feat(client-kms): Added support for the SM2 KeySpec in China Partition Regions
awstools committed Jul 18, 2022
1 parent d790bda commit 250fd19
Showing 21 changed files with 409 additions and 122 deletions.
76 changes: 49 additions & 27 deletions clients/client-kms/src/KMS.ts

Large diffs are not rendered by default.

Expand Up @@ -25,7 +25,7 @@ export interface CreateCustomKeyStoreCommandOutput extends CreateCustomKeyStoreR
/**
* <p>Creates a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a> that is associated with an <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html">CloudHSM cluster</a> that you own and
* manage.</p>
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom Key Store feature</a> feature in KMS, which
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
* combines the convenience and extensive integration of KMS with the isolation and control of a
* single-tenant key store.</p>
* <p>Before you create the custom key store, you must assemble
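Review bot: the duplicated word survives the capitalization change on the new line: `custom key store feature</a> feature in KMS` still reads "feature feature". Drop the word after the closing `</a>` so it reads `custom key store feature</a> in KMS, which combines ...`. The same sentence recurs in the DeleteCustomKeyStore, DescribeCustomKeyStores, DisconnectCustomKeyStore and UpdateCustomKeyStore hunks below; since these doc comments are generated from the service model, the fix belongs in the model's documentation rather than in a hand edit of the generated files.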
8 changes: 5 additions & 3 deletions clients/client-kms/src/commands/CreateKeyCommand.ts
Expand Up @@ -34,7 +34,9 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
* <dd>
* <p>To create a symmetric encryption KMS key, you aren't required to specify any parameters. The default value for
* <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, and the default value for
* <code>KeyUsage</code>, <code>ENCRYPT_DECRYPT</code>, create a symmetric encryption KMS key.</p>
* <code>KeyUsage</code>, <code>ENCRYPT_DECRYPT</code>, create a symmetric encryption KMS key. For technical details, see
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-symmetric-default">
* SYMMETRIC_DEFAULT key spec</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>If you need a key for basic encryption and decryption or you
* are creating a KMS key to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but they are typically used to generate data keys and data keys pairs. For details, see <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>.</p>
* <p> </p>
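Review bot: style point in the trailing context, `but they are typically used to generate data keys and data keys pairs`: "data keys pairs" should be "data key pairs", and "they" has no clear antecedent after a sentence whose subject is the singular "a symmetric encryption KMS key". Not introduced by this hunk, but since the wording is generated it is worth correcting at the source at the same time as the new SYMMETRIC_DEFAULT link.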
Expand All @@ -45,9 +47,9 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
* the type of key material in the KMS key. Then, use the <code>KeyUsage</code> parameter
* to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
* You can't change these properties after the KMS key is created.</p>
* <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
* <p>Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The private key in an asymmetric
* KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
* so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
* so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
* KMS keys with ECC key pairs can be used only to sign and verify messages.
* For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p> </p>
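Review bot: the new sentence scopes SM2 to China Regions only but says nothing about what a caller in another partition gets when `KeySpec` names the SM2 spec, and the following sentence (`KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both)`) now carries two conditions at once. Suggest a separate sentence stating the behaviour when an SM2 key spec is requested outside China Regions, and a clear statement that, as for RSA, `KeyUsage` fixes an SM2 key to either encryption or signing at creation, which the context line `You can't change these properties after the KMS key is created.` already implies.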
Expand Up @@ -25,7 +25,7 @@ export interface DeleteCustomKeyStoreCommandOutput extends DeleteCustomKeyStoreR
/**
* <p>Deletes a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. This operation does not delete the CloudHSM cluster that is
* associated with the custom key store, or affect any users or keys in the cluster.</p>
* <p>The custom key store that you delete cannot contain any KMS <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting the key store,
* <p>The custom key store that you delete cannot contain any <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting the key store,
* verify that you will never need to use any of the KMS keys in the key store for any
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a>. Then, use <a>ScheduleKeyDeletion</a> to delete the KMS keys from the
* key store. When the scheduled waiting period expires, the <code>ScheduleKeyDeletion</code>
Expand All @@ -39,7 +39,7 @@ export interface DeleteCustomKeyStoreCommandOutput extends DeleteCustomKeyStoreR
* delete KMS keys and you can reconnect a disconnected custom key store at any time.</p>
* <p>If the operation succeeds, it returns a JSON object with no
* properties.</p>
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom Key Store feature</a> feature in KMS, which
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
* combines the convenience and extensive integration of KMS with the isolation and control of a
* single-tenant key store.</p>
* <p>
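Review bot: the first hunk in this file removes the doubled "KMS <a ...>KMS keys</a>", but this hunk leaves the same pattern in place: `custom key store feature</a> feature in KMS` still reads "feature feature". Drop the second "feature" here as well.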
Expand Up @@ -24,7 +24,7 @@ export interface DescribeCustomKeyStoresCommandOutput extends DescribeCustomKeyS

/**
* <p>Gets information about <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> in the account and Region.</p>
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom Key Store feature</a> feature in KMS, which
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
* combines the convenience and extensive integration of KMS with the isolation and control of a
* single-tenant key store.</p>
* <p>By default, this operation returns information about all custom key
2 changes: 1 addition & 1 deletion clients/client-kms/src/commands/DescribeKeyCommand.ts
Expand Up @@ -41,7 +41,7 @@ export interface DescribeKeyCommandOutput extends DescribeKeyResponse, __Metadat
* <p>Whether automatic key rotation is enabled on the KMS key. To get this information, use
* <a>GetKeyRotationStatus</a>. Also, some key states prevent a KMS key from
* being automatically rotated. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works">How Automatic Key Rotation
* Works</a> in <i>Key Management Service Developer Guide</i>.</p>
* Works</a> in the <i>Key Management Service Developer Guide</i>.</p>
* </li>
* <li>
* <p>Tags on the KMS key. To get this information, use <a>ListResourceTags</a>.</p>
Expand Up @@ -36,7 +36,7 @@ export interface DisconnectCustomKeyStoreCommandOutput extends DisconnectCustomK
* <a>ConnectCustomKeyStore</a> operation.</p>
* <p>If the operation succeeds, it returns a JSON object with no
* properties.</p>
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom Key Store feature</a> feature in KMS, which
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
* combines the convenience and extensive integration of KMS with the isolation and control of a
* single-tenant key store.</p>
*
6 changes: 5 additions & 1 deletion clients/client-kms/src/commands/EncryptCommand.ts
Expand Up @@ -33,7 +33,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
* <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption
* Context</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The
* algorithm must be compatible with the KMS key type.</p>
* algorithm must be compatible with the KMS key spec.</p>
* <important>
* <p>When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.</p>
* <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
Expand Down Expand Up @@ -97,6 +97,10 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
* </li>
* </ul>
* </li>
* <li>
* <p>
* <code>SM2PKE</code>: 1024 bytes (China Regions only)</p>
* </li>
* </ul>
* <p>The KMS key that you use for this operation must be in a compatible key state. For
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
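Review bot: the new `<li>` is inserted at the outer list level, after the `</ul></li>` that closes the preceding key spec's nested algorithm list, so `SM2PKE` appears as a peer of the key specs rather than as an algorithm nested under an SM2 key spec the way the RSA algorithms are nested under their key specs; if the outer bullets are key specs, nest it the same way (key spec bullet, then `SM2PKE: 1024 bytes` beneath it). This page shows only the doc-comment hunks of the 21 changed files, so also confirm that `SM2PKE` is accepted by the `EncryptionAlgorithm` parameter's type in the generated model; otherwise the documented 1024-byte limit describes a value the client cannot send.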
18 changes: 12 additions & 6 deletions clients/client-kms/src/commands/GenerateDataKeyCommand.ts
Expand Up @@ -25,15 +25,21 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
/**
* <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
* plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
* key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
* key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
* data key with the encrypted data.</p>
* key that you specify. The bytes in the plaintext key are random; they are not related
* to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS
* and store the encrypted data key with the encrypted data.</p>
*
* <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
* encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
* type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
* the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
* (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
* type of your KMS key, use the <a>DescribeKey</a> operation.</p>
*
* <p>You must also specify the length of the data key. Use either the <code>KeySpec</code> or
* <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
* the <code>KeySpec</code> parameter.</p>
*
* <p>To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
* <code>AES_128</code> or <code>NumberOfBytes</code> value of <code>128</code>. The symmetric
* encryption key used in China Regions to encrypt your data key is an SM4 encryption key.</p>
*
* <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
* the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
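Review bot: the `NumberOfBytes` value in the new SM4 paragraph looks wrong: `specify a KeySpec value of AES_128 or NumberOfBytes value of 128` pairs a 128-bit key spec with 128 bytes, but `NumberOfBytes` is a byte count (the paragraph above calls it "the length of the data key"), so the equivalent of `AES_128` is `16`. As written, a reader who takes the `NumberOfBytes` route requests a 1024-bit data key, which is not an SM4 key size (SM4 uses a 128-bit key). Suggest `NumberOfBytes` value of `16`, and "or a `NumberOfBytes` value" for grammar.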
6 changes: 3 additions & 3 deletions clients/client-kms/src/commands/GenerateDataKeyPairCommand.ts
Expand Up @@ -39,9 +39,9 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
* custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
* operation. </p>
* <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
* key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
* either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
* the use of data key pairs outside of KMS.</p>
* key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use
* ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both.
* However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.</p>
*
* <p>If you are using the data key pair to encrypt data, or for any operation where you don't
* immediately need a private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation.
Expand Up @@ -41,9 +41,9 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput
* custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
* operation. </p>
* <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
* key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
* either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
* the use of data key pairs outside of KMS.</p>
* key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you
* use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not
* both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.</p>
* <p>
* <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each
* request. The bytes in the key are not related to the caller or KMS key that is used to encrypt
5 changes: 4 additions & 1 deletion clients/client-kms/src/commands/GenerateRandomCommand.ts
Expand Up @@ -24,13 +24,16 @@ export interface GenerateRandomCommandOutput extends GenerateRandomResponse, __M

/**
* <p>Returns a random byte string that is cryptographically secure.</p>
* <p>You must use the <code>NumberOfBytes</code> parameter to specify the length of the random
* byte string. There is no default value for string length.</p>
* <p>By default, the random byte string is generated in KMS. To generate the byte string in
* the CloudHSM cluster that is associated with a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>, specify the custom key store
* ID.</p>
* <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>For more information about entropy and random number generation, see
* <a href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic Details</a>.</p>
*
* <p>
* <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific resources, such as KMS keys.</p>
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateRandom</a> (IAM policy)</p>
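Review bot: the blank ` *` line inserted before `<p><b>Cross-account use</b>` is the only paragraph separator in this comment block; every other `<p>` in the hunk follows the previous one directly (for example `...Cryptographic Details</a>.</p>` is immediately followed by `<p>`). Either drop the blank line or apply the same spacing to the whole block so the generated comment stays uniform.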
* @example
7 changes: 5 additions & 2 deletions clients/client-kms/src/commands/GetPublicKeyCommand.ts
Expand Up @@ -32,8 +32,11 @@ export interface GetPublicKeyCommandOutput extends GetPublicKeyResponse, __Metad
* KMS by calling the <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When you use the
* public key within KMS, you benefit from the authentication, authorization, and logging that
* are part of every KMS operation. You also reduce of risk of encrypting data that cannot be
* decrypted. These features are not effective outside of KMS. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations">Special
* Considerations for Downloading Public Keys</a>.</p>
* decrypted. These features are not effective outside of KMS.</p>
* <p>To verify a signature outside of KMS with an SM2 public key (China Regions only), you must
* specify the distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the
* distinguishing ID. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline verification
* with SM2 key pairs</a>.</p>
* <p>To help you use the public key safely outside of KMS, <code>GetPublicKey</code> returns
* important information about the public key in the response, including:</p>
* <ul>
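Review bot: the hunk deletes the link to Special Considerations for Downloading Public Keys while keeping the sentence it supported (`These features are not effective outside of KMS.`), so the paragraph's only security caveat now points nowhere; unless that guide page was retired, keep the `download-public-key-considerations` link on the new line. On the SM2 addition: the distinguishing ID matters because SM2 hashes the signer's ID into the value that is signed, so offline verification with any ID other than the one KMS used fails even with the correct public key; a half sentence saying that the verifier must supply the same ID the signer used would make the default `1234567812345678` actionable rather than just a number.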
Expand Up @@ -58,7 +58,7 @@ export interface UpdateCustomKeyStoreCommandOutput extends UpdateCustomKeyStoreR
* </ul>
* <p>If the operation succeeds, it returns a JSON object with no
* properties.</p>
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom Key Store feature</a> feature in KMS, which
* <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
* combines the convenience and extensive integration of KMS with the isolation and control of a
* single-tenant key store.</p>
* <p>
6 changes: 5 additions & 1 deletion clients/client-kms/src/commands/VerifyCommand.ts
Expand Up @@ -35,7 +35,11 @@ export interface VerifyCommandOutput extends VerifyResponse, __MetadataBearer {}
* signature.</p>
* <p>You can also verify the digital signature by using the public key of the KMS key outside
* of KMS. Use the <a>GetPublicKey</a> operation to download the public key in the
* asymmetric KMS key and then use the public key to verify the signature outside of KMS. The
* asymmetric KMS key and then use the public key to verify the signature outside of KMS. To
* verify a signature outside of KMS with an SM2 public key, you must specify the distinguishing
* ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more
* information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline
* verification with SM2 key pairs</a> in <i>Key Management Service Developer Guide</i>. The
* advantage of using the <code>Verify</code> operation is that it is performed within KMS. As
* a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged
* in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use
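Review bot: the new SM2 sentence is missing the `(China Regions only)` qualifier that the same sentence carries in the GetPublicKey hunk (`with an SM2 public key (China Regions only)`), and `in <i>Key Management Service Developer Guide</i>` lacks "the", which this same commit fixes in the DescribeKey hunk (`in the <i>Key Management Service Developer Guide</i>`); align both. The SM2 clause is also spliced between `use the public key to verify the signature outside of KMS` and `The advantage of using the <code>Verify</code> operation`, so the advantage sentence now follows an unrelated link; moving the SM2 text into its own `<p>` would keep the two thoughts separate.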