#[non_exhaustive]pub struct KmsPrivateKeyToStaticPublicKeyInput {
pub recipient_public_key: Option<Blob>,
pub sender_kms_identifier: Option<String>,
pub sender_public_key: Option<Blob>,
}Expand description
Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration.
Fields (Non-exhaustive)§
This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional
Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.recipient_public_key: Option<Blob>Recipient Public Key. This MUST be a raw public ECC key in DER format.
sender_kms_identifier: Option<String>AWS KMS Key Identifier belonging to the sender.
sender_public_key: Option<Blob>Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier.
Implementations§
Source§impl KmsPrivateKeyToStaticPublicKeyInput
impl KmsPrivateKeyToStaticPublicKeyInput
Sourcepub fn recipient_public_key(&self) -> &Option<Blob>
pub fn recipient_public_key(&self) -> &Option<Blob>
Recipient Public Key. This MUST be a raw public ECC key in DER format.
Sourcepub fn sender_kms_identifier(&self) -> &Option<String>
pub fn sender_kms_identifier(&self) -> &Option<String>
AWS KMS Key Identifier belonging to the sender.
Sourcepub fn sender_public_key(&self) -> &Option<Blob>
pub fn sender_public_key(&self) -> &Option<Blob>
Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier.
Source§impl KmsPrivateKeyToStaticPublicKeyInput
impl KmsPrivateKeyToStaticPublicKeyInput
Sourcepub fn builder() -> KmsPrivateKeyToStaticPublicKeyInputBuilder
pub fn builder() -> KmsPrivateKeyToStaticPublicKeyInputBuilder
Creates a new builder-style object to manufacture KmsPrivateKeyToStaticPublicKeyInput.
Examples found in repository?
examples/keyring/ecdh/kms_ecdh_discovery_keyring_example.rs (line 174)
157async fn get_ciphertext(
158 example_data: &str,
159 encryption_context: HashMap<String, String>,
160 ecc_recipient_key_arn: &str,
161 ecdh_curve_spec: EcdhCurveSpec,
162 kms_client: aws_sdk_kms::Client,
163 esdk_client: esdk_client::Client,
164) -> Result<Blob, crate::BoxError> {
165 // 1. Create the public keys for sender and recipient
166 // Recipient keys are taken as input for this example
167 // Sender ECC key used in this example is TEST_KMS_ECDH_KEY_ID_P256_SENDER
168 let public_key_sender_utf8_bytes =
169 generate_kms_ecc_public_key(TEST_KMS_ECDH_KEY_ID_P256_SENDER).await?;
170 let public_key_recipient_utf8_bytes =
171 generate_kms_ecc_public_key(ecc_recipient_key_arn).await?;
172
173 // 2. Create the KmsPrivateKeyToStaticPublicKeyInput
174 let kms_ecdh_static_configuration_input = KmsPrivateKeyToStaticPublicKeyInput::builder()
175 .sender_kms_identifier(TEST_KMS_ECDH_KEY_ID_P256_SENDER)
176 // Must be a UTF8 DER-encoded X.509 public key
177 .sender_public_key(public_key_sender_utf8_bytes)
178 // Must be a UTF8 DER-encoded X.509 public key
179 .recipient_public_key(public_key_recipient_utf8_bytes)
180 .build()?;
181
182 let kms_ecdh_static_configuration = KmsEcdhStaticConfigurations::KmsPrivateKeyToStaticPublicKey(
183 kms_ecdh_static_configuration_input,
184 );
185
186 // 3. Create the KMS ECDH keyring.
187 let mpl_config = MaterialProvidersConfig::builder().build()?;
188 let mpl = mpl_client::Client::from_conf(mpl_config)?;
189
190 let kms_ecdh_keyring = mpl
191 .create_aws_kms_ecdh_keyring()
192 .kms_client(kms_client)
193 .curve_spec(ecdh_curve_spec)
194 .key_agreement_scheme(kms_ecdh_static_configuration)
195 .send()
196 .await?;
197
198 // 4. Encrypt the data with the encryption_context
199 let plaintext = example_data.as_bytes();
200
201 let encryption_response = esdk_client
202 .encrypt()
203 .plaintext(plaintext)
204 .keyring(kms_ecdh_keyring.clone())
205 .encryption_context(encryption_context.clone())
206 .send()
207 .await?;
208
209 let ciphertext = encryption_response
210 .ciphertext
211 .expect("Unable to unwrap ciphertext from encryption response");
212
213 // 5. Demonstrate that the ciphertext and plaintext are different.
214 // (This is an example for demonstration; you do not need to do this in your own code.)
215 assert_ne!(
216 ciphertext,
217 aws_smithy_types::Blob::new(plaintext),
218 "Ciphertext and plaintext data are the same. Invalid encryption"
219 );
220
221 Ok(ciphertext)
222}More examples
examples/keyring/ecdh/kms_ecdh_keyring_example.rs (line 131)
59pub async fn encrypt_and_decrypt_with_keyring(
60 example_data: &str,
61 ecc_key_arn: &str,
62 ecdh_curve_spec: EcdhCurveSpec,
63 ecc_recipient_key_arn: Option<&str>,
64) -> Result<(), crate::BoxError> {
65 // 1. If ecc_recipient_key_arn is not provided, set the private key for the recipient to TEST_KMS_ECDH_KEY_ID_P256_RECIPIENT
66 let ecc_recipient_key_arn = ecc_recipient_key_arn
67 .unwrap_or(crate::example_utils::utils::TEST_KMS_ECDH_KEY_ID_P256_RECIPIENT);
68
69 // 2. Instantiate the encryption SDK client.
70 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
71 // which enforces that this client only encrypts using committing algorithm suites and enforces
72 // that this client will only decrypt encrypted messages that were created with a committing
73 // algorithm suite.
74 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
75 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
76
77 // 3. Create a KMS client.
78 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
79 let kms_client = aws_sdk_kms::Client::new(&sdk_config);
80
81 // 4. Create encryption context.
82 // Remember that your encryption context is NOT SECRET.
83 // For more information, see
84 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
85 let encryption_context = HashMap::from([
86 ("encryption".to_string(), "context".to_string()),
87 ("is not".to_string(), "secret".to_string()),
88 ("but adds".to_string(), "useful metadata".to_string()),
89 (
90 "that can help you".to_string(),
91 "be confident that".to_string(),
92 ),
93 (
94 "the data you are handling".to_string(),
95 "is what you think it is".to_string(),
96 ),
97 ]);
98
99 // 5. You may provide your own ECC keys in the files located at
100 // - EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER
101 // - EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT
102
103 // If not, the main method in this class will call
104 // the KMS ECC key, retrieve its public key, and store it
105 // in a PEM file for example use.
106 if should_generate_new_kms_ecc_public_key(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER)? {
107 write_kms_ecdh_ecc_public_key(ecc_key_arn, EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER)
108 .await?;
109 }
110
111 if should_generate_new_kms_ecc_public_key(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)? {
112 write_kms_ecdh_ecc_public_key(
113 ecc_recipient_key_arn,
114 EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT,
115 )
116 .await?;
117 }
118
119 // 6. Load public key from UTF-8 encoded PEM files into a DER encoded public key.
120 let public_key_file_content_sender =
121 std::fs::read_to_string(Path::new(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER))?;
122 let parsed_public_key_file_content_sender = parse(public_key_file_content_sender)?;
123 let public_key_sender_utf8_bytes = parsed_public_key_file_content_sender.contents();
124
125 let public_key_file_content_recipient =
126 std::fs::read_to_string(Path::new(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT))?;
127 let parsed_public_key_file_content_recipient = parse(public_key_file_content_recipient)?;
128 let public_key_recipient_utf8_bytes = parsed_public_key_file_content_recipient.contents();
129
130 // 7. Create the KmsPrivateKeyToStaticPublicKeyInput
131 let kms_ecdh_static_configuration_input = KmsPrivateKeyToStaticPublicKeyInput::builder()
132 .sender_kms_identifier(ecc_key_arn)
133 // Must be a UTF8 DER-encoded X.509 public key
134 .sender_public_key(public_key_sender_utf8_bytes)
135 // Must be a UTF8 DER-encoded X.509 public key
136 .recipient_public_key(public_key_recipient_utf8_bytes)
137 .build()?;
138
139 let kms_ecdh_static_configuration = KmsEcdhStaticConfigurations::KmsPrivateKeyToStaticPublicKey(
140 kms_ecdh_static_configuration_input,
141 );
142
143 // 8. Create the KMS ECDH keyring.
144 let mpl_config = MaterialProvidersConfig::builder().build()?;
145 let mpl = mpl_client::Client::from_conf(mpl_config)?;
146
147 // Create a KMS ECDH keyring.
148 // This keyring uses the KmsPrivateKeyToStaticPublicKey configuration. This configuration calls for both of
149 // the keys to be on the same curve (P256, P384, P521).
150 // On encrypt, the keyring calls AWS KMS to derive the shared secret from the sender's KMS ECC Key ARN and the recipient's public key.
151 // For this example, on decrypt, the keyring calls AWS KMS to derive the shared secret from the sender's KMS ECC Key ARN and the recipient's public key;
152 // however, on decrypt, the recipient can construct a keyring such that the shared secret is calculated with
153 // the recipient's private key and the sender's public key. In both scenarios the shared secret will be the same.
154 // For more information on this configuration see:
155 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-ecdh-keyring.html#kms-ecdh-create
156 // This keyring takes in:
157 // - kmsClient
158 // - kmsKeyId: Must be an ARN representing a KMS ECC key meant for KeyAgreement
159 // - curveSpec: The curve name where the public keys lie
160 // - senderPublicKey: A ByteBuffer of a UTF-8 encoded public
161 // key for the key passed into kmsKeyId in DER format
162 // - recipientPublicKey: A ByteBuffer of a UTF-8 encoded public
163 // key for the key passed into kmsKeyId in DER format
164 let kms_ecdh_keyring = mpl
165 .create_aws_kms_ecdh_keyring()
166 .kms_client(kms_client)
167 .curve_spec(ecdh_curve_spec)
168 .key_agreement_scheme(kms_ecdh_static_configuration)
169 .send()
170 .await?;
171
172 // 9. Encrypt the data with the encryption_context
173 let plaintext = example_data.as_bytes();
174
175 let encryption_response = esdk_client
176 .encrypt()
177 .plaintext(plaintext)
178 .keyring(kms_ecdh_keyring.clone())
179 .encryption_context(encryption_context.clone())
180 .send()
181 .await?;
182
183 let ciphertext = encryption_response
184 .ciphertext
185 .expect("Unable to unwrap ciphertext from encryption response");
186
187 // 10. Demonstrate that the ciphertext and plaintext are different.
188 // (This is an example for demonstration; you do not need to do this in your own code.)
189 assert_ne!(
190 ciphertext,
191 aws_smithy_types::Blob::new(plaintext),
192 "Ciphertext and plaintext data are the same. Invalid encryption"
193 );
194
195 // 11. Decrypt your encrypted data using the same keyring you used on encrypt.
196 let decryption_response = esdk_client
197 .decrypt()
198 .ciphertext(ciphertext)
199 .keyring(kms_ecdh_keyring)
200 // Provide the encryption context that was supplied to the encrypt method
201 .encryption_context(encryption_context)
202 .send()
203 .await?;
204
205 let decrypted_plaintext = decryption_response
206 .plaintext
207 .expect("Unable to unwrap plaintext from decryption response");
208
209 // 12. Demonstrate that the decrypted plaintext is identical to the original plaintext.
210 // (This is an example for demonstration; you do not need to do this in your own code.)
211 assert_eq!(
212 decrypted_plaintext,
213 aws_smithy_types::Blob::new(plaintext),
214 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
215 );
216
217 println!("KMS ECDH Keyring Example Completed Successfully");
218
219 Ok(())
220}Trait Implementations§
Source§impl Clone for KmsPrivateKeyToStaticPublicKeyInput
impl Clone for KmsPrivateKeyToStaticPublicKeyInput
Source§fn clone(&self) -> KmsPrivateKeyToStaticPublicKeyInput
fn clone(&self) -> KmsPrivateKeyToStaticPublicKeyInput
Returns a duplicate of the value. Read more
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from
source. Read moreSource§impl PartialEq for KmsPrivateKeyToStaticPublicKeyInput
impl PartialEq for KmsPrivateKeyToStaticPublicKeyInput
Source§fn eq(&self, other: &KmsPrivateKeyToStaticPublicKeyInput) -> bool
fn eq(&self, other: &KmsPrivateKeyToStaticPublicKeyInput) -> bool
Tests for
self and other values to be equal, and is used by ==.impl StructuralPartialEq for KmsPrivateKeyToStaticPublicKeyInput
Auto Trait Implementations§
impl Freeze for KmsPrivateKeyToStaticPublicKeyInput
impl RefUnwindSafe for KmsPrivateKeyToStaticPublicKeyInput
impl Send for KmsPrivateKeyToStaticPublicKeyInput
impl Sync for KmsPrivateKeyToStaticPublicKeyInput
impl Unpin for KmsPrivateKeyToStaticPublicKeyInput
impl UnwindSafe for KmsPrivateKeyToStaticPublicKeyInput
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreCreates a shared type from an unshared type.