{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.KMS.Sign
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Creates a
-- <https://en.wikipedia.org/wiki/Digital_signature digital signature> for
-- a message or message digest by using the private key in an asymmetric
-- KMS key. To verify the signature, use the Verify operation, or use the
-- public key in the same asymmetric KMS key outside of KMS. For
-- information about symmetric and asymmetric KMS keys, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html Using Symmetric and Asymmetric KMS keys>
-- in the /Key Management Service Developer Guide/.
--
-- Digital signatures are generated and verified by using asymmetric key
-- pair, such as an RSA or ECC pair that is represented by an asymmetric
-- KMS key. The key owner (or an authorized user) uses their private key to
-- sign a message. Anyone with the public key can verify that the message
-- was signed with that particular private key and that the message hasn\'t
-- changed since it was signed.
--
-- To use the @Sign@ operation, provide the following information:
--
-- -   Use the @KeyId@ parameter to identify an asymmetric KMS key with a
--     @KeyUsage@ value of @SIGN_VERIFY@. To get the @KeyUsage@ value of a
--     KMS key, use the DescribeKey operation. The caller must have
--     @kms:Sign@ permission on the KMS key.
--
-- -   Use the @Message@ parameter to specify the message or message digest
--     to sign. You can submit messages of up to 4096 bytes. To sign a
--     larger message, generate a hash digest of the message, and then
--     provide the hash digest in the @Message@ parameter. To indicate
--     whether the message is a full message or a digest, use the
--     @MessageType@ parameter.
--
-- -   Choose a signing algorithm that is compatible with the KMS key.
--
-- When signing a message, be sure to record the KMS key and the signing
-- algorithm. This information is required to verify the signature.
--
-- To verify the signature that this operation generates, use the Verify
-- operation. Or use the GetPublicKey operation to download the public key
-- and then use the public key to verify the signature outside of KMS.
--
-- The KMS key that you use for this operation must be in a compatible key
-- state. For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html Key state: Effect on your KMS key>
-- in the /Key Management Service Developer Guide/.
--
-- __Cross-account use__: Yes. To perform this operation with a KMS key in
-- a different Amazon Web Services account, specify the key ARN or alias
-- ARN in the value of the @KeyId@ parameter.
--
-- __Required permissions__:
-- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:Sign>
-- (key policy)
--
-- __Related operations__: Verify
module Amazonka.KMS.Sign
  ( -- * Creating a Request
    Sign (..),
    newSign,

    -- * Request Lenses
    sign_messageType,
    sign_grantTokens,
    sign_keyId,
    sign_message,
    sign_signingAlgorithm,

    -- * Destructuring the Response
    SignResponse (..),
    newSignResponse,

    -- * Response Lenses
    signResponse_signingAlgorithm,
    signResponse_signature,
    signResponse_keyId,
    signResponse_httpStatus,
  )
where

import qualified Amazonka.Core as Core
import Amazonka.KMS.Types
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | /See:/ 'newSign' smart constructor.
data Sign = Sign'
  { -- | Tells KMS whether the value of the @Message@ parameter is a message or
    -- message digest. The default value, RAW, indicates a message. To indicate
    -- a message digest, enter @DIGEST@.
    Sign -> Maybe MessageType
messageType :: Prelude.Maybe MessageType,
    -- | A list of grant tokens.
    --
    -- Use a grant token when your permission to call this operation comes from
    -- a new grant that has not yet achieved /eventual consistency/. For more
    -- information, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
    -- and
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
    -- in the /Key Management Service Developer Guide/.
    Sign -> Maybe [Text]
grantTokens :: Prelude.Maybe [Prelude.Text],
    -- | Identifies an asymmetric KMS key. KMS uses the private key in the
    -- asymmetric KMS key to sign the message. The @KeyUsage@ type of the KMS
    -- key must be @SIGN_VERIFY@. To find the @KeyUsage@ of a KMS key, use the
    -- DescribeKey operation.
    --
    -- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
    -- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
    -- key in a different Amazon Web Services account, you must use the key ARN
    -- or alias ARN.
    --
    -- For example:
    --
    -- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Key ARN:
    --     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Alias name: @alias\/ExampleAlias@
    --
    -- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
    --
    -- To get the key ID and key ARN for a KMS key, use ListKeys or
    -- DescribeKey. To get the alias name and alias ARN, use ListAliases.
    Sign -> Text
keyId :: Prelude.Text,
    -- | Specifies the message or message digest to sign. Messages can be 0-4096
    -- bytes. To sign a larger message, provide the message digest.
    --
    -- If you provide a message, KMS generates a hash digest of the message and
    -- then signs it.
    Sign -> Sensitive Base64
message :: Core.Sensitive Core.Base64,
    -- | Specifies the signing algorithm to use when signing the message.
    --
    -- Choose an algorithm that is compatible with the type and size of the
    -- specified asymmetric KMS key.
    Sign -> SigningAlgorithmSpec
signingAlgorithm :: SigningAlgorithmSpec
  }
  deriving (Sign -> Sign -> Bool
(Sign -> Sign -> Bool) -> (Sign -> Sign -> Bool) -> Eq Sign
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: Sign -> Sign -> Bool
$c/= :: Sign -> Sign -> Bool
== :: Sign -> Sign -> Bool
$c== :: Sign -> Sign -> Bool
Prelude.Eq, Int -> Sign -> ShowS
[Sign] -> ShowS
Sign -> String
(Int -> Sign -> ShowS)
-> (Sign -> String) -> ([Sign] -> ShowS) -> Show Sign
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [Sign] -> ShowS
$cshowList :: [Sign] -> ShowS
show :: Sign -> String
$cshow :: Sign -> String
showsPrec :: Int -> Sign -> ShowS
$cshowsPrec :: Int -> Sign -> ShowS
Prelude.Show, (forall x. Sign -> Rep Sign x)
-> (forall x. Rep Sign x -> Sign) -> Generic Sign
forall x. Rep Sign x -> Sign
forall x. Sign -> Rep Sign x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep Sign x -> Sign
$cfrom :: forall x. Sign -> Rep Sign x
Prelude.Generic)

-- |
-- Create a value of 'Sign' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'messageType', 'sign_messageType' - Tells KMS whether the value of the @Message@ parameter is a message or
-- message digest. The default value, RAW, indicates a message. To indicate
-- a message digest, enter @DIGEST@.
--
-- 'grantTokens', 'sign_grantTokens' - A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
--
-- 'keyId', 'sign_keyId' - Identifies an asymmetric KMS key. KMS uses the private key in the
-- asymmetric KMS key to sign the message. The @KeyUsage@ type of the KMS
-- key must be @SIGN_VERIFY@. To find the @KeyUsage@ of a KMS key, use the
-- DescribeKey operation.
--
-- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
-- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
-- key in a different Amazon Web Services account, you must use the key ARN
-- or alias ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Alias name: @alias\/ExampleAlias@
--
-- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey. To get the alias name and alias ARN, use ListAliases.
--
-- 'message', 'sign_message' - Specifies the message or message digest to sign. Messages can be 0-4096
-- bytes. To sign a larger message, provide the message digest.
--
-- If you provide a message, KMS generates a hash digest of the message and
-- then signs it.--
-- -- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- -- The underlying isomorphism will encode to Base64 representation during
-- -- serialisation, and decode from Base64 representation during deserialisation.
-- -- This 'Lens' accepts and returns only raw unencoded data.
--
-- 'signingAlgorithm', 'sign_signingAlgorithm' - Specifies the signing algorithm to use when signing the message.
--
-- Choose an algorithm that is compatible with the type and size of the
-- specified asymmetric KMS key.
newSign ::
  -- | 'keyId'
  Prelude.Text ->
  -- | 'message'
  Prelude.ByteString ->
  -- | 'signingAlgorithm'
  SigningAlgorithmSpec ->
  Sign
newSign :: Text -> ByteString -> SigningAlgorithmSpec -> Sign
newSign Text
pKeyId_ ByteString
pMessage_ SigningAlgorithmSpec
pSigningAlgorithm_ =
  Sign' :: Maybe MessageType
-> Maybe [Text]
-> Text
-> Sensitive Base64
-> SigningAlgorithmSpec
-> Sign
Sign'
    { $sel:messageType:Sign' :: Maybe MessageType
messageType = Maybe MessageType
forall a. Maybe a
Prelude.Nothing,
      $sel:grantTokens:Sign' :: Maybe [Text]
grantTokens = Maybe [Text]
forall a. Maybe a
Prelude.Nothing,
      $sel:keyId:Sign' :: Text
keyId = Text
pKeyId_,
      $sel:message:Sign' :: Sensitive Base64
message =
        Tagged Base64 (Identity Base64)
-> Tagged (Sensitive Base64) (Identity (Sensitive Base64))
forall a. Iso' (Sensitive a) a
Core._Sensitive (Tagged Base64 (Identity Base64)
 -> Tagged (Sensitive Base64) (Identity (Sensitive Base64)))
-> (Tagged ByteString (Identity ByteString)
    -> Tagged Base64 (Identity Base64))
-> Tagged ByteString (Identity ByteString)
-> Tagged (Sensitive Base64) (Identity (Sensitive Base64))
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Tagged ByteString (Identity ByteString)
-> Tagged Base64 (Identity Base64)
Iso' Base64 ByteString
Core._Base64
          (Tagged ByteString (Identity ByteString)
 -> Tagged (Sensitive Base64) (Identity (Sensitive Base64)))
-> ByteString -> Sensitive Base64
forall t b. AReview t b -> b -> t
Lens.# ByteString
pMessage_,
      $sel:signingAlgorithm:Sign' :: SigningAlgorithmSpec
signingAlgorithm = SigningAlgorithmSpec
pSigningAlgorithm_
    }

-- | Tells KMS whether the value of the @Message@ parameter is a message or
-- message digest. The default value, RAW, indicates a message. To indicate
-- a message digest, enter @DIGEST@.
sign_messageType :: Lens.Lens' Sign (Prelude.Maybe MessageType)
sign_messageType :: (Maybe MessageType -> f (Maybe MessageType)) -> Sign -> f Sign
sign_messageType = (Sign -> Maybe MessageType)
-> (Sign -> Maybe MessageType -> Sign)
-> Lens Sign Sign (Maybe MessageType) (Maybe MessageType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\Sign' {Maybe MessageType
messageType :: Maybe MessageType
$sel:messageType:Sign' :: Sign -> Maybe MessageType
messageType} -> Maybe MessageType
messageType) (\s :: Sign
s@Sign' {} Maybe MessageType
a -> Sign
s {$sel:messageType:Sign' :: Maybe MessageType
messageType = Maybe MessageType
a} :: Sign)

-- | A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
sign_grantTokens :: Lens.Lens' Sign (Prelude.Maybe [Prelude.Text])
sign_grantTokens :: (Maybe [Text] -> f (Maybe [Text])) -> Sign -> f Sign
sign_grantTokens = (Sign -> Maybe [Text])
-> (Sign -> Maybe [Text] -> Sign)
-> Lens Sign Sign (Maybe [Text]) (Maybe [Text])
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\Sign' {Maybe [Text]
grantTokens :: Maybe [Text]
$sel:grantTokens:Sign' :: Sign -> Maybe [Text]
grantTokens} -> Maybe [Text]
grantTokens) (\s :: Sign
s@Sign' {} Maybe [Text]
a -> Sign
s {$sel:grantTokens:Sign' :: Maybe [Text]
grantTokens = Maybe [Text]
a} :: Sign) ((Maybe [Text] -> f (Maybe [Text])) -> Sign -> f Sign)
-> ((Maybe [Text] -> f (Maybe [Text]))
    -> Maybe [Text] -> f (Maybe [Text]))
-> (Maybe [Text] -> f (Maybe [Text]))
-> Sign
-> f Sign
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso [Text] [Text] [Text] [Text]
-> Iso (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) (Maybe [Text])
forall (f :: * -> *) (g :: * -> *) s t a b.
(Functor f, Functor g) =>
AnIso s t a b -> Iso (f s) (g t) (f a) (g b)
Lens.mapping AnIso [Text] [Text] [Text] [Text]
forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b
Lens.coerced

-- | Identifies an asymmetric KMS key. KMS uses the private key in the
-- asymmetric KMS key to sign the message. The @KeyUsage@ type of the KMS
-- key must be @SIGN_VERIFY@. To find the @KeyUsage@ of a KMS key, use the
-- DescribeKey operation.
--
-- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
-- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
-- key in a different Amazon Web Services account, you must use the key ARN
-- or alias ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Alias name: @alias\/ExampleAlias@
--
-- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey. To get the alias name and alias ARN, use ListAliases.
sign_keyId :: Lens.Lens' Sign Prelude.Text
sign_keyId :: (Text -> f Text) -> Sign -> f Sign
sign_keyId = (Sign -> Text)
-> (Sign -> Text -> Sign) -> Lens Sign Sign Text Text
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\Sign' {Text
keyId :: Text
$sel:keyId:Sign' :: Sign -> Text
keyId} -> Text
keyId) (\s :: Sign
s@Sign' {} Text
a -> Sign
s {$sel:keyId:Sign' :: Text
keyId = Text
a} :: Sign)

-- | Specifies the message or message digest to sign. Messages can be 0-4096
-- bytes. To sign a larger message, provide the message digest.
--
-- If you provide a message, KMS generates a hash digest of the message and
-- then signs it.--
-- -- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- -- The underlying isomorphism will encode to Base64 representation during
-- -- serialisation, and decode from Base64 representation during deserialisation.
-- -- This 'Lens' accepts and returns only raw unencoded data.
sign_message :: Lens.Lens' Sign Prelude.ByteString
sign_message :: (ByteString -> f ByteString) -> Sign -> f Sign
sign_message = (Sign -> Sensitive Base64)
-> (Sign -> Sensitive Base64 -> Sign)
-> Lens Sign Sign (Sensitive Base64) (Sensitive Base64)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\Sign' {Sensitive Base64
message :: Sensitive Base64
$sel:message:Sign' :: Sign -> Sensitive Base64
message} -> Sensitive Base64
message) (\s :: Sign
s@Sign' {} Sensitive Base64
a -> Sign
s {$sel:message:Sign' :: Sensitive Base64
message = Sensitive Base64
a} :: Sign) ((Sensitive Base64 -> f (Sensitive Base64)) -> Sign -> f Sign)
-> ((ByteString -> f ByteString)
    -> Sensitive Base64 -> f (Sensitive Base64))
-> (ByteString -> f ByteString)
-> Sign
-> f Sign
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. (Base64 -> f Base64) -> Sensitive Base64 -> f (Sensitive Base64)
forall a. Iso' (Sensitive a) a
Core._Sensitive ((Base64 -> f Base64) -> Sensitive Base64 -> f (Sensitive Base64))
-> ((ByteString -> f ByteString) -> Base64 -> f Base64)
-> (ByteString -> f ByteString)
-> Sensitive Base64
-> f (Sensitive Base64)
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. (ByteString -> f ByteString) -> Base64 -> f Base64
Iso' Base64 ByteString
Core._Base64

-- | Specifies the signing algorithm to use when signing the message.
--
-- Choose an algorithm that is compatible with the type and size of the
-- specified asymmetric KMS key.
sign_signingAlgorithm :: Lens.Lens' Sign SigningAlgorithmSpec
sign_signingAlgorithm :: (SigningAlgorithmSpec -> f SigningAlgorithmSpec) -> Sign -> f Sign
sign_signingAlgorithm = (Sign -> SigningAlgorithmSpec)
-> (Sign -> SigningAlgorithmSpec -> Sign)
-> Lens Sign Sign SigningAlgorithmSpec SigningAlgorithmSpec
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\Sign' {SigningAlgorithmSpec
signingAlgorithm :: SigningAlgorithmSpec
$sel:signingAlgorithm:Sign' :: Sign -> SigningAlgorithmSpec
signingAlgorithm} -> SigningAlgorithmSpec
signingAlgorithm) (\s :: Sign
s@Sign' {} SigningAlgorithmSpec
a -> Sign
s {$sel:signingAlgorithm:Sign' :: SigningAlgorithmSpec
signingAlgorithm = SigningAlgorithmSpec
a} :: Sign)

instance Core.AWSRequest Sign where
  type AWSResponse Sign = SignResponse
  request :: Sign -> Request Sign
request = Service -> Sign -> Request Sign
forall a. (ToRequest a, ToJSON a) => Service -> a -> Request a
Request.postJSON Service
defaultService
  response :: Logger
-> Service
-> Proxy Sign
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse Sign)))
response =
    (Int
 -> ResponseHeaders -> Object -> Either String (AWSResponse Sign))
-> Logger
-> Service
-> Proxy Sign
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse Sign)))
forall (m :: * -> *) a.
MonadResource m =>
(Int -> ResponseHeaders -> Object -> Either String (AWSResponse a))
-> Logger
-> Service
-> Proxy a
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse a)))
Response.receiveJSON
      ( \Int
s ResponseHeaders
h Object
x ->
          Maybe SigningAlgorithmSpec
-> Maybe Base64 -> Maybe Text -> Int -> SignResponse
SignResponse'
            (Maybe SigningAlgorithmSpec
 -> Maybe Base64 -> Maybe Text -> Int -> SignResponse)
-> Either String (Maybe SigningAlgorithmSpec)
-> Either
     String (Maybe Base64 -> Maybe Text -> Int -> SignResponse)
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> (Object
x Object -> Text -> Either String (Maybe SigningAlgorithmSpec)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"SigningAlgorithm")
            Either String (Maybe Base64 -> Maybe Text -> Int -> SignResponse)
-> Either String (Maybe Base64)
-> Either String (Maybe Text -> Int -> SignResponse)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Either String (Maybe Base64)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"Signature")
            Either String (Maybe Text -> Int -> SignResponse)
-> Either String (Maybe Text)
-> Either String (Int -> SignResponse)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Either String (Maybe Text)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"KeyId")
            Either String (Int -> SignResponse)
-> Either String Int -> Either String SignResponse
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Int -> Either String Int
forall (f :: * -> *) a. Applicative f => a -> f a
Prelude.pure (Int -> Int
forall a. Enum a => a -> Int
Prelude.fromEnum Int
s))
      )

instance Prelude.Hashable Sign

instance Prelude.NFData Sign

instance Core.ToHeaders Sign where
  toHeaders :: Sign -> ResponseHeaders
toHeaders =
    ResponseHeaders -> Sign -> ResponseHeaders
forall a b. a -> b -> a
Prelude.const
      ( [ResponseHeaders] -> ResponseHeaders
forall a. Monoid a => [a] -> a
Prelude.mconcat
          [ HeaderName
"X-Amz-Target"
              HeaderName -> ByteString -> ResponseHeaders
forall a. ToHeader a => HeaderName -> a -> ResponseHeaders
Core.=# (ByteString
"TrentService.Sign" :: Prelude.ByteString),
            HeaderName
"Content-Type"
              HeaderName -> ByteString -> ResponseHeaders
forall a. ToHeader a => HeaderName -> a -> ResponseHeaders
Core.=# ( ByteString
"application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )

instance Core.ToJSON Sign where
  toJSON :: Sign -> Value
toJSON Sign' {Maybe [Text]
Maybe MessageType
Text
Sensitive Base64
SigningAlgorithmSpec
signingAlgorithm :: SigningAlgorithmSpec
message :: Sensitive Base64
keyId :: Text
grantTokens :: Maybe [Text]
messageType :: Maybe MessageType
$sel:signingAlgorithm:Sign' :: Sign -> SigningAlgorithmSpec
$sel:message:Sign' :: Sign -> Sensitive Base64
$sel:keyId:Sign' :: Sign -> Text
$sel:grantTokens:Sign' :: Sign -> Maybe [Text]
$sel:messageType:Sign' :: Sign -> Maybe MessageType
..} =
    [Pair] -> Value
Core.object
      ( [Maybe Pair] -> [Pair]
forall a. [Maybe a] -> [a]
Prelude.catMaybes
          [ (Text
"MessageType" Text -> MessageType -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=) (MessageType -> Pair) -> Maybe MessageType -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe MessageType
messageType,
            (Text
"GrantTokens" Text -> [Text] -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=) ([Text] -> Pair) -> Maybe [Text] -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe [Text]
grantTokens,
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"KeyId" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Text
keyId),
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"Message" Text -> Sensitive Base64 -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Sensitive Base64
message),
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just
              (Text
"SigningAlgorithm" Text -> SigningAlgorithmSpec -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= SigningAlgorithmSpec
signingAlgorithm)
          ]
      )

instance Core.ToPath Sign where
  toPath :: Sign -> ByteString
toPath = ByteString -> Sign -> ByteString
forall a b. a -> b -> a
Prelude.const ByteString
"/"

instance Core.ToQuery Sign where
  toQuery :: Sign -> QueryString
toQuery = QueryString -> Sign -> QueryString
forall a b. a -> b -> a
Prelude.const QueryString
forall a. Monoid a => a
Prelude.mempty

-- | /See:/ 'newSignResponse' smart constructor.
data SignResponse = SignResponse'
  { -- | The signing algorithm that was used to sign the message.
    SignResponse -> Maybe SigningAlgorithmSpec
signingAlgorithm :: Prelude.Maybe SigningAlgorithmSpec,
    -- | The cryptographic signature that was generated for the message.
    --
    -- -   When used with the supported RSA signing algorithms, the encoding of
    --     this value is defined by
    --     <https://tools.ietf.org/html/rfc8017 PKCS #1 in RFC 8017>.
    --
    -- -   When used with the @ECDSA_SHA_256@, @ECDSA_SHA_384@, or
    --     @ECDSA_SHA_512@ signing algorithms, this value is a DER-encoded
    --     object as defined by ANS X9.62–2005 and
    --     <https://tools.ietf.org/html/rfc3279#section-2.2.3 RFC 3279 Section 2.2.3>.
    --     This is the most commonly used signature format and is appropriate
    --     for most uses.
    --
    -- When you use the HTTP API or the Amazon Web Services CLI, the value is
    -- Base64-encoded. Otherwise, it is not Base64-encoded.
    SignResponse -> Maybe Base64
signature :: Prelude.Maybe Core.Base64,
    -- | The Amazon Resource Name
    -- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
    -- of the asymmetric KMS key that was used to sign the message.
    SignResponse -> Maybe Text
keyId :: Prelude.Maybe Prelude.Text,
    -- | The response's http status code.
    SignResponse -> Int
httpStatus :: Prelude.Int
  }
  deriving (SignResponse -> SignResponse -> Bool
(SignResponse -> SignResponse -> Bool)
-> (SignResponse -> SignResponse -> Bool) -> Eq SignResponse
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: SignResponse -> SignResponse -> Bool
$c/= :: SignResponse -> SignResponse -> Bool
== :: SignResponse -> SignResponse -> Bool
$c== :: SignResponse -> SignResponse -> Bool
Prelude.Eq, ReadPrec [SignResponse]
ReadPrec SignResponse
Int -> ReadS SignResponse
ReadS [SignResponse]
(Int -> ReadS SignResponse)
-> ReadS [SignResponse]
-> ReadPrec SignResponse
-> ReadPrec [SignResponse]
-> Read SignResponse
forall a.
(Int -> ReadS a)
-> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a
readListPrec :: ReadPrec [SignResponse]
$creadListPrec :: ReadPrec [SignResponse]
readPrec :: ReadPrec SignResponse
$creadPrec :: ReadPrec SignResponse
readList :: ReadS [SignResponse]
$creadList :: ReadS [SignResponse]
readsPrec :: Int -> ReadS SignResponse
$creadsPrec :: Int -> ReadS SignResponse
Prelude.Read, Int -> SignResponse -> ShowS
[SignResponse] -> ShowS
SignResponse -> String
(Int -> SignResponse -> ShowS)
-> (SignResponse -> String)
-> ([SignResponse] -> ShowS)
-> Show SignResponse
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [SignResponse] -> ShowS
$cshowList :: [SignResponse] -> ShowS
show :: SignResponse -> String
$cshow :: SignResponse -> String
showsPrec :: Int -> SignResponse -> ShowS
$cshowsPrec :: Int -> SignResponse -> ShowS
Prelude.Show, (forall x. SignResponse -> Rep SignResponse x)
-> (forall x. Rep SignResponse x -> SignResponse)
-> Generic SignResponse
forall x. Rep SignResponse x -> SignResponse
forall x. SignResponse -> Rep SignResponse x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep SignResponse x -> SignResponse
$cfrom :: forall x. SignResponse -> Rep SignResponse x
Prelude.Generic)

-- |
-- Create a value of 'SignResponse' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'signingAlgorithm', 'signResponse_signingAlgorithm' - The signing algorithm that was used to sign the message.
--
-- 'signature', 'signResponse_signature' - The cryptographic signature that was generated for the message.
--
-- -   When used with the supported RSA signing algorithms, the encoding of
--     this value is defined by
--     <https://tools.ietf.org/html/rfc8017 PKCS #1 in RFC 8017>.
--
-- -   When used with the @ECDSA_SHA_256@, @ECDSA_SHA_384@, or
--     @ECDSA_SHA_512@ signing algorithms, this value is a DER-encoded
--     object as defined by ANS X9.62–2005 and
--     <https://tools.ietf.org/html/rfc3279#section-2.2.3 RFC 3279 Section 2.2.3>.
--     This is the most commonly used signature format and is appropriate
--     for most uses.
--
-- When you use the HTTP API or the Amazon Web Services CLI, the value is
-- Base64-encoded. Otherwise, it is not Base64-encoded.--
-- -- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- -- The underlying isomorphism will encode to Base64 representation during
-- -- serialisation, and decode from Base64 representation during deserialisation.
-- -- This 'Lens' accepts and returns only raw unencoded data.
--
-- 'keyId', 'signResponse_keyId' - The Amazon Resource Name
-- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
-- of the asymmetric KMS key that was used to sign the message.
--
-- 'httpStatus', 'signResponse_httpStatus' - The response's http status code.
newSignResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  SignResponse
newSignResponse :: Int -> SignResponse
newSignResponse Int
pHttpStatus_ =
  SignResponse' :: Maybe SigningAlgorithmSpec
-> Maybe Base64 -> Maybe Text -> Int -> SignResponse
SignResponse'
    { $sel:signingAlgorithm:SignResponse' :: Maybe SigningAlgorithmSpec
signingAlgorithm = Maybe SigningAlgorithmSpec
forall a. Maybe a
Prelude.Nothing,
      $sel:signature:SignResponse' :: Maybe Base64
signature = Maybe Base64
forall a. Maybe a
Prelude.Nothing,
      $sel:keyId:SignResponse' :: Maybe Text
keyId = Maybe Text
forall a. Maybe a
Prelude.Nothing,
      $sel:httpStatus:SignResponse' :: Int
httpStatus = Int
pHttpStatus_
    }

-- | The signing algorithm that was used to sign the message.
signResponse_signingAlgorithm :: Lens.Lens' SignResponse (Prelude.Maybe SigningAlgorithmSpec)
signResponse_signingAlgorithm :: (Maybe SigningAlgorithmSpec -> f (Maybe SigningAlgorithmSpec))
-> SignResponse -> f SignResponse
signResponse_signingAlgorithm = (SignResponse -> Maybe SigningAlgorithmSpec)
-> (SignResponse -> Maybe SigningAlgorithmSpec -> SignResponse)
-> Lens
     SignResponse
     SignResponse
     (Maybe SigningAlgorithmSpec)
     (Maybe SigningAlgorithmSpec)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\SignResponse' {Maybe SigningAlgorithmSpec
signingAlgorithm :: Maybe SigningAlgorithmSpec
$sel:signingAlgorithm:SignResponse' :: SignResponse -> Maybe SigningAlgorithmSpec
signingAlgorithm} -> Maybe SigningAlgorithmSpec
signingAlgorithm) (\s :: SignResponse
s@SignResponse' {} Maybe SigningAlgorithmSpec
a -> SignResponse
s {$sel:signingAlgorithm:SignResponse' :: Maybe SigningAlgorithmSpec
signingAlgorithm = Maybe SigningAlgorithmSpec
a} :: SignResponse)

-- | The cryptographic signature that was generated for the message.
--
-- -   When used with the supported RSA signing algorithms, the encoding of
--     this value is defined by
--     <https://tools.ietf.org/html/rfc8017 PKCS #1 in RFC 8017>.
--
-- -   When used with the @ECDSA_SHA_256@, @ECDSA_SHA_384@, or
--     @ECDSA_SHA_512@ signing algorithms, this value is a DER-encoded
--     object as defined by ANS X9.62–2005 and
--     <https://tools.ietf.org/html/rfc3279#section-2.2.3 RFC 3279 Section 2.2.3>.
--     This is the most commonly used signature format and is appropriate
--     for most uses.
--
-- When you use the HTTP API or the Amazon Web Services CLI, the value is
-- Base64-encoded. Otherwise, it is not Base64-encoded.--
-- -- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- -- The underlying isomorphism will encode to Base64 representation during
-- -- serialisation, and decode from Base64 representation during deserialisation.
-- -- This 'Lens' accepts and returns only raw unencoded data.
signResponse_signature :: Lens.Lens' SignResponse (Prelude.Maybe Prelude.ByteString)
signResponse_signature :: (Maybe ByteString -> f (Maybe ByteString))
-> SignResponse -> f SignResponse
signResponse_signature = (SignResponse -> Maybe Base64)
-> (SignResponse -> Maybe Base64 -> SignResponse)
-> Lens SignResponse SignResponse (Maybe Base64) (Maybe Base64)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\SignResponse' {Maybe Base64
signature :: Maybe Base64
$sel:signature:SignResponse' :: SignResponse -> Maybe Base64
signature} -> Maybe Base64
signature) (\s :: SignResponse
s@SignResponse' {} Maybe Base64
a -> SignResponse
s {$sel:signature:SignResponse' :: Maybe Base64
signature = Maybe Base64
a} :: SignResponse) ((Maybe Base64 -> f (Maybe Base64))
 -> SignResponse -> f SignResponse)
-> ((Maybe ByteString -> f (Maybe ByteString))
    -> Maybe Base64 -> f (Maybe Base64))
-> (Maybe ByteString -> f (Maybe ByteString))
-> SignResponse
-> f SignResponse
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso Base64 Base64 ByteString ByteString
-> Iso
     (Maybe Base64) (Maybe Base64) (Maybe ByteString) (Maybe ByteString)
forall (f :: * -> *) (g :: * -> *) s t a b.
(Functor f, Functor g) =>
AnIso s t a b -> Iso (f s) (g t) (f a) (g b)
Lens.mapping AnIso Base64 Base64 ByteString ByteString
Iso' Base64 ByteString
Core._Base64

-- | The Amazon Resource Name
-- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
-- of the asymmetric KMS key that was used to sign the message.
signResponse_keyId :: Lens.Lens' SignResponse (Prelude.Maybe Prelude.Text)
signResponse_keyId :: (Maybe Text -> f (Maybe Text)) -> SignResponse -> f SignResponse
signResponse_keyId = (SignResponse -> Maybe Text)
-> (SignResponse -> Maybe Text -> SignResponse)
-> Lens SignResponse SignResponse (Maybe Text) (Maybe Text)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\SignResponse' {Maybe Text
keyId :: Maybe Text
$sel:keyId:SignResponse' :: SignResponse -> Maybe Text
keyId} -> Maybe Text
keyId) (\s :: SignResponse
s@SignResponse' {} Maybe Text
a -> SignResponse
s {$sel:keyId:SignResponse' :: Maybe Text
keyId = Maybe Text
a} :: SignResponse)

-- | The response's http status code.
signResponse_httpStatus :: Lens.Lens' SignResponse Prelude.Int
signResponse_httpStatus :: (Int -> f Int) -> SignResponse -> f SignResponse
signResponse_httpStatus = (SignResponse -> Int)
-> (SignResponse -> Int -> SignResponse)
-> Lens SignResponse SignResponse Int Int
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\SignResponse' {Int
httpStatus :: Int
$sel:httpStatus:SignResponse' :: SignResponse -> Int
httpStatus} -> Int
httpStatus) (\s :: SignResponse
s@SignResponse' {} Int
a -> SignResponse
s {$sel:httpStatus:SignResponse' :: Int
httpStatus = Int
a} :: SignResponse)

instance Prelude.NFData SignResponse