Struct KmsPublicKeyDiscoveryInput 

/// Inputs for creating a KmsPublicKeyDiscovery configuration.
///
/// This is a DECRYPT ONLY configuration: a keyring built from it refuses to
/// encrypt and is only used to decrypt messages whose header carries the
/// recipient's public key.
#[non_exhaustive]
pub struct KmsPublicKeyDiscoveryInput {
    /// AWS KMS key identifier belonging to the recipient.
    pub recipient_kms_identifier: Option<String>,
}
Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§recipient_kms_identifier: Option<String>

AWS KMS key identifier belonging to the recipient; in the example below this is the ARN of a KMS ECC key intended for key agreement.

Implementations§

impl KmsPublicKeyDiscoveryInput

pub fn recipient_kms_identifier(&self) -> &Option<String>

AWS KMS key identifier belonging to the recipient.

impl KmsPublicKeyDiscoveryInput

pub fn builder() -> KmsPublicKeyDiscoveryInputBuilder

Creates a new builder-style object to manufacture KmsPublicKeyDiscoveryInput.

Examples found in repository:
examples/keyring/ecdh/kms_ecdh_discovery_keyring_example.rs (line 79)
/// Decrypts a message with a KMS ECDH *discovery* keyring and checks the round trip.
///
/// The discovery configuration built here is decrypt-only (see the keyring comment
/// below), so the ciphertext is first produced by a non-discovery KMS ECDH keyring
/// via `get_ciphertext`, then decrypted with the discovery keyring, and the result
/// is compared with the original plaintext.
///
/// # Arguments
/// * `example_data` - plaintext to encrypt and then decrypt.
/// * `ecdh_curve_spec` - curve the keyring is configured with (`curve_spec`).
/// * `ecc_recipient_key_arn` - identifier of the recipient's KMS ECC key; used both
///   as the discovery `recipient_kms_identifier` and by `get_ciphertext`.
///
/// # Errors
/// Any error from building the clients or keyring, from `get_ciphertext`, or from
/// the decrypt call is propagated with `?`.
///
/// # Panics
/// Panics if the decrypt response carries no plaintext, or if the decrypted bytes
/// differ from `example_data` (the example's final `assert_eq!`).
pub async fn decrypt_with_keyring(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
    ecc_recipient_key_arn: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the KmsPublicKeyDiscoveryInput.
    // The only input is the recipient's KMS key identifier.
    let kms_ecdh_discovery_static_configuration_input = KmsPublicKeyDiscoveryInput::builder()
        .recipient_kms_identifier(ecc_recipient_key_arn)
        .build()?;

    let kms_ecdh_discovery_static_configuration =
        KmsEcdhStaticConfigurations::KmsPublicKeyDiscovery(
            kms_ecdh_discovery_static_configuration_input,
        );

    // 5. Create the KMS ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS ECDH Discovery keyring.
    // This keyring uses the KmsPublicKeyDiscovery configuration.
    // On encrypt, the keyring will fail as it is not allowed to encrypt data under this configuration.
    // On decrypt, the keyring will check if its corresponding public key is stored in the message header. It
    // will call AWS KMS to derive the shared secret from the recipient's KMS ECC key ARN and the sender's public key.
    // For more information on this configuration see:
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-ecdh-keyring.html#kms-ecdh-discovery
    // This keyring takes in:
    //  - kmsClient
    //  - recipientKmsIdentifier: Must be an ARN representing a KMS ECC key meant for KeyAgreement
    //  - curveSpec: The curve name where the public keys lie
    let kms_ecdh_discovery_keyring = mpl
        .create_aws_kms_ecdh_keyring()
        // Cloned so the same client can still be moved into get_ciphertext below.
        .kms_client(kms_client.clone())
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(kms_ecdh_discovery_static_configuration)
        .send()
        .await?;

    // 6. Get ciphertext by creating a KMS ECDH keyring WITHOUT discovery
    // because the KMS ECDH keyring WITH discovery CANNOT encrypt data.
    let plaintext = example_data.as_bytes();

    // Get ciphertext by creating a KMS ECDH keyring WITHOUT discovery.
    // The recipient's public key used in the encrypting KMS ECDH keyring WITHOUT discovery
    // is a public key generated from ecc_recipient_key_arn, the same ecc key used
    // when creating the KMS ECDH keyring WITH discovery used for decryption in this example.
    // We then decrypt this ciphertext using a KMS ECDH keyring WITH discovery
    let ciphertext = get_ciphertext(
        example_data,
        encryption_context.clone(),
        ecc_recipient_key_arn,
        ecdh_curve_spec,
        kms_client,
        esdk_client.clone(),
    )
    .await?;

    // 7. Decrypt the ciphertext with the discovery keyring. Note that this is NOT the
    // keyring that encrypted it: encryption happened inside get_ciphertext with a
    // non-discovery KMS ECDH keyring, since the discovery keyring cannot encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_ecdh_discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        // NOTE(review): the SDK is expected to reject a mismatching context here — confirm
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        // The response's `plaintext` may be absent; a successful decrypt without it is
        // treated as unexpected in this example, hence a panic rather than an Err.
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS ECDH Discovery Keyring Example Completed Successfully");

    Ok(())
}

Trait Implementations§

impl Clone for KmsPublicKeyDiscoveryInput

fn clone(&self) -> KmsPublicKeyDiscoveryInput

Returns a duplicate of the value. Read more
fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
impl Debug for KmsPublicKeyDiscoveryInput

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
impl PartialEq for KmsPublicKeyDiscoveryInput

fn eq(&self, other: &KmsPublicKeyDiscoveryInput) -> bool

Tests for self and other values to be equal, and is used by ==.
fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
impl StructuralPartialEq for KmsPublicKeyDiscoveryInput

Auto Trait Implementations§

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
impl<T> AnyRef for T
where T: 'static,

fn as_any_ref(&self) -> &(dyn Any + 'static)

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.
impl<T> Same for T

type Output = T

Should always be Self
impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.
fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
impl<T> Upcast<T> for T
where T: ?Sized,

fn upcast(&self) -> Ptr<T>

impl<T> UpcastObject<T> for T
where T: ?Sized,

fn upcast(&self) -> Object<T>

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more