/AWS1/CL_KMSDERIVESHAREDSECR01¶

DeriveSharedSecretResponse

`CONSTRUCTOR`¶

IMPORTING¶

Optional arguments:¶

`iv_keyid` `TYPE /AWS1/KMSKEYIDTYPE` `/AWS1/KMSKEYIDTYPE`¶

Identifies the KMS key used to derive the shared secret.

`iv_sharedsecret` `TYPE /AWS1/KMSPLAINTEXTTYPE` `/AWS1/KMSPLAINTEXTTYPE`¶

The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.

If the response includes the CiphertextForRecipient field, the SharedSecret field is null or empty.

`iv_ciphertextforrecipient` `TYPE /AWS1/KMSCIPHERTEXTTYPE` `/AWS1/KMSCIPHERTEXTTYPE`¶

The plaintext shared secret encrypted with the public key from the attestation document. This ciphertext can be decrypted only by using a private key from the attested environment.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS in the Key Management Service Developer Guide.

`iv_keyagreementalgorithm` `TYPE /AWS1/KMSKEYAGREEMENTALGSPEC` `/AWS1/KMSKEYAGREEMENTALGSPEC`¶

Identifies the key agreement algorithm used to derive the shared secret.

`iv_keyorigin` `TYPE /AWS1/KMSORIGINTYPE` `/AWS1/KMSORIGINTYPE`¶

The source of the key material for the specified KMS key.

When this value is AWS_KMS, KMS created the key material. When this value is EXTERNAL, the key material was imported or the KMS key doesn't have any key material.

The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.

Queryable Attributes¶

KeyId¶

Identifies the KMS key used to derive the shared secret.

Accessible with the following methods¶

Method	Description
`GET_KEYID()`	Getter for KEYID, with configurable default
`ASK_KEYID()`	Getter for KEYID w/ exceptions if field has no value
`HAS_KEYID()`	Determine if KEYID has a value

SharedSecret¶

The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.

If the response includes the CiphertextForRecipient field, the SharedSecret field is null or empty.

Accessible with the following methods¶

Method	Description
`GET_SHAREDSECRET()`	Getter for SHAREDSECRET, with configurable default
`ASK_SHAREDSECRET()`	Getter for SHAREDSECRET w/ exceptions if field has no value
`HAS_SHAREDSECRET()`	Determine if SHAREDSECRET has a value

CiphertextForRecipient¶

The plaintext shared secret encrypted with the public key from the attestation document. This ciphertext can be decrypted only by using a private key from the attested environment.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS in the Key Management Service Developer Guide.

Accessible with the following methods¶

Method	Description
`GET_CIPHERTEXTFORRECIPIENT()`	Getter for CIPHERTEXTFORRECIPIENT, with configurable default
`ASK_CIPHERTEXTFORRECIPIENT()`	Getter for CIPHERTEXTFORRECIPIENT w/ exceptions if field has
`HAS_CIPHERTEXTFORRECIPIENT()`	Determine if CIPHERTEXTFORRECIPIENT has a value

KeyAgreementAlgorithm¶

Identifies the key agreement algorithm used to derive the shared secret.

Accessible with the following methods¶

Method	Description
`GET_KEYAGREEMENTALGORITHM()`	Getter for KEYAGREEMENTALGORITHM, with configurable default
`ASK_KEYAGREEMENTALGORITHM()`	Getter for KEYAGREEMENTALGORITHM w/ exceptions if field has
`HAS_KEYAGREEMENTALGORITHM()`	Determine if KEYAGREEMENTALGORITHM has a value

KeyOrigin¶

The source of the key material for the specified KMS key.

When this value is AWS_KMS, KMS created the key material. When this value is EXTERNAL, the key material was imported or the KMS key doesn't have any key material.

The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.

Accessible with the following methods¶

Method	Description
`GET_KEYORIGIN()`	Getter for KEYORIGIN, with configurable default
`ASK_KEYORIGIN()`	Getter for KEYORIGIN w/ exceptions if field has no value
`HAS_KEYORIGIN()`	Determine if KEYORIGIN has a value

/AWS1/CL_KMSDERIVESHAREDSECR01¶

CONSTRUCTOR¶

IMPORTING¶

Optional arguments:¶

iv_keyid TYPE /AWS1/KMSKEYIDTYPE /AWS1/KMSKEYIDTYPE¶

iv_sharedsecret TYPE /AWS1/KMSPLAINTEXTTYPE /AWS1/KMSPLAINTEXTTYPE¶

iv_ciphertextforrecipient TYPE /AWS1/KMSCIPHERTEXTTYPE /AWS1/KMSCIPHERTEXTTYPE¶

iv_keyagreementalgorithm TYPE /AWS1/KMSKEYAGREEMENTALGSPEC /AWS1/KMSKEYAGREEMENTALGSPEC¶

iv_keyorigin TYPE /AWS1/KMSORIGINTYPE /AWS1/KMSORIGINTYPE¶

Queryable Attributes¶

KeyId¶

Accessible with the following methods¶

SharedSecret¶

Accessible with the following methods¶

CiphertextForRecipient¶

Accessible with the following methods¶

KeyAgreementAlgorithm¶

Accessible with the following methods¶

KeyOrigin¶

Accessible with the following methods¶

`CONSTRUCTOR`¶

`iv_keyid` `TYPE /AWS1/KMSKEYIDTYPE` `/AWS1/KMSKEYIDTYPE`¶

`iv_sharedsecret` `TYPE /AWS1/KMSPLAINTEXTTYPE` `/AWS1/KMSPLAINTEXTTYPE`¶

`iv_ciphertextforrecipient` `TYPE /AWS1/KMSCIPHERTEXTTYPE` `/AWS1/KMSCIPHERTEXTTYPE`¶

`iv_keyagreementalgorithm` `TYPE /AWS1/KMSKEYAGREEMENTALGSPEC` `/AWS1/KMSKEYAGREEMENTALGSPEC`¶

`iv_keyorigin` `TYPE /AWS1/KMSORIGINTYPE` `/AWS1/KMSORIGINTYPE`¶