Update generated code (#1728)

* update generated code

* Fix CS

---------

Co-authored-by: Jérémy Derussé <[email protected]>

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.314.0"
+        "${LATEST}": "3.314.1"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

psalm.baseline.xml

@@ -157,11 +157,13 @@
       <code>$items</code>
       <code>$items</code>
       <code>$items</code>
+      <code>$items</code>
     </LessSpecificReturnStatement>
     <MoreSpecificReturnType>
       <code><![CDATA[list<EncryptionAlgorithmSpec::*>]]></code>
       <code><![CDATA[list<MacAlgorithmSpec::*>]]></code>
       <code><![CDATA[list<SigningAlgorithmSpec::*>]]></code>
+      <code><![CDATA[list<KeyAgreementAlgorithmSpec::*>]]></code>
     </MoreSpecificReturnType>
   </file>
   <file src="src/Service/Lambda/src/Result/ListFunctionsResponse.php">

src/Service/Kms/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## NOT RELEASED
 
+### Added
+
+- AWS api-change: This feature allows customers to use their keys stored in KMS to derive a shared secret which can then be used to establish a secured channel for communication, provide proof of possession, or establish trust with other parties.
+
 ### Changed
 
 - Add `Accept: application/json` header in request to fix incompatibility with 3rd party providers

src/Service/Kms/composer.json

@@ -28,7 +28,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.4-dev"
+            "dev-master": "1.5-dev"
         }
     }
 }

src/Service/Kms/src/Enum/KeyAgreementAlgorithmSpec.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace AsyncAws\Kms\Enum;
+
+final class KeyAgreementAlgorithmSpec
+{
+    public const ECDH = 'ECDH';
+
+    public static function exists(string $value): bool
+    {
+        return isset([
+            self::ECDH => true,
+        ][$value]);
+    }
+}

src/Service/Kms/src/Enum/KeyUsageType.php

@@ -6,13 +6,15 @@ final class KeyUsageType
 {
     public const ENCRYPT_DECRYPT = 'ENCRYPT_DECRYPT';
     public const GENERATE_VERIFY_MAC = 'GENERATE_VERIFY_MAC';
+    public const KEY_AGREEMENT = 'KEY_AGREEMENT';
     public const SIGN_VERIFY = 'SIGN_VERIFY';
 
     public static function exists(string $value): bool
     {
         return isset([
             self::ENCRYPT_DECRYPT => true,
             self::GENERATE_VERIFY_MAC => true,
+            self::KEY_AGREEMENT => true,
             self::SIGN_VERIFY => true,
         ][$value]);
     }

src/Service/Kms/src/Exception/InvalidKeyUsageException.php

@@ -13,8 +13,8 @@
  *
  * For encrypting, decrypting, re-encrypting, and generating data keys, the `KeyUsage` must be `ENCRYPT_DECRYPT`. For
  * signing and verifying messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and verifying message
- * authentication codes (MACs), the `KeyUsage` must be `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use
- * the DescribeKey operation.
+ * authentication codes (MACs), the `KeyUsage` must be `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
+ * `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the DescribeKey operation.
  *
  * To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.
  */

src/Service/Kms/src/Input/CreateKeyRequest.php

@@ -67,9 +67,11 @@ final class CreateKeyRequest extends Input
      *
      * - For symmetric encryption KMS keys, omit the parameter or specify `ENCRYPT_DECRYPT`.
      * - For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
-     * - For asymmetric KMS keys with RSA key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
-     * - For asymmetric KMS keys with ECC key material, specify `SIGN_VERIFY`.
-     * - For asymmetric KMS keys with SM2 key material (China Regions only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+     * - For asymmetric KMS keys with RSA key pairs, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+     * - For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
+     * - For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify `SIGN_VERIFY`.
+     * - For asymmetric KMS keys with SM2 key pairs (China Regions only), specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or
+     *   `KEY_AGREEMENT`.
      *
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
      *
@@ -115,25 +117,25 @@ final class CreateKeyRequest extends Input
      *   - `HMAC_384`
      *   - `HMAC_512`
      *
-     * - Asymmetric RSA key pairs
+     * - Asymmetric RSA key pairs (encryption and decryption -or- signing and verification)
      *
      *   - `RSA_2048`
      *   - `RSA_3072`
      *   - `RSA_4096`
      *
-     * - Asymmetric NIST-recommended elliptic curve key pairs
+     * - Asymmetric NIST-recommended elliptic curve key pairs (signing and verification -or- deriving shared secrets)
      *
      *   - `ECC_NIST_P256` (secp256r1)
      *   - `ECC_NIST_P384` (secp384r1)
      *   - `ECC_NIST_P521` (secp521r1)
      *
-     * - Other asymmetric elliptic curve key pairs
+     * - Other asymmetric elliptic curve key pairs (signing and verification)
      *
      *   - `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
      *
-     * - SM2 key pairs (China Regions only)
+     * - SM2 key pairs (encryption and decryption -or- signing and verification -or- deriving shared secrets)
      *
-     *   - `SM2`
+     *   - `SM2` (China Regions only)
      *
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
      * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm

src/Service/Kms/src/KmsClient.php

@@ -183,10 +183,13 @@ public function createAlias($input): Result
      *
      *   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions
      *   only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
-     *   operation to download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be
-     *   used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with ECC key pairs can be used
-     *   only to sign and verify messages. For information about asymmetric KMS keys, see Asymmetric KMS keys [^3] in the
-     *   *Key Management Service Developer Guide*.
+     *   operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage.
+     *   KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS
+     *   keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared secrets (but not
+     *   both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with SM2 key pairs
+     *   (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared
+     *   secrets (you must choose one key usage type). For information about asymmetric KMS keys, see Asymmetric KMS keys
+     *   [^3] in the *Key Management Service Developer Guide*.
      *
      * - `HMAC KMS key`:
      *

src/Service/Kms/src/Result/CreateKeyResponse.php

@@ -5,6 +5,7 @@
 use AsyncAws\Core\Response;
 use AsyncAws\Core\Result;
 use AsyncAws\Kms\Enum\EncryptionAlgorithmSpec;
+use AsyncAws\Kms\Enum\KeyAgreementAlgorithmSpec;
 use AsyncAws\Kms\Enum\MacAlgorithmSpec;
 use AsyncAws\Kms\Enum\SigningAlgorithmSpec;
 use AsyncAws\Kms\ValueObject\KeyMetadata;
@@ -51,6 +52,22 @@ private function populateResultEncryptionAlgorithmSpecList(array $json): array
         return $items;
     }
 
+    /**
+     * @return list<KeyAgreementAlgorithmSpec::*>
+     */
+    private function populateResultKeyAgreementAlgorithmSpecList(array $json): array
+    {
+        $items = [];
+        foreach ($json as $item) {
+            $a = isset($item) ? (string) $item : null;
+            if (null !== $a) {
+                $items[] = $a;
+            }
+        }
+
+        return $items;
+    }
+
     private function populateResultKeyMetadata(array $json): KeyMetadata
     {
         return new KeyMetadata([
@@ -73,6 +90,7 @@ private function populateResultKeyMetadata(array $json): KeyMetadata
             'KeySpec' => isset($json['KeySpec']) ? (string) $json['KeySpec'] : null,
             'EncryptionAlgorithms' => !isset($json['EncryptionAlgorithms']) ? null : $this->populateResultEncryptionAlgorithmSpecList($json['EncryptionAlgorithms']),
             'SigningAlgorithms' => !isset($json['SigningAlgorithms']) ? null : $this->populateResultSigningAlgorithmSpecList($json['SigningAlgorithms']),
+            'KeyAgreementAlgorithms' => !isset($json['KeyAgreementAlgorithms']) ? null : $this->populateResultKeyAgreementAlgorithmSpecList($json['KeyAgreementAlgorithms']),
             'MultiRegion' => isset($json['MultiRegion']) ? filter_var($json['MultiRegion'], \FILTER_VALIDATE_BOOLEAN) : null,
             'MultiRegionConfiguration' => empty($json['MultiRegionConfiguration']) ? null : $this->populateResultMultiRegionConfiguration($json['MultiRegionConfiguration']),
             'PendingDeletionWindowInDays' => isset($json['PendingDeletionWindowInDays']) ? (int) $json['PendingDeletionWindowInDays'] : null,

src/Service/Kms/src/ValueObject/KeyMetadata.php

@@ -6,6 +6,7 @@
 use AsyncAws\Kms\Enum\CustomerMasterKeySpec;
 use AsyncAws\Kms\Enum\EncryptionAlgorithmSpec;
 use AsyncAws\Kms\Enum\ExpirationModelType;
+use AsyncAws\Kms\Enum\KeyAgreementAlgorithmSpec;
 use AsyncAws\Kms\Enum\KeyManagerType;
 use AsyncAws\Kms\Enum\KeySpec;
 use AsyncAws\Kms\Enum\KeyState;
@@ -194,6 +195,13 @@ final class KeyMetadata
      */
     private $signingAlgorithms;
 
+    /**
+     * The key agreement algorithm used to derive a shared secret.
+     *
+     * @var list<KeyAgreementAlgorithmSpec::*>|null
+     */
+    private $keyAgreementAlgorithms;
+
     /**
      * Indicates whether the KMS key is a multi-Region (`True`) or regional (`False`) key. This value is `True` for
      * multi-Region primary and replica keys and `False` for regional KMS keys.
@@ -280,6 +288,7 @@ final class KeyMetadata
      *   KeySpec?: null|KeySpec::*,
      *   EncryptionAlgorithms?: null|array<EncryptionAlgorithmSpec::*>,
      *   SigningAlgorithms?: null|array<SigningAlgorithmSpec::*>,
+     *   KeyAgreementAlgorithms?: null|array<KeyAgreementAlgorithmSpec::*>,
      *   MultiRegion?: null|bool,
      *   MultiRegionConfiguration?: null|MultiRegionConfiguration|array,
      *   PendingDeletionWindowInDays?: null|int,
@@ -308,6 +317,7 @@ public function __construct(array $input)
         $this->keySpec = $input['KeySpec'] ?? null;
         $this->encryptionAlgorithms = $input['EncryptionAlgorithms'] ?? null;
         $this->signingAlgorithms = $input['SigningAlgorithms'] ?? null;
+        $this->keyAgreementAlgorithms = $input['KeyAgreementAlgorithms'] ?? null;
         $this->multiRegion = $input['MultiRegion'] ?? null;
         $this->multiRegionConfiguration = isset($input['MultiRegionConfiguration']) ? MultiRegionConfiguration::create($input['MultiRegionConfiguration']) : null;
         $this->pendingDeletionWindowInDays = $input['PendingDeletionWindowInDays'] ?? null;
@@ -336,6 +346,7 @@ public function __construct(array $input)
      *   KeySpec?: null|KeySpec::*,
      *   EncryptionAlgorithms?: null|array<EncryptionAlgorithmSpec::*>,
      *   SigningAlgorithms?: null|array<SigningAlgorithmSpec::*>,
+     *   KeyAgreementAlgorithms?: null|array<KeyAgreementAlgorithmSpec::*>,
      *   MultiRegion?: null|bool,
      *   MultiRegionConfiguration?: null|MultiRegionConfiguration|array,
      *   PendingDeletionWindowInDays?: null|int,
@@ -416,6 +427,14 @@ public function getExpirationModel(): ?string
         return $this->expirationModel;
     }
 
+    /**
+     * @return list<KeyAgreementAlgorithmSpec::*>
+     */
+    public function getKeyAgreementAlgorithms(): array
+    {
+        return $this->keyAgreementAlgorithms ?? [];
+    }
+
     public function getKeyId(): string
     {
         return $this->keyId;