Merge branch 'main' into http-action-limits

Author: jmank88

keystore/admin.go

@@ -6,14 +6,19 @@ import (
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
+	"encoding/json"
 	"fmt"
 	"maps"
 	"time"
 
+	gethkeystore "github.com/ethereum/go-ethereum/accounts/keystore"
 	"golang.org/x/crypto/curve25519"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/ethereum/go-ethereum/crypto"
+
 	"github.com/smartcontractkit/chainlink-common/keystore/internal"
+	"github.com/smartcontractkit/chainlink-common/keystore/serialization"
 )
 
 var (
@@ -51,9 +56,9 @@ type ImportKeysRequest struct {
 }
 
 type ImportKeyRequest struct {
-	KeyName string
-	KeyType KeyType
-	Data    []byte
+	KeyName  string
+	Data     []byte
+	Password string
 }
 
 type ImportKeysResponse struct{}
@@ -227,12 +232,90 @@ func (k *keystore) DeleteKeys(ctx context.Context, req DeleteKeysRequest) (Delet
 	return DeleteKeysResponse{}, nil
 }
 
-func (k *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+func (ks *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+
+	ksCopy := maps.Clone(ks.keystore)
+	for _, keyReq := range req.Keys {
+		if err := ValidKeyName(keyReq.KeyName); err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrInvalidKeyName, err)
+		}
+		if _, ok := ksCopy[keyReq.KeyName]; ok {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyAlreadyExists, keyReq.KeyName)
+		}
+		encData := gethkeystore.CryptoJSON{}
+		err := json.Unmarshal(keyReq.Data, &encData)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal encrypted import data: %w", keyReq.KeyName, err)
+		}
+		decData, err := gethkeystore.DecryptDataV3(encData, keyReq.Password)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to decrypt key: %w", keyReq.KeyName, err)
+		}
+		keypb := &serialization.Key{}
+		err = proto.Unmarshal(decData, keypb)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal key: %w", keyReq.KeyName, err)
+		}
+		pkRaw := internal.NewRaw(keypb.PrivateKey)
+		keyType := KeyType(keypb.KeyType)
+		publicKey, err := publicKeyFromPrivateKey(pkRaw, keyType)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to get public key from private key: %w", keyReq.KeyName, err)
+		}
+		metadata := keypb.Metadata
+		// The proto compiler sets empty slices to nil during the serialization (https://github.com/golang/protobuf/issues/1348).
+		// We set metadata back to empty slice to be consistent with the Create method which initializes it as such.
+		if metadata == nil {
+			metadata = []byte{}
+		}
+		ksCopy[keyReq.KeyName] = newKey(keyType, pkRaw, publicKey, time.Unix(keypb.CreatedAt, 0), metadata)
+	}
+	// Persist it to storage.
+	if err := ks.save(ctx, ksCopy); err != nil {
+		return ImportKeysResponse{}, fmt.Errorf("failed to save keystore: %w", err)
+	}
+	// If we succeed to save, update the in memory keystore.
+	ks.keystore = ksCopy
 	return ImportKeysResponse{}, nil
 }
 
-func (k *keystore) ExportKeys(ctx context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
-	return ExportKeysResponse{}, nil
+func (ks *keystore) ExportKeys(_ context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
+	ks.mu.RLock()
+	defer ks.mu.RUnlock()
+
+	result := ExportKeysResponse{}
+	for _, keyReq := range req.Keys {
+		key, ok := ks.keystore[keyReq.KeyName]
+		if !ok {
+			return ExportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyNotFound, keyReq.KeyName)
+		}
+		keypb := &serialization.Key{
+			Name:       keyReq.KeyName,
+			KeyType:    string(key.keyType),
+			PrivateKey: internal.Bytes(key.privateKey),
+			CreatedAt:  key.createdAt.Unix(),
+			Metadata:   key.metadata,
+		}
+		serialized, err := proto.Marshal(keypb)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal key: %w", keyReq.KeyName, err)
+		}
+		encData, err := gethkeystore.EncryptDataV3(serialized, []byte(keyReq.Enc.Password), keyReq.Enc.ScryptParams.N, keyReq.Enc.ScryptParams.P)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to encrypt key: %w", keyReq.KeyName, err)
+		}
+		encDataBytes, err := json.Marshal(encData)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal encrypted key: %w", keyReq.KeyName, err)
+		}
+		result.Keys = append(result.Keys, ExportKeyResponse{
+			KeyName: keyReq.KeyName,
+			Data:    encDataBytes,
+		})
+	}
+	return result, nil
 }
 
 func (ks *keystore) SetMetadata(ctx context.Context, req SetMetadataRequest) (SetMetadataResponse, error) {

keystore/admin_test.go

@@ -210,3 +210,79 @@ func TestKeystore_ConcurrentCreateAndRead(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, numWriters*keysPerWriter, len(resp.Keys))
 }
+
+func TestKeystore_ExportImport(t *testing.T) {
+	ks1, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), keystore.EncryptionParams{
+		Password:     "ks1",
+		ScryptParams: keystore.FastScryptParams,
+	})
+	ks2, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), keystore.EncryptionParams{
+		Password:     "ks2",
+		ScryptParams: keystore.FastScryptParams,
+	})
+
+	t.Run("export and import", func(t *testing.T) {
+		exportParams := keystore.EncryptionParams{
+			Password:     "export-pass",
+			ScryptParams: keystore.FastScryptParams,
+		}
+		_, err = ks1.CreateKeys(t.Context(), keystore.CreateKeysRequest{
+			Keys: []keystore.CreateKeyRequest{
+				{KeyName: "key1", KeyType: keystore.Ed25519},
+			},
+		})
+		require.NoError(t, err)
+		exportResponse, err := ks1.ExportKeys(t.Context(), keystore.ExportKeysRequest{
+			Keys: []keystore.ExportKeyParam{
+				{KeyName: "key1", Enc: exportParams},
+			},
+		})
+		require.NoError(t, err)
+		require.Len(t, exportResponse.Keys, 1)
+		_, err = ks2.ImportKeys(t.Context(), keystore.ImportKeysRequest{
+			Keys: []keystore.ImportKeyRequest{
+				{KeyName: "key1", Password: exportParams.Password, Data: exportResponse.Keys[0].Data},
+			},
+		})
+		require.NoError(t, err)
+		key1ks1, err := ks1.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+		require.NoError(t, err)
+		key1ks2, err := ks2.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+		require.Equal(t, key1ks1, key1ks2)
+
+		// We cannot compare private keys directly, so we test that signing with key1 from ks1 and verifying
+		// with key1 from ks2 works as if the two keys are the same.
+		testData := []byte("hello world")
+		signature, err := ks2.Sign(t.Context(), keystore.SignRequest{
+			KeyName: "key1",
+			Data:    testData,
+		})
+		require.NoError(t, err)
+		verifyResp, err := ks1.Verify(t.Context(), keystore.VerifyRequest{
+			KeyType:   keystore.Ed25519,
+			PublicKey: key1ks1.Keys[0].KeyInfo.PublicKey,
+			Data:      testData,
+			Signature: signature.Signature,
+		})
+		require.NoError(t, err)
+		require.True(t, verifyResp.Valid)
+	})
+
+	t.Run("export non-existent key", func(t *testing.T) {
+		_, err = ks1.ExportKeys(t.Context(), keystore.ExportKeysRequest{
+			Keys: []keystore.ExportKeyParam{
+				{KeyName: "key2", Enc: keystore.EncryptionParams{}},
+			},
+		})
+		require.ErrorIs(t, err, keystore.ErrKeyNotFound)
+	})
+
+	t.Run("import existing key", func(t *testing.T) {
+		_, err = ks2.ImportKeys(t.Context(), keystore.ImportKeysRequest{
+			Keys: []keystore.ImportKeyRequest{
+				{KeyName: "key1", Password: "", Data: []byte{}},
+			},
+		})
+		require.ErrorIs(t, err, keystore.ErrKeyAlreadyExists)
+	})
+}

keystore/keystore.go

@@ -143,9 +143,9 @@ func newKey(keyType KeyType, privateKey internal.Raw, publicKey []byte, createdA
 	}
 }
 
-// EncryptionParams controls password-based encryption cost.
-// N and P are scrypt parameters; higher values increase CPU/memory cost.
+// EncryptionParams controls password-based encryption.
 // Password is the secret used to derive the encryption key.
+// ScryptParams control CPU/memory cost.
 type EncryptionParams struct {
 	Password     string
 	ScryptParams ScryptParams