Minor.

Author: pavel-raykov

keystore/admin.go

@@ -6,14 +6,19 @@ import (
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
+	"encoding/json"
 	"fmt"
 	"maps"
 	"time"
 
+	gethkeystore "github.com/ethereum/go-ethereum/accounts/keystore"
 	"golang.org/x/crypto/curve25519"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/ethereum/go-ethereum/crypto"
+
 	"github.com/smartcontractkit/chainlink-common/keystore/internal"
+	"github.com/smartcontractkit/chainlink-common/keystore/serialization"
 )
 
 var (
@@ -52,8 +57,8 @@ type ImportKeysRequest struct {
 
 type ImportKeyRequest struct {
 	KeyName string
-	KeyType KeyType
 	Data    []byte
+	Enc     EncryptionParams
 }
 
 type ImportKeysResponse struct{}
@@ -227,12 +232,91 @@ func (k *keystore) DeleteKeys(ctx context.Context, req DeleteKeysRequest) (Delet
 	return DeleteKeysResponse{}, nil
 }
 
-func (k *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+func (ks *keystore) ImportKeys(ctx context.Context, req ImportKeysRequest) (ImportKeysResponse, error) {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+
+	ksCopy := maps.Clone(ks.keystore)
+	for _, keyReq := range req.Keys {
+		if err := ValidKeyName(keyReq.KeyName); err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrInvalidKeyName, err)
+		}
+		if _, ok := ksCopy[keyReq.KeyName]; ok {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyAlreadyExists, keyReq.KeyName)
+		}
+		if err := ValidKeyName(keyReq.KeyName); err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("%w: %s", ErrInvalidKeyName, err)
+		}
+		encData := gethkeystore.CryptoJSON{}
+		err := json.Unmarshal(keyReq.Data, &encData)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal encrypted import data: %w", keyReq.KeyName, err)
+		}
+		decData, err := gethkeystore.DecryptDataV3(encData, keyReq.Enc.Password)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to decrypt key: %w", keyReq.KeyName, err)
+		}
+		keypb := &serialization.Key{}
+		err = proto.Unmarshal(decData, keypb)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to unmarshal key: %w", keyReq.KeyName, err)
+		}
+		pkRaw := internal.NewRaw(keypb.PrivateKey)
+		keyType := KeyType(keypb.KeyType)
+		publicKey, err := publicKeyFromPrivateKey(pkRaw, keyType)
+		if err != nil {
+			return ImportKeysResponse{}, fmt.Errorf("key = %s, failed to get public key from private key: %w", keyReq.KeyName, err)
+		}
+		metadata := keypb.Metadata
+		if metadata == nil {
+			metadata = []byte{}
+		}
+		ksCopy[keyReq.KeyName] = newKey(keyType, pkRaw, publicKey, time.Unix(keypb.CreatedAt, 0), metadata)
+	}
+	// Persist it to storage.
+	if err := ks.save(ctx, ksCopy); err != nil {
+		return ImportKeysResponse{}, fmt.Errorf("failed to save keystore: %w", err)
+	}
+	// If we succeed to save, update the in memory keystore.
+	ks.keystore = ksCopy
 	return ImportKeysResponse{}, nil
 }
 
-func (k *keystore) ExportKeys(ctx context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
-	return ExportKeysResponse{}, nil
+func (ks *keystore) ExportKeys(_ context.Context, req ExportKeysRequest) (ExportKeysResponse, error) {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+
+	result := ExportKeysResponse{}
+	for _, keyReq := range req.Keys {
+		if key, ok := ks.keystore[keyReq.KeyName]; !ok {
+			return ExportKeysResponse{}, fmt.Errorf("%w: %s", ErrKeyNotFound, keyReq.KeyName)
+		} else {
+			keypb := &serialization.Key{
+				Name:       keyReq.KeyName,
+				KeyType:    string(key.keyType),
+				PrivateKey: internal.Bytes(key.privateKey),
+				CreatedAt:  key.createdAt.Unix(),
+				Metadata:   key.metadata,
+			}
+			serialized, err := proto.Marshal(keypb)
+			if err != nil {
+				return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal key: %w", keyReq.KeyName, err)
+			}
+			encData, err := gethkeystore.EncryptDataV3(serialized, []byte(keyReq.Enc.Password), keyReq.Enc.ScryptParams.N, keyReq.Enc.ScryptParams.P)
+			if err != nil {
+				return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to encrypt key: %w", keyReq.KeyName, err)
+			}
+			encDataBytes, err := json.Marshal(encData)
+			if err != nil {
+				return ExportKeysResponse{}, fmt.Errorf("key = %s, failed to marshal encrypted key: %w", keyReq.KeyName, err)
+			}
+			result.Keys = append(result.Keys, ExportKeyResponse{
+				KeyName: keyReq.KeyName,
+				Data:    encDataBytes,
+			})
+		}
+	}
+	return result, nil
 }
 
 func (ks *keystore) SetMetadata(ctx context.Context, req SetMetadataRequest) (SetMetadataResponse, error) {

keystore/admin_test.go

@@ -210,3 +210,59 @@ func TestKeystore_ConcurrentCreateAndRead(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, numWriters*keysPerWriter, len(resp.Keys))
 }
+
+func TestKeystore_ExportImport(t *testing.T) {
+	t.Parallel()
+
+	ks1, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), keystore.EncryptionParams{
+		Password:     "ks1",
+		ScryptParams: keystore.FastScryptParams,
+	})
+	require.NoError(t, err)
+	_, err = ks1.CreateKeys(t.Context(), keystore.CreateKeysRequest{
+		Keys: []keystore.CreateKeyRequest{
+			{KeyName: "key1", KeyType: keystore.Ed25519},
+		},
+	})
+	require.NoError(t, err)
+	exportParams := keystore.EncryptionParams{
+		Password:     "export-pass",
+		ScryptParams: keystore.FastScryptParams,
+	}
+	exportResponse, err := ks1.ExportKeys(t.Context(), keystore.ExportKeysRequest{
+		Keys: []keystore.ExportKeyParam{
+			{KeyName: "key1", Enc: exportParams},
+		},
+	})
+	require.Len(t, exportResponse.Keys, 1)
+	ks2, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), keystore.EncryptionParams{
+		Password:     "ks2",
+		ScryptParams: keystore.FastScryptParams,
+	})
+	_, err = ks2.ImportKeys(t.Context(), keystore.ImportKeysRequest{
+		Keys: []keystore.ImportKeyRequest{
+			{KeyName: "key1", Enc: exportParams, Data: exportResponse.Keys[0].Data},
+		},
+	})
+	require.NoError(t, err)
+
+	n1, err := ks1.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+	require.NoError(t, err)
+	n2, err := ks2.GetKeys(t.Context(), keystore.GetKeysRequest{KeyNames: []string{"key1"}})
+	require.Equal(t, n1, n2)
+
+	testData := []byte("hello world")
+	signature, err := ks2.Sign(t.Context(), keystore.SignRequest{
+		KeyName: "key1",
+		Data:    testData,
+	})
+	require.NoError(t, err)
+	verifyResp, err := ks1.Verify(t.Context(), keystore.VerifyRequest{
+		KeyType:   keystore.Ed25519,
+		PublicKey: n1.Keys[0].KeyInfo.PublicKey,
+		Data:      testData,
+		Signature: signature.Signature,
+	})
+	require.NoError(t, err)
+	require.True(t, verifyResp.Valid)
+}

keystore/keystore.go

@@ -143,9 +143,9 @@ func newKey(keyType KeyType, privateKey internal.Raw, publicKey []byte, createdA
 	}
 }
 
-// EncryptionParams controls password-based encryption cost.
-// N and P are scrypt parameters; higher values increase CPU/memory cost.
+// EncryptionParams controls password-based encryption.
 // Password is the secret used to derive the encryption key.
+// ScryptParams control CPU/memory cost.
 type EncryptionParams struct {
 	Password     string
 	ScryptParams ScryptParams