorithm
@@ -397,10 +435,7 @@ type KeySummary struct {
 KeyAttributes *KeyAttributes
 // The key check value (KCV) is used to check if all parties holding a given key
- // have the same key or to detect that a key has changed. Amazon Web Services
- // Payment Cryptography calculates the KCV by using standard algorithms, typically
- // by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to
- // the first 3 bytes, or 6 hex digits, of the resulting cryptogram.
+ // have the same key or to detect that a key has changed.
 //
 // This member is required.
 KeyCheckValue *string
@@ -470,12 +505,11 @@ type TrustedCertificatePublicKey struct {
 noSmithyDocumentSerde
 }
-// Parameter information for generating a wrapped key using TR-31 or TR-34
-// standard.
+// Parameter information for generating a WrappedKeyBlock for key exchange.
 type WrappedKey struct {
- // Parameter information for generating a wrapped key using TR-31 or TR-34
- // standard.
+ // Parameter information for generating a wrapped key using TR-31 or TR-34 skey
+ // exchange method.
 //
 // This member is required.
 KeyMaterial *string
@@ -490,6 +524,19 @@ type WrappedKey struct {
 // This member is required.
 WrappingKeyArn *string
+ // The key check value (KCV) is used to check if all parties holding a given key
+ // have the same key or to detect that a key has changed.
+ KeyCheckValue *string
+
+ // The algorithm that Amazon Web Services Payment Cryptography uses to calculate
+ // the key check value (KCV). It is used to validate the key integrity. For TDES
+ // keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with
+ // the key to be checked and retaining the 3 highest order bytes of the encrypted
+ // result. For AES keys, the KCV is computed using a CMAC algorithm where the input
+ // data is 16 bytes of zero and retaining the 3 highest order bytes of the
+ // encrypted result.
+ KeyCheckValueAlgorithm KeyCheckValueAlgorithm
+
 noSmithyDocumentSerde
 }
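Review bot: The new comment on KeyMaterial in the `@@ -470,12 +505,11 @@` hunk carries a typo, `TR-31 or TR-34 skey`; the line should read `// Parameter information for generating a wrapped key using TR-31 or TR-34 key`. Beyond the typo, the field comment now nearly repeats the type comment above it and never says what the string holds, so a reader cannot tell from this file whether KeyMaterial is the wrapped key block itself or something else; one sentence naming the value would help more than the current wording. The text appears to come from the service model, so the correction presumably belongs there rather than in a hand edit of the generated file.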
diff --git a/service/paymentcryptography/validators.go b/service/paymentcryptography/validators.go
index f288b44d7c5..44fd05ba984 100644
--- a/service/paymentcryptography/validators.go
+++ b/service/paymentcryptography/validators.go
@@ -442,6 +442,38 @@ func addOpUpdateAliasValidationMiddleware(stack *middleware.Stack) error {
 return stack.Initialize.Add(&validateOpUpdateAlias{}, middleware.After)
 }
+func validateExportAttributes(v *types.ExportAttributes) error {
+ if v == nil {
+ return nil
+ }
+ invalidParams := smithy.InvalidParamsError{Context: "ExportAttributes"}
+ if v.ExportDukptInitialKey != nil {
+ if err := validateExportDukptInitialKey(v.ExportDukptInitialKey); err != nil {
+ invalidParams.AddNested("ExportDukptInitialKey", err.(smithy.InvalidParamsError))
+ }
+ }
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ } else {
+ return nil
+ }
+}
+
+func validateExportDukptInitialKey(v *types.ExportDukptInitialKey) error {
+ if v == nil {
+ return nil
+ }
+ invalidParams := smithy.InvalidParamsError{Context: "ExportDukptInitialKey"}
+ if v.KeySerialNumber == nil {
+ invalidParams.Add(smithy.NewErrParamRequired("KeySerialNumber"))
+ }
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ } else {
+ return nil
+ }
+}
+
 func validateExportKeyMaterial(v types.ExportKeyMaterial) error {
 if v == nil {
 return nil
@@ -774,6 +806,11 @@ func validateOpExportKeyInput(v *ExportKeyInput) error {
 if v.ExportKeyIdentifier == nil {
 invalidParams.Add(smithy.NewErrParamRequired("ExportKeyIdentifier"))
 }
+ if v.ExportAttributes != nil {
+ if err := validateExportAttributes(v.ExportAttributes); err != nil {
+ invalidParams.AddNested("ExportAttributes", err.(smithy.InvalidParamsError))
+ }
+ }
 if invalidParams.Len() > 0 {
 return invalidParams
 } else {
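Review bot: validateExportDukptInitialKey in the `@@ -442,6 +442,38 @@` hunk only checks that KeySerialNumber is set, while the ExportDukptInitialKey doc added to types.go in this same change says the KSN must be padded to 20 or 24 hex characters; a wrong-length or non-hex KSN is therefore rejected only by the service after the request has been sent. That matches the other validators visible in this file, which enforce required members only, so it is a limitation worth knowing rather than a defect of this hunk; if client-side length checking is wanted it would presumably have to come from the model's constraints rather than a hand edit here. The unchecked `err.(smithy.InvalidParamsError)` assertions are safe as long as the nested validators keep returning only that type or nil, which both new functions do. As a point of style, both functions end in `if invalidParams.Len() > 0 { return invalidParams } else { return nil }`; idiomatic Go drops the else after a return, though this mirrors the existing validators in the file.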