Update generated code (#1901)

update generated code

Author: async-aws-bot

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.344.3"
+        "${LATEST}": "3.344.6"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

src/Service/Kms/CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - AWS api-change: AWS KMS announces the support for on-demand rotation of symmetric-encryption KMS keys with imported key material (EXTERNAL origin).
 - AWS api-change: Rework regions configuration
+- AWS api-change: AWS KMS announces the support of ML-DSA key pairs that creates post-quantum safe digital signatures.
 
 ## 1.9.0
 

src/Service/Kms/src/Enum/KeySpec.php

@@ -12,6 +12,9 @@ final class KeySpec
     public const HMAC_256 = 'HMAC_256';
     public const HMAC_384 = 'HMAC_384';
     public const HMAC_512 = 'HMAC_512';
+    public const ML_DSA_44 = 'ML_DSA_44';
+    public const ML_DSA_65 = 'ML_DSA_65';
+    public const ML_DSA_87 = 'ML_DSA_87';
     public const RSA_2048 = 'RSA_2048';
     public const RSA_3072 = 'RSA_3072';
     public const RSA_4096 = 'RSA_4096';
@@ -29,6 +32,9 @@ public static function exists(string $value): bool
             self::HMAC_256 => true,
             self::HMAC_384 => true,
             self::HMAC_512 => true,
+            self::ML_DSA_44 => true,
+            self::ML_DSA_65 => true,
+            self::ML_DSA_87 => true,
             self::RSA_2048 => true,
             self::RSA_3072 => true,
             self::RSA_4096 => true,

src/Service/Kms/src/Enum/MessageType.php

@@ -5,12 +5,14 @@
 final class MessageType
 {
     public const DIGEST = 'DIGEST';
+    public const EXTERNAL_MU = 'EXTERNAL_MU';
     public const RAW = 'RAW';
 
     public static function exists(string $value): bool
     {
         return isset([
             self::DIGEST => true,
+            self::EXTERNAL_MU => true,
             self::RAW => true,
         ][$value]);
     }

src/Service/Kms/src/Enum/SigningAlgorithmSpec.php

@@ -7,6 +7,7 @@ final class SigningAlgorithmSpec
     public const ECDSA_SHA_256 = 'ECDSA_SHA_256';
     public const ECDSA_SHA_384 = 'ECDSA_SHA_384';
     public const ECDSA_SHA_512 = 'ECDSA_SHA_512';
+    public const ML_DSA_SHAKE_256 = 'ML_DSA_SHAKE_256';
     public const RSASSA_PKCS1_V1_5_SHA_256 = 'RSASSA_PKCS1_V1_5_SHA_256';
     public const RSASSA_PKCS1_V1_5_SHA_384 = 'RSASSA_PKCS1_V1_5_SHA_384';
     public const RSASSA_PKCS1_V1_5_SHA_512 = 'RSASSA_PKCS1_V1_5_SHA_512';
@@ -21,6 +22,7 @@ public static function exists(string $value): bool
             self::ECDSA_SHA_256 => true,
             self::ECDSA_SHA_384 => true,
             self::ECDSA_SHA_512 => true,
+            self::ML_DSA_SHAKE_256 => true,
             self::RSASSA_PKCS1_V1_5_SHA_256 => true,
             self::RSASSA_PKCS1_V1_5_SHA_384 => true,
             self::RSASSA_PKCS1_V1_5_SHA_512 => true,

src/Service/Kms/src/Input/CreateKeyRequest.php

@@ -78,7 +78,8 @@ final class CreateKeyRequest extends Input
      * - For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
      * - For asymmetric KMS keys with RSA key pairs, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
      * - For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
-     * - For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify `SIGN_VERIFY`.
+     * - For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify `SIGN_VERIFY`.
+     * - For asymmetric KMS keys with ML-DSA key pairs, specify `SIGN_VERIFY`.
      * - For asymmetric KMS keys with SM2 key pairs (China Regions only), specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or
      *   `KEY_AGREEMENT`.
      *
@@ -142,6 +143,12 @@ final class CreateKeyRequest extends Input
      *
      *   - `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
      *
+     * - Asymmetric ML-DSA key pairs (signing and verification)
+     *
+     *   - `ML_DSA_44`
+     *   - `ML_DSA_65`
+     *   - `ML_DSA_87`
+     *
      * - SM2 key pairs (encryption and decryption -or- signing and verification -or- deriving shared secrets)
      *
      *   - `SM2` (China Regions only)

src/Service/Kms/src/Input/SignRequest.php

@@ -50,25 +50,30 @@ final class SignRequest extends Input
 
     /**
      * Tells KMS whether the value of the `Message` parameter should be hashed as part of the signing algorithm. Use `RAW`
-     * for unhashed messages; use `DIGEST` for message digests, which are already hashed.
+     * for unhashed messages; use `DIGEST` for message digests, which are already hashed; use `EXTERNAL_MU` for 64-byte
+     * representative μ used in ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
      *
      * When the value of `MessageType` is `RAW`, KMS uses the standard signing algorithm, which begins with a hash function.
-     * When the value is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+     * When the value is `DIGEST`, KMS skips the hashing step in the signing algorithm. When the value is `EXTERNAL_MU` KMS
+     * skips the concatenated hashing of the public key hash and the message done in the ML-DSA signing algorithm.
      *
-     * ! Use the `DIGEST` value only when the value of the `Message` parameter is a message digest. If you use the `DIGEST`
-     * ! value with an unhashed message, the security of the signing operation can be compromised.
+     * ! Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the `Message` parameter is a message digest. If you
+     * ! use the `DIGEST` value with an unhashed message, the security of the signing operation can be compromised.
      *
-     * When the value of `MessageType`is `DIGEST`, the length of the `Message` value must match the length of hashed
+     * When the value of `MessageType` is `DIGEST`, the length of the `Message` value must match the length of hashed
      * messages for the specified signing algorithm.
      *
+     * When the value of `MessageType` is `EXTERNAL_MU` the length of the `Message` value must be 64 bytes.
+     *
      * You can submit a message digest and omit the `MessageType` or specify `RAW` so the digest is hashed again while
      * signing. However, this can cause verification failures when verifying with a system that assumes a single hash.
      *
-     * The hashing algorithm in that `Sign` uses is based on the `SigningAlgorithm` value.
+     * The hashing algorithm that `Sign` uses is based on the `SigningAlgorithm` value.
      *
      * - Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
      * - Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
      * - Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
+     * - Signing algorithms that end in SHAKE_256 use the SHAKE_256 hashing algorithm.
      * - SM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs [^1].
      *
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification

src/Service/Kms/src/Input/VerifyRequest.php

@@ -49,26 +49,31 @@ final class VerifyRequest extends Input
 
     /**
      * Tells KMS whether the value of the `Message` parameter should be hashed as part of the signing algorithm. Use `RAW`
-     * for unhashed messages; use `DIGEST` for message digests, which are already hashed.
+     * for unhashed messages; use `DIGEST` for message digests, which are already hashed; use `EXTERNAL_MU` for 64-byte
+     * representative μ used in ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
      *
      * When the value of `MessageType` is `RAW`, KMS uses the standard signing algorithm, which begins with a hash function.
-     * When the value is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+     * When the value is `DIGEST`, KMS skips the hashing step in the signing algorithm. When the value is `EXTERNAL_MU` KMS
+     * skips the concatenated hashing of the public key hash and the message done in the ML-DSA signing algorithm.
      *
-     * ! Use the `DIGEST` value only when the value of the `Message` parameter is a message digest. If you use the `DIGEST`
-     * ! value with an unhashed message, the security of the verification operation can be compromised.
+     * ! Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the `Message` parameter is a message digest. If you
+     * ! use the `DIGEST` value with an unhashed message, the security of the signing operation can be compromised.
      *
-     * When the value of `MessageType`is `DIGEST`, the length of the `Message` value must match the length of hashed
+     * When the value of `MessageType` is `DIGEST`, the length of the `Message` value must match the length of hashed
      * messages for the specified signing algorithm.
      *
+     * When the value of `MessageType` is `EXTERNAL_MU` the length of the `Message` value must be 64 bytes.
+     *
      * You can submit a message digest and omit the `MessageType` or specify `RAW` so the digest is hashed again while
      * signing. However, if the signed message is hashed once while signing, but twice while verifying, verification fails,
      * even when the message hasn't changed.
      *
-     * The hashing algorithm in that `Verify` uses is based on the `SigningAlgorithm` value.
+     * The hashing algorithm that `Verify` uses is based on the `SigningAlgorithm` value.
      *
      * - Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
      * - Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
      * - Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
+     * - Signing algorithms that end in SHAKE_256 use the SHAKE_256 hashing algorithm.
      * - SM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs [^1].
      *
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification

src/Service/Kms/src/KmsClient.php

@@ -184,15 +184,16 @@ public function createAlias($input): Result
      *   Then, use the `KeyUsage` parameter to determine whether the KMS key will be used to encrypt and decrypt or sign and
      *   verify. You can't change these properties after the KMS key is created.
      *
-     *   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions
-     *   only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
-     *   operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage.
-     *   KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS
-     *   keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared secrets (but not
-     *   both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with SM2 key pairs
-     *   (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared
-     *   secrets (you must choose one key usage type). For information about asymmetric KMS keys, see Asymmetric KMS keys
-     *   [^2] in the *Key Management Service Developer Guide*.
+     *   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, ML-DSA key pair or an SM2 key pair
+     *   (China Regions only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use
+     *   the GetPublicKey operation to download the public key so it can be used outside of KMS. Each KMS key can have only
+     *   one key usage. KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but
+     *   not both). KMS keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared
+     *   secrets (but not both). KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS keys with
+     *   ML-DSA key pairs can be used to sign and verify messages. KMS keys with SM2 key pairs (China Regions only) can be
+     *   used to either encrypt and decrypt data, sign and verify messages, or derive shared secrets (you must choose one
+     *   key usage type). For information about asymmetric KMS keys, see Asymmetric KMS keys [^2] in the *Key Management
+     *   Service Developer Guide*.
      *
      * - `HMAC KMS key`:
      *
@@ -875,10 +876,10 @@ public function listAliases($input = []): ListAliasesResponse
      * outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys [^2] in the *Key Management
      * Service Developer Guide*.
      *
-     * Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is
-     * represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a message.
-     * Anyone with the public key can verify that the message was signed with that particular private key and that the
-     * message hasn't changed since it was signed.
+     * Digital signatures are generated and verified by using asymmetric key pair, such as an RSA, ECC, or ML-DSA pair that
+     * is represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a
+     * message. Anyone with the public key can verify that the message was signed with that particular private key and that
+     * the message hasn't changed since it was signed.
      *
      * To use the `Sign` operation, provide the following information:
      *
@@ -887,8 +888,8 @@ public function listAliases($input = []): ListAliasesResponse
      *   key.
      * - Use the `Message` parameter to specify the message or message digest to sign. You can submit messages of up to 4096
      *   bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash digest in the
-     *   `Message` parameter. To indicate whether the message is a full message or a digest, use the `MessageType`
-     *   parameter.
+     *   `Message` parameter. To indicate whether the message is a full message, a digest, or an ML-DSA EXTERNAL_MU, use the
+     *   `MessageType` parameter.
      * - Choose a signing algorithm that is compatible with the KMS key.
      *
      * ! When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to