[ARCH-334] Pre-requisites for EVM support (#1664)

* Wip

* Switch to get for more consistent naming

* mod tidy

* Fix test

* Remove dup fn

* Offchain keyring also family agnostic

* Rename

Author: connorwstein

keystore/go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/ethereum/go-ethereum v1.16.2
 	github.com/natefinch/atomic v1.0.1
 	github.com/smartcontractkit/chainlink-common v0.9.6
+	github.com/smartcontractkit/libocr v0.0.0-20250707144819-babe0ec4e358
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/crypto v0.42.0
 	google.golang.org/protobuf v1.36.9
@@ -76,7 +77,6 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.4 // indirect
 	github.com/smartcontractkit/freeport v0.1.3-0.20250716200817-cb5dfd0e369e // indirect
-	github.com/smartcontractkit/libocr v0.0.0-20250707144819-babe0ec4e358 // indirect
 	github.com/supranational/blst v0.3.14 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect

keystore/keystore.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"slices"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -25,6 +26,38 @@ import (
 	"github.com/smartcontractkit/chainlink-common/keystore/serialization"
 )
 
+type KeyPath []string
+
+func (k KeyPath) String() string {
+	return joinKeySegments(k...)
+}
+
+func (k KeyPath) Base() string {
+	return k[len(k)-1]
+}
+
+func NewKeyPath(segments ...string) KeyPath {
+	return segments
+}
+
+func NewKeyPathFromString(fullName string) KeyPath {
+	return strings.Split(fullName, "/")
+}
+
+// joinKeySegments joins path-like key name segments using "/" and avoids double slashes.
+// Empty segments are skipped so joinKeySegments("EVM", "TX", "my-key") => "EVM/TX/my-key".
+func joinKeySegments(segments ...string) string {
+	cleaned := make([]string, 0, len(segments))
+	for _, s := range segments {
+		s = strings.Trim(s, "/")
+		if s == "" {
+			continue
+		}
+		cleaned = append(cleaned, s)
+	}
+	return strings.Join(cleaned, "/")
+}
+
 type KeyType string
 
 func (k KeyType) String() string {

keystore/keystore_internal_test.go

@@ -30,3 +30,23 @@ func TestPublicKeyFromPrivateKey(t *testing.T) {
 	// We use SEC1 (uncompressed) format for ECDH public keys.
 	require.Equal(t, 65, len(pubKey))
 }
+
+func TestJoinKeySegments(t *testing.T) {
+	tests := []struct {
+		segments []string
+		expected string
+	}{
+		{segments: []string{"EVM", "TX", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "/TX", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX/", "my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "/my-key"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", ""}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "/"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "//"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "///"}, expected: "EVM/TX/my-key"},
+		{segments: []string{"EVM", "TX", "my-key", "////"}, expected: "EVM/TX/my-key"},
+	}
+	for _, tt := range tests {
+		require.Equal(t, tt.expected, joinKeySegments(tt.segments...))
+	}
+}

keystore/ocr2offchain/ocr2_offchain_keyring.go

@@ -0,0 +1,152 @@
+package ocr2offchain
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/smartcontractkit/chainlink-common/keystore"
+	ocrtypes "github.com/smartcontractkit/libocr/offchainreporting2plus/types"
+	"golang.org/x/crypto/curve25519"
+)
+
+const (
+	OCR2OffchainSigning    = "ocr2_offchain_signing"
+	OCR2OffchainEncryption = "ocr2_offchain_encryption"
+	OCR2OffchainPrefix     = "ocr2_offchain"
+)
+
+func CreateOCR2OffchainKeyring(ctx context.Context, ks keystore.Keystore, keyringName string) (ocrtypes.OffchainKeyring, error) {
+	signingKeyPath := keystore.NewKeyPath(OCR2OffchainPrefix, keyringName, OCR2OffchainSigning)
+	encryptionKeyPath := keystore.NewKeyPath(OCR2OffchainPrefix, keyringName, OCR2OffchainEncryption)
+	createReq := keystore.CreateKeysRequest{
+		Keys: []keystore.CreateKeyRequest{
+			{
+				KeyName: signingKeyPath.String(),
+				KeyType: keystore.Ed25519,
+			},
+			{
+				KeyName: encryptionKeyPath.String(),
+				KeyType: keystore.X25519,
+			},
+		},
+	}
+	resp, err := ks.CreateKeys(ctx, createReq)
+	if err != nil {
+		return nil, err
+	}
+	if len(resp.Keys) != 2 {
+		return nil, fmt.Errorf("expected 2 keys, got %d", len(resp.Keys))
+	}
+	return &evmOffchainKeyring{
+		ks:                    ks,
+		signingKeyPath:        signingKeyPath,
+		encryptionKeyPath:     encryptionKeyPath,
+		offchainKey:           resp.Keys[0].KeyInfo,
+		offchainEncryptionKey: resp.Keys[1].KeyInfo,
+	}, nil
+}
+
+// ListOCR2OffchainKeyrings lists OCR2 offchain keyrings. If no local names provided, returns all OCR2 offchain keyrings.
+func GetOCR2OffchainKeyrings(ctx context.Context, ks keystore.Keystore, keyRingNames []string) ([]ocrtypes.OffchainKeyring, error) {
+	var names []string
+	if len(keyRingNames) > 0 {
+		for _, keyRingName := range keyRingNames {
+			names = append(names, keystore.NewKeyPath(OCR2OffchainPrefix, keyRingName, OCR2OffchainSigning).String())
+			names = append(names, keystore.NewKeyPath(OCR2OffchainPrefix, keyRingName, OCR2OffchainEncryption).String())
+		}
+	}
+
+	getReq := keystore.GetKeysRequest{KeyNames: names}
+	resp, err := ks.GetKeys(ctx, getReq)
+	if err != nil {
+		return nil, err
+	}
+
+	// Group by keyrings.
+	keyRingMap := make(map[string][]keystore.KeyInfo)
+	for _, key := range resp.Keys {
+		if !strings.HasPrefix(key.KeyInfo.Name, keystore.NewKeyPath(OCR2OffchainPrefix).String()) {
+			continue
+		}
+		keyPath := keystore.NewKeyPathFromString(key.KeyInfo.Name)
+		// Example:
+		// /ocr2_offchain/keyring_name/ocr2_offchain_signing
+		// /ocr2_offchain/keyring_name/ocr2_offchain_encryption
+		// Group by keyring name (first 3 segments: ocr2_offchain/keyring_name)
+		keyRingMap[keyPath[:2].String()] = append(keyRingMap[keyPath[:2].String()], key.KeyInfo)
+	}
+
+	var keyrings []ocrtypes.OffchainKeyring
+	for _, keyInfos := range keyRingMap {
+		// Find signing and encryption keys
+		var signingKey, encryptionKey keystore.KeyInfo
+		for _, keyInfo := range keyInfos {
+			if strings.HasSuffix(keyInfo.Name, OCR2OffchainSigning) {
+				signingKey = keyInfo
+			} else if strings.HasSuffix(keyInfo.Name, OCR2OffchainEncryption) {
+				encryptionKey = keyInfo
+			}
+		}
+		keyrings = append(keyrings, &evmOffchainKeyring{
+			ks:                    ks,
+			signingKeyPath:        keystore.NewKeyPathFromString(signingKey.Name),
+			encryptionKeyPath:     keystore.NewKeyPathFromString(encryptionKey.Name),
+			offchainKey:           signingKey,
+			offchainEncryptionKey: encryptionKey,
+		})
+	}
+	return keyrings, nil
+}
+
+var _ ocrtypes.OffchainKeyring = &evmOffchainKeyring{}
+
+type evmOffchainKeyring struct {
+	ks                    keystore.Keystore
+	signingKeyPath        keystore.KeyPath
+	encryptionKeyPath     keystore.KeyPath
+	offchainKey           keystore.KeyInfo
+	offchainEncryptionKey keystore.KeyInfo
+}
+
+func (k *evmOffchainKeyring) ConfigEncryptionKeyPath() keystore.KeyPath {
+	return k.encryptionKeyPath
+}
+
+func (k *evmOffchainKeyring) ConfigSigningKeyPath() keystore.KeyPath {
+	return k.signingKeyPath
+}
+
+func (k *evmOffchainKeyring) OffchainPublicKey() ocrtypes.OffchainPublicKey {
+	var pubKey ocrtypes.OffchainPublicKey
+	copy(pubKey[:], k.offchainKey.PublicKey)
+	return pubKey
+}
+
+func (k *evmOffchainKeyring) ConfigEncryptionPublicKey() ocrtypes.ConfigEncryptionPublicKey {
+	var pubKey ocrtypes.ConfigEncryptionPublicKey
+	copy(pubKey[:], k.offchainEncryptionKey.PublicKey)
+	return pubKey
+}
+
+func (k *evmOffchainKeyring) OffchainSign(msg []byte) ([]byte, error) {
+	signResp, err := k.ks.Sign(context.Background(), keystore.SignRequest{
+		KeyName: k.offchainKey.Name,
+		Data:    msg,
+	})
+	return signResp.Signature, err
+}
+
+func (k *evmOffchainKeyring) ConfigDiffieHellman(point [curve25519.PointSize]byte) ([curve25519.PointSize]byte, error) {
+	resp, err := k.ks.DeriveSharedSecret(context.Background(), keystore.DeriveSharedSecretRequest{
+		KeyName:      k.offchainEncryptionKey.Name,
+		RemotePubKey: point[:],
+	})
+	if err != nil {
+		return [curve25519.PointSize]byte{}, err
+	}
+
+	var sharedPoint [curve25519.PointSize]byte
+	copy(sharedPoint[:], resp.SharedSecret)
+	return sharedPoint, nil
+}

keystore/ocr2offchain/ocr2_offchain_keyring_test.go

@@ -0,0 +1,75 @@
+package ocr2offchain_test
+
+import (
+	"testing"
+
+	commonks "github.com/smartcontractkit/chainlink-common/keystore"
+	"github.com/smartcontractkit/chainlink-common/keystore/ocr2offchain"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOCR2OffchainKeyring(t *testing.T) {
+	storage := commonks.NewMemoryStorage()
+	ctx := t.Context()
+	ks, err := commonks.LoadKeystore(ctx, storage, "test-password")
+	require.NoError(t, err)
+	keyring, err := ocr2offchain.CreateOCR2OffchainKeyring(ctx, ks, "test-ocr2-offchain-keyring")
+	require.NoError(t, err)
+	require.NotNil(t, keyring)
+
+	msg := []byte("test-message")
+	signature, err := keyring.OffchainSign(msg)
+	require.NoError(t, err)
+	require.NotNil(t, signature)
+
+	keyrings, err := ocr2offchain.GetOCR2OffchainKeyrings(ctx, ks, []string{"test-ocr2-offchain-keyring"})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(keyrings))
+	require.Equal(t, keyring.OffchainPublicKey(), keyrings[0].OffchainPublicKey())
+	require.Equal(t, keyring.ConfigEncryptionPublicKey(), keyrings[0].ConfigEncryptionPublicKey())
+
+	// List all works
+	allKeyrings, err := ocr2offchain.GetOCR2OffchainKeyrings(ctx, ks, []string{})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(allKeyrings))
+
+	// List non-existent errors.
+	nonExistentKeyrings, err := ocr2offchain.GetOCR2OffchainKeyrings(ctx, ks, []string{"non-existent-ocr2-offchain-keyring"})
+	require.Error(t, err)
+	require.Nil(t, nonExistentKeyrings)
+
+	// Can create multiple.
+	keyring2, err := ocr2offchain.CreateOCR2OffchainKeyring(ctx, ks, "test-ocr2-offchain-keyring-2")
+	require.NoError(t, err)
+	require.NotNil(t, keyring2)
+	msg2 := []byte("test-message-2")
+	signature2, err := keyring2.OffchainSign(msg2)
+	require.NoError(t, err)
+	require.NotNil(t, signature2)
+
+	// List by name works.
+	keyrings2, err := ocr2offchain.GetOCR2OffchainKeyrings(ctx, ks, []string{"test-ocr2-offchain-keyring-2"})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(keyrings2))
+	require.Equal(t, keyring2.OffchainPublicKey(), keyrings2[0].OffchainPublicKey())
+	require.Equal(t, keyring2.ConfigEncryptionPublicKey(), keyrings2[0].ConfigEncryptionPublicKey())
+
+	// List all works with multiple.
+	allKeyrings2, err := ocr2offchain.GetOCR2OffchainKeyrings(ctx, ks, []string{})
+	require.NoError(t, err)
+	require.Equal(t, 2, len(allKeyrings2))
+
+	sig, err := allKeyrings[0].OffchainSign([]byte("test-message"))
+	require.NoError(t, err)
+	require.NotNil(t, sig)
+
+	pubkey := allKeyrings[0].OffchainPublicKey()
+	valid, err := ks.Verify(ctx, commonks.VerifyRequest{
+		KeyType:   commonks.Ed25519,
+		PublicKey: pubkey[:],
+		Data:      []byte("test-message"),
+		Signature: sig,
+	})
+	require.NoError(t, err)
+	require.True(t, valid.Valid)
+}