Merge branch 'main' into ARCH-339-cobra-cli

Author: connorwstein

.github/workflows/keystore.yml

@@ -2,17 +2,34 @@ name: Keystore Checks
 permissions:
   contents: read
 
-on:
-  push:
-    paths:
-      - "keystore/**"
+on: push
 
 jobs:
+  changes:
+    name: detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      keystore-src: ${{ steps.keystore-changes.outputs.src }}
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: keystore-changes
+        with:
+          filters: |
+            src:
+            - 'keystore/**'
+
   run-tests:
+    name: run tests
+    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.keystore-src == 'true'
     defaults:
       run:
         working-directory: keystore
-    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -30,7 +47,13 @@ jobs:
         run: go test ./... -coverpkg=./... -coverprofile=coverage.txt
 
   build-race-tests:
+    name: race tests
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.keystore-src == 'true'
+    defaults:
+      run:
+        working-directory: keystore
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -61,4 +84,17 @@ jobs:
         with:
           name: go-race-results
           path: |
-            ./race.*
+            ./race.*
+
+  gate:
+    name: summary gate
+    runs-on: ubuntu-latest
+    needs: [changes, run-tests, build-race-tests]
+    if: always()
+    steps:
+      - name: Fail if any job ran and failed
+        if: needs.changes.outputs.keystore-src == 'true' &&
+          (needs.run-tests.result != 'success' || 
+           needs.build-race-tests.result != 'success')
+        run: exit 1
+

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1
 	github.com/hashicorp/go-hclog v1.6.3
-	github.com/hashicorp/go-plugin v1.6.3
+	github.com/hashicorp/go-plugin v1.7.0
 	github.com/iancoleman/strcase v0.3.0
 	github.com/invopop/jsonschema v0.13.0
 	github.com/jackc/pgx/v4 v4.18.3
@@ -83,7 +83,6 @@ require (
 	github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bufbuild/protocompile v0.14.1 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
@@ -112,7 +111,6 @@ require (
 	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgtype v1.14.4 // indirect
-	github.com/jhump/protoreflect v1.15.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect

go.sum

@@ -143,8 +143,8 @@ github.com/hako/durafmt v0.0.0-20200710122514-c0fb7b4da026 h1:BpJ2o0OR5FV7vrkDYf
 github.com/hako/durafmt v0.0.0-20200710122514-c0fb7b4da026/go.mod h1:5Scbynm8dF1XAPwIwkGPqzkM/shndPm79Jd1003hTjE=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg=
-github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0=
+github.com/hashicorp/go-plugin v1.7.0 h1:YghfQH/0QmPNc/AZMTFE3ac8fipZyZECHdDPshfk+mA=
+github.com/hashicorp/go-plugin v1.7.0/go.mod h1:BExt6KEaIYx804z8k4gRzRLEvxKVb+kn0NMcihqOqb8=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
@@ -202,8 +202,8 @@ github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0f
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jhump/protoreflect v1.15.3 h1:6SFRuqU45u9hIZPJAoZ8c28T3nK64BNdp9w6jFonzls=
-github.com/jhump/protoreflect v1.15.3/go.mod h1:4ORHmSBmlCW8fh3xHmJMGyul1zNqZK4Elxc8qKP+p1k=
+github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94=
+github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=

keystore/core_keystore.go

@@ -0,0 +1,51 @@
+package keystore
+
+import (
+	"context"
+)
+
+// CoreKeystore implements the core.Keystore interface for backwards compatibility with the old keystore
+// https://github.com/smartcontractkit/chainlink-common/blob/main/pkg/types/core/keystore.go#L23
+// We don't add a dependency directly to chainlink-common here to avoid circular dependencies.
+type CoreKeystore struct {
+	ks Keystore
+}
+
+func NewCoreKeystore(ks Keystore) *CoreKeystore {
+	return &CoreKeystore{ks: ks}
+}
+
+func (c *CoreKeystore) Accounts(ctx context.Context) ([]string, error) {
+	// List all the keys in the keystore.
+	keys, err := c.ks.GetKeys(ctx, GetKeysRequest{})
+	if err != nil {
+		return nil, err
+	}
+	accounts := make([]string, 0, len(keys.Keys))
+	for _, key := range keys.Keys {
+		accounts = append(accounts, key.KeyInfo.Name)
+	}
+	return accounts, nil
+}
+
+func (c *CoreKeystore) Sign(ctx context.Context, account string, data []byte) ([]byte, error) {
+	resp, err := c.ks.Sign(ctx, SignRequest{
+		KeyName: account,
+		Data:    data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return resp.Signature, nil
+}
+
+func (c *CoreKeystore) Decrypt(ctx context.Context, account string, data []byte) ([]byte, error) {
+	resp, err := c.ks.Decrypt(ctx, DecryptRequest{
+		KeyName:       account,
+		EncryptedData: data,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return resp.Data, nil
+}

keystore/core_keystore_test.go

@@ -0,0 +1,55 @@
+package keystore_test
+
+import (
+	"testing"
+
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/stretchr/testify/require"
+
+	"github.com/smartcontractkit/chainlink-common/keystore"
+)
+
+func TestCoreKeystore(t *testing.T) {
+	ctx := t.Context()
+
+	ks, err := keystore.LoadKeystore(t.Context(), keystore.NewMemoryStorage(), "test-password", keystore.WithScryptParams(keystore.FastScryptParams))
+	require.NoError(t, err)
+	coreKs := keystore.NewCoreKeystore(ks)
+
+	keysResp, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{
+		Keys: []keystore.CreateKeyRequest{
+			{KeyName: "encrypt", KeyType: keystore.X25519},
+			{KeyName: "sign", KeyType: keystore.ECDSA_S256},
+		},
+	})
+	require.NoError(t, err)
+	require.Equal(t, 2, len(keysResp.Keys))
+
+	accounts, err := coreKs.Accounts(ctx)
+	require.NoError(t, err)
+	require.Equal(t, []string{"encrypt", "sign"}, accounts)
+
+	signature, err := coreKs.Sign(ctx, "sign", crypto.Keccak256([]byte("test-data-to-sign")))
+	require.NoError(t, err)
+	require.NotEmpty(t, signature)
+	verifyResp, err := ks.Verify(ctx, keystore.VerifyRequest{
+		KeyType:   keysResp.Keys[1].KeyInfo.KeyType,
+		PublicKey: keysResp.Keys[1].KeyInfo.PublicKey,
+		Data:      crypto.Keccak256([]byte("test-data-to-sign")),
+		Signature: signature,
+	})
+	require.NoError(t, err)
+	require.True(t, verifyResp.Valid)
+
+	encryptedData, err := ks.Encrypt(ctx, keystore.EncryptRequest{
+		RemoteKeyType: keysResp.Keys[0].KeyInfo.KeyType,
+		RemotePubKey:  keysResp.Keys[0].KeyInfo.PublicKey,
+		Data:          []byte("test-data-to-encrypt"),
+	})
+	require.NoError(t, err)
+	require.NotEmpty(t, encryptedData)
+
+	decryptedData, err := coreKs.Decrypt(ctx, "encrypt", encryptedData.EncryptedData)
+	require.NoError(t, err)
+	require.Equal(t, []byte("test-data-to-encrypt"), decryptedData)
+}

keystore/go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/natefinch/atomic v1.0.1
 	github.com/smartcontractkit/chainlink-common v0.9.6
+	github.com/smartcontractkit/libocr v0.0.0-20250707144819-babe0ec4e358
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/crypto v0.42.0
@@ -78,7 +79,6 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.4 // indirect
 	github.com/smartcontractkit/freeport v0.1.3-0.20250716200817-cb5dfd0e369e // indirect
-	github.com/smartcontractkit/libocr v0.0.0-20250707144819-babe0ec4e358 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/supranational/blst v0.3.14 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect

keystore/keystore.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"slices"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -25,6 +26,38 @@ import (
 	"github.com/smartcontractkit/chainlink-common/keystore/serialization"
 )
 
+type KeyPath []string
+
+func (k KeyPath) String() string {
+	return joinKeySegments(k...)
+}
+
+func (k KeyPath) Base() string {
+	return k[len(k)-1]
+}
+
+func NewKeyPath(segments ...string) KeyPath {
+	return segments
+}
+
+func NewKeyPathFromString(fullName string) KeyPath {
+	return strings.Split(fullName, "/")
+}
+
+// joinKeySegments joins path-like key name segments using "/" and avoids double slashes.
+// Empty segments are skipped so joinKeySegments("EVM", "TX", "my-key") => "EVM/TX/my-key".
+func joinKeySegments(segments ...string) string {
+	cleaned := make([]string, 0, len(segments))
+	for _, s := range segments {
+		s = strings.Trim(s, "/")
+		if s == "" {
+			continue
+		}
+		cleaned = append(cleaned, s)
+	}
+	return strings.Join(cleaned, "/")
+}
+
 type KeyType string
 
 func (k KeyType) String() string {
@@ -52,17 +85,17 @@ const (
 	// ECDH_P256:
 	// - ECDH on P-256
 	// - Encryption with AES-GCM and HKDF-SHA256
-	ECDH_P256 KeyType = "ecdh-p256"
+	ECDH_P256 KeyType = "ECDH_P256"
 
 	// Digital signature key types.
 	// Ed25519:
 	// - Ed25519 for digital signatures.
 	// - Supports arbitrary messages sizes, no hashing required.
-	Ed25519 KeyType = "ed25519"
+	Ed25519 KeyType = "Ed25519"
 	// ECDSA_S256:
 	// - ECDSA on secp256k1 for digital signatures.
 	// - Only signs 32 byte digests. Caller must hash the data before signing.
-	ECDSA_S256 KeyType = "ecdsa-secp256k1"
+	ECDSA_S256 KeyType = "ECDSA_S256"
 )
 
 var AllKeyTypes = []KeyType{X25519, ECDH_P256, Ed25519, ECDSA_S256}

keystore/keystore_internal_test.go

@@ -30,3 +30,23 @@ func TestPublicKeyFromPrivateKey(t *testing.T) {
 	// We use SEC1 (uncompressed) format for ECDH public keys.
 	require.Equal(t, 65, len(pubKey))
 }
+
+func TestJoinKeySegments(t *testing.T) {
+	tests := []struct {
+		segments []string
+		expected string
+	}{
+		{segments: []string{"EVM", "TX", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "/TX", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX/", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "/my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", ""}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "/"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "//"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "///"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "////"}, expected: "EVM/TX/my-key"},
+	}
+	for _, tt := range tests {
+		require.Equal(t, tt.expected, joinKeySegments(tt.segments...))
+	}
+}