authorSimo Sorce <simo@redhat.com>2015-10-27 14:47:35 -0400
committerSimo Sorce <simo@redhat.com>2015-11-06 20:55:12 -0500
commit3b7eed15c3f9da7381d240a762b0e557dd18ce96 (patch)
treeb67710d589c55657f7757ab1b6bb489068b2ecae /custodia/message/kem.py
parent2780854f1e206563b7451087984f729d0b748d35 (diff)
Add support in the client for the kem message type
This makes it easy to use end-to-end encrypted requests and replies to fetch secrets. Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'custodia/message/kem.py')
-rw-r--r--custodia/message/kem.py14
1 files changed, 9 insertions, 5 deletions
diff --git a/custodia/message/kem.py b/custodia/message/kem.py
index 48b756b..add1c72 100644
--- a/custodia/message/kem.py
+++ b/custodia/message/kem.py
@@ -215,11 +215,9 @@ class KEMClient(object):
self.server_keys[KEY_USAGE_ENC], encalg)
def parse_reply(self, name, message):
- jwe = JWT(jwt=message,
- key=self.client_keys[KEY_USAGE_ENC])
- jws = JWT(jwt=jwe.claims,
- key=self.server_keys[KEY_USAGE_SIG])
- claims = json_decode(jws.claims)
+ claims = decode_enc_kem(message,
+ self.client_keys[KEY_USAGE_ENC],
+ self.server_keys[KEY_USAGE_SIG])
check_kem_claims(claims, name)
return claims['value']
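Review bot: The new `decode_enc_kem(...)` call in parse_reply passes the decryption key and the signature-verification key positionally, so the two key arguments can be transposed without the call site looking wrong. Naming them makes the role of each key explicit: `claims = decode_enc_kem(message, enc_key=self.client_keys[KEY_USAGE_ENC], sig_key=self.server_keys[KEY_USAGE_SIG])`. The KEMClient class starts and continues outside this hunk, so other call sites are not visible here.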
@@ -242,6 +240,12 @@ def make_enc_kem(name, value, sig_key, alg, enc_key, enc):
return jwe.serialize(compact=True)
+def decode_enc_kem(message, enc_key, sig_key):
+ jwe = JWT(jwt=message, key=enc_key)
+ jws = JWT(jwt=jwe.claims, key=sig_key)
+ return json_decode(jws.claims)
+
+
# unit tests
test_keys = ({
"kty": "RSA",
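Review bot: decode_enc_kem is added without a docstring, and its contract is security-relevant: it decrypts `message` with `enc_key`, verifies the nested token with `sig_key`, and returns the decoded claims without validating them. A docstring should say that and state that callers must still run `check_kem_claims` on the result, as parse_reply does, for example `"""Decrypt message with enc_key, verify the inner signature with sig_key, and return the (not yet validated) claims."""`. Neither `JWT(...)` call restricts the token type or the accepted algorithms, so what is accepted appears to depend on the JWT class's defaults. If that class takes an allowed-algorithms argument, it is worth passing one here.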