smartcontractkit
diff --git a/‎go.md‎
Lines changed: 3 additions & 0 deletions b/‎go.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎keystore/admin.go‎
Lines changed: 107 additions & 6 deletions b/‎keystore/admin.go‎
Lines changed: 107 additions & 6 deletions
diff --git a/‎keystore/admin_test.go‎
Lines changed: 109 additions & 8 deletions b/‎keystore/admin_test.go‎
Lines changed: 109 additions & 8 deletions
@@ -15,6 +15,8 @@ flowchart LR
 	chainlink-common --> grpc-proxy
 	chainlink-common --> libocr
 	click chainlink-common href "https://github.com/smartcontractkit/chainlink-common"
+	chainlink-common/keystore --> chainlink-common
+	click chainlink-common/keystore href "https://github.com/smartcontractkit/chainlink-common"
 	chainlink-common/pkg/chipingress
 	click chainlink-common/pkg/chipingress href "https://github.com/smartcontractkit/chainlink-common"
 	chainlink-common/pkg/monitoring --> chainlink-common
@@ -40,6 +42,7 @@ flowchart LR
 
 	subgraph chainlink-common-repo[chainlink-common]
 		 chainlink-common
+		 chainlink-common/keystore
 		 chainlink-common/pkg/chipingress
 		 chainlink-common/pkg/monitoring
 		 chainlink-common/pkg/values
 
@@ -37,7 +37,7 @@ require (
 	github.com/scylladb/go-reflectx v1.0.1
 	github.com/shopspring/decimal v1.4.0
 	github.com/smartcontractkit/chain-selectors v1.0.67
-	github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.9-0.20251020164035-ab562b473fe2
+	github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.10
 	github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20251024234028-0988426d98f4
 	github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20251021010742-3f8d3dba17d8
 	github.com/smartcontractkit/chainlink-protos/linking-service/go v0.0.0-20251002192024-d2ad9222409b
 
@@ -326,8 +326,8 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/smartcontractkit/chain-selectors v1.0.67 h1:gxTqP/JC40KDe3DE1SIsIKSTKTZEPyEU1YufO1admnw=
 github.com/smartcontractkit/chain-selectors v1.0.67/go.mod h1:xsKM0aN3YGcQKTPRPDDtPx2l4mlTN1Djmg0VVXV40b8=
-github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.9-0.20251020164035-ab562b473fe2 h1:p79eZtyBbZYumftwZGCkyKSNDvUralW7lqcTD99Ovmw=
-github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.9-0.20251020164035-ab562b473fe2/go.mod h1:oiDa54M0FwxevWwyAX773lwdWvFYYlYHHQV1LQ5HpWY=
+github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.10 h1:FJAFgXS9oqASnkS03RE1HQwYQQxrO4l46O5JSzxqLgg=
+github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.10/go.mod h1:oiDa54M0FwxevWwyAX773lwdWvFYYlYHHQV1LQ5HpWY=
 github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20251024234028-0988426d98f4 h1:GCzrxDWn3b7jFfEA+WiYRi8CKoegsayiDoJBCjYkneE=
 github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20251024234028-0988426d98f4/go.mod h1:HHGeDUpAsPa0pmOx7wrByCitjQ0mbUxf0R9v+g67uCA=
 github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20251021010742-3f8d3dba17d8 h1:hPeEwcvRVtwhyNXH45qbzqmscqlbygu94cROwbjyzNQ=
 
@@ -6,14 +6,19 @@ import (
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
+	"encoding/json"
 	"fmt"
 	"maps"
 	"time"
 
+	gethkeystore "github.com/ethereum/go-ethereum/accounts/keystore"
 	"golang.org/x/crypto/curve25519"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/ethereum/go-ethereum/crypto"
+
 	"github.com/smartcontractkit/chainlink-common/keystore/internal"
+	"github.com/smartcontractkit/chainlink-common/keystore/serialization"
 )
 
 var (
@@ -51,9 +56,9 @@ type ImportKeysRequest struct {
 }
 
 type ImportKeyRequest struct {
-	KeyName string
-	KeyType KeyType
-	Data    []byte
+	KeyName  string
+	Data     []byte
+	Password string
 }
 
 type ImportKeysResponse struct{}
@@ -227,14 +232,110 @@ func (k *keystore) DeleteKeys(ctx context.Context, req DeleteKeysRequest) (Delet
 	return DeleteKeysResponse{}, nil
 }
 
-func (k *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+func (ks *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+
+	ksCopy := maps.Clone(ks.keystore)
+	for _, keyReq := range req.Keys {
+		if err := ValidKeyName(keyReq.KeyName); err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrInvalidKeyName, err)
+		}
+		if _, ok := ksCopy[keyReq.KeyName]; ok {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyAlreadyExists, keyReq.KeyName)
+		}
+		encData := gethkeystore.CryptoJSON{}
+		err := json.Unmarshal(keyReq.Data, &encData)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal encrypted import data: %w", keyReq.KeyName, err)
+		}
+		decData, err := gethkeystore.DecryptDataV3(encData, keyReq.Password)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to decrypt key: %w", keyReq.KeyName, err)
+		}
+		keypb := &serialization.Key{}
+		err = proto.Unmarshal(decData, keypb)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal key: %w", keyReq.KeyName, err)
+		}
+		pkRaw := internal.NewRaw(keypb.PrivateKey)
+		keyType := KeyType(keypb.KeyType)
+		publicKey, err := publicKeyFromPrivateKey(pkRaw, keyType)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to get public key from private key: %w", keyReq.KeyName, err)
+		}
+		metadata := keypb.Metadata
+		// The proto compiler sets empty slices to nil during the serialization (https://github.com/golang/protobuf/issues/1348).
+		// We set metadata back to empty slice to be consistent with the Create method which initializes it as such.
+		if metadata == nil {
+			metadata = []byte{}
+		}
+		ksCopy[keyReq.KeyName] = newKey(keyType, pkRaw, publicKey, time.Unix(keypb.CreatedAt, 0), metadata)
+	}
+	// Persist it to storage.
+	if err := ks.save(ctx, ksCopy); err != nil {
+		return ImportKeysResponse{}, fmt.Errorf("failed to save keystore: %w", err)
+	}
+	// If we succeed to save, update the in memory keystore.
+	ks.keystore = ksCopy
 	return ImportKeysResponse{}, nil
 }
 
-func (k *keystore) ExportKeys(ctx context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
-	return ExportKeysResponse{}, nil
+func (ks *keystore) ExportKeys(_ context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
+	ks.mu.RLock()
+	defer ks.mu.RUnlock()
+
+	result := ExportKeysResponse{}
+	for _, keyReq := range req.Keys {
+		key, ok := ks.keystore[keyReq.KeyName]
+		if !ok {
+			return ExportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyNotFound, keyReq.KeyName)
+		}
+		keypb := &serialization.Key{
+			Name:       keyReq.KeyName,
+			KeyType:    string(key.keyType),
+			PrivateKey: internal.Bytes(key.privateKey),
+			CreatedAt:  key.createdAt.Unix(),
+			Metadata:   key.metadata,
+		}
+		serialized, err := proto.Marshal(keypb)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal key: %w", keyReq.KeyName, err)
+		}
+		encData, err := gethkeystore.EncryptDataV3(serialized, []byte(keyReq.Enc.Password), keyReq.Enc.ScryptParams.N, keyReq.Enc.ScryptParams.P)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to encrypt key: %w", keyReq.KeyName, err)
+		}
+		encDataBytes, err := json.Marshal(encData)
+		if err != nil {
+			return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal encrypted key: %w", keyReq.KeyName, err)
+		}
+		result.Keys = append(result.Keys, ExportKeyResponse{
+			KeyName: keyReq.KeyName,
+			Data:    encDataBytes,
+		})
+	}
+	return result, nil
 }
 
 func (ks *keystore) SetMetadata(ctx context.Context, req SetMetadataRequest) (SetMetadataResponse, error) {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+
+	ksCopy := maps.Clone(ks.keystore)
+	for _, metReq := range req.Updates {
+		key, ok := ksCopy[metReq.KeyName]
+		if !ok {
+			return SetMetadataResponse{}, fmt.Errorf("%w: %s", ErrKeyNotFound, metReq.KeyName)
+		}
+		key.metadata = metReq.Metadata
+		ksCopy[metReq.KeyName] = key
+	}
+	// Persist it to storage.
+	if err := ks.save(ctx, ksCopy); err != nil {
+		return SetMetadataResponse{}, fmt.Errorf("failed to save keystore: %w", err)
+	}
+	// If we succeed to save, update the in memory keystore.
+	ks.keystore = ksCopy
 	return SetMetadataResponse{}, nil
 }
@@ -111,10 +111,7 @@ func TestKeystore_CreateDeleteReadKeys(t *testing.T) {
 	for _, tt := range tt {
 		t.Run(tt.name, func(t *testing.T) {
 			storage := keystore.NewMemoryStorage()
-			ks, err := keystore.LoadKeystore(ctx, storage, keystore.EncryptionParams{
-				Password:     "test-password",
-				ScryptParams: keystore.FastScryptParams,
-			})
+			ks, err := keystore.LoadKeystore(ctx, storage, "test-password", keystore.WithScryptParams(keystore.FastScryptParams))
 			require.NoError(t, err)
 			for _, op := range tt.keyOps {
 				switch op.op {
@@ -163,10 +160,7 @@ func TestKeystore_ConcurrentCreateAndRead(t *testing.T) {
 
 	ctx := context.Background()
 	st := keystore.NewMemoryStorage()
-	ks, err := keystore.LoadKeystore(ctx, st, keystore.EncryptionParams{
-		Password:     "test",
-		ScryptParams: keystore.FastScryptParams,
-	})
+	ks, err := keystore.LoadKeystore(ctx, st, "test", keystore.WithScryptParams(keystore.FastScryptParams))
 	require.NoError(t, err)
 
 	const (
@@ -210,3 +204,110 @@ func TestKeystore_ConcurrentCreateAndRead(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, numWriters*keysPerWriter, len(resp.Keys))
 }
+
+func TestKeystore_ExportImport(t *testing.T) {
+	ks1, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), "ks1")
+	require.NoError(t, err)
+	ks2, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), "ks2")
+	require.NoError(t, err)
+
+	t.Run("export and import", func(t *testing.T) {
+		exportParams := keystore.EncryptionParams{
+			Password:     "export-pass",
+			ScryptParams: keystore.FastScryptParams,
+		}
+		_, err = ks1.CreateKeys(t.Context(), keystore.CreateKeysRequest{
+			Keys: []keystore.CreateKeyRequest{
+				{KeyName: "key1", KeyType: keystore.Ed25519},
+			},
+		})
+		require.NoError(t, err)
+		exportResponse, err := ks1.ExportKeys(t.Context(), keystore.ExportKeysRequest{
+			Keys: []keystore.ExportKeyParam{
+				{KeyName: "key1", Enc: exportParams},
+			},
+		})
+		require.NoError(t, err)
+		require.Len(t, exportResponse.Keys, 1)
+		_, err = ks2.ImportKeys(t.Context(), keystore.ImportKeysRequest{
+			Keys: []keystore.ImportKeyRequest{
+				{KeyName: "key1", Password: exportParams.Password, Data: exportResponse.Keys[0].Data},
+			},
+		})
+		require.NoError(t, err)
+		key1ks1, err := ks1.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+		require.NoError(t, err)
+		key1ks2, err := ks2.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+		require.Equal(t, key1ks1, key1ks2)
+
+		// We cannot compare private keys directly, so we test that signing with key1 from ks1 and verifying
+		// with key1 from ks2 works as if the two keys are the same.
+		testData := []byte("hello world")
+		signature, err := ks2.Sign(t.Context(), keystore.SignRequest{
+			KeyName: "key1",
+			Data:    testData,
+		})
+		require.NoError(t, err)
+		verifyResp, err := ks1.Verify(t.Context(), keystore.VerifyRequest{
+			KeyType:   keystore.Ed25519,
+			PublicKey: key1ks1.Keys[0].KeyInfo.PublicKey,
+			Data:      testData,
+			Signature: signature.Signature,
+		})
+		require.NoError(t, err)
+		require.True(t, verifyResp.Valid)
+	})
+
+	t.Run("export non-existent key", func(t *testing.T) {
+		_, err = ks1.ExportKeys(t.Context(), keystore.ExportKeysRequest{
+			Keys: []keystore.ExportKeyParam{
+				{KeyName: "key2", Enc: keystore.EncryptionParams{}},
+			},
+		})
+		require.ErrorIs(t, err, keystore.ErrKeyNotFound)
+	})
+
+	t.Run("import existing key", func(t *testing.T) {
+		_, err = ks2.ImportKeys(t.Context(), keystore.ImportKeysRequest{
+			Keys: []keystore.ImportKeyRequest{
+				{KeyName: "key1", Password: "", Data: []byte{}},
+			},
+		})
+		require.ErrorIs(t, err, keystore.ErrKeyAlreadyExists)
+	})
+}
+
+func TestKeystore_SetMetadata(t *testing.T) {
+	ks, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), "ks")
+	require.NoError(t, err)
+
+	t.Run("update existing key", func(t *testing.T) {
+		_, err = ks.CreateKeys(t.Context(), keystore.CreateKeysRequest{
+			Keys: []keystore.CreateKeyRequest{
+				{KeyName: "key1", KeyType: keystore.Ed25519},
+			},
+		})
+		require.NoError(t, err)
+
+		_, err = ks.SetMetadata(t.Context(), keystore.SetMetadataRequest{
+			[]keystore.SetMetadataUpdate{
+				{KeyName: "key1", Metadata: []byte("my-metadata")},
+			},
+		})
+		require.NoError(t, err)
+
+		keysResp, err := ks.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+		require.NoError(t, err)
+		require.Len(t, keysResp.Keys, 1)
+		assert.Equal(t, []byte("my-metadata"), keysResp.Keys[0].KeyInfo.Metadata)
+	})
+
+	t.Run("update non-existent key", func(t *testing.T) {
+		_, err = ks.SetMetadata(t.Context(), keystore.SetMetadataRequest{
+			[]keystore.SetMetadataUpdate{
+				{KeyName: "key2", Metadata: []byte("")},
+			},
+		})
+		require.ErrorIs(t, err, keystore.ErrKeyNotFound)
+	})
+}