feat(plugins): add keystore list and update commands, deprecate --keystore-factory

Add remaining keystore subcommands to Toolkit.jar:
- `keystore list`: display all keystore files and addresses in a directory
- `keystore update <address>`: re-encrypt a keystore with a new password

Both support --keystore-dir, --json, and --password-file options.

Add deprecation warning to --keystore-factory in FullNode.jar, directing
users to the new Toolkit.jar keystore commands. The old REPL continues
to function normally during the transition period.

Author: Barbatos

crypto/src/test/java/org/tron/keystore/CrossImplTest.java

@@ -7,9 +7,12 @@
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.File;
+import java.io.InputStream;
+import java.util.Arrays;
 import org.junit.Test;
 import org.tron.common.crypto.SignInterface;
 import org.tron.common.crypto.SignUtils;
+import org.tron.common.utils.ByteArray;
 import org.tron.common.utils.Utils;
 
 /**
@@ -25,6 +28,56 @@ public class CrossImplTest {
   private static final ObjectMapper MAPPER = new ObjectMapper()
       .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 
+  // --- web3j standard test vectors (known password + private key) ---
+
+  private static final String WEB3J_PASSWORD = "Insecure Pa55w0rd";
+  private static final String WEB3J_SECRET =
+      "a392604efc2fad9c0b3da43b5f698a2e3f270f170d859912be0d54742275c5f6";
+
+  @Test
+  public void testDecryptWeb3jPbkdf2Fixture() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/web3j-pbkdf2.json");
+    SignInterface recovered = Wallet.decrypt(WEB3J_PASSWORD, walletFile, true);
+    assertEquals("Private key must match web3j test vector",
+        WEB3J_SECRET, ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
+  @Test
+  public void testDecryptWeb3jScryptFixture() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/web3j-scrypt.json");
+    SignInterface recovered = Wallet.decrypt(WEB3J_PASSWORD, walletFile, true);
+    assertEquals("Private key must match web3j test vector",
+        WEB3J_SECRET, ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
+  // --- geth-generated fixtures (can decrypt, address matches) ---
+
+  @Test
+  public void testDecryptGethStandardScrypt() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/geth-scrypt-standard.json");
+    SignInterface recovered = Wallet.decrypt("testpassword123", walletFile, true);
+    assertNotNull("Must decrypt geth standard scrypt keystore", recovered);
+    assertNotNull("Recovered key must not be null", recovered.getPrivateKey());
+    // Geth stores 20-byte Ethereum address, TRON uses 21-byte (0x41 prefix).
+    byte[] tronAddr = recovered.getAddress();
+    String ethAddr = ByteArray.toHexString(Arrays.copyOfRange(tronAddr, 1, tronAddr.length));
+    assertEquals("Recovered address must match geth keystore address",
+        walletFile.getAddress(), ethAddr);
+  }
+
+  @Test
+  public void testDecryptGethLightScrypt() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/geth-scrypt-light.json");
+    SignInterface recovered = Wallet.decrypt("lightkdfpass456", walletFile, true);
+    assertNotNull("Must decrypt geth light scrypt keystore", recovered);
+    byte[] tronAddr = recovered.getAddress();
+    String ethAddr = ByteArray.toHexString(Arrays.copyOfRange(tronAddr, 1, tronAddr.length));
+    assertEquals("Recovered address must match geth keystore address",
+        walletFile.getAddress(), ethAddr);
+  }
+
+  // --- java-tron self roundtrip ---
+
   @Test
   public void testLightKeystoreRoundtrip() throws Exception {
     String password = "testpassword123";
@@ -111,4 +164,10 @@ public void testLoadCredentialsIntegration() throws Exception {
       tempDir.delete();
     }
   }
+
+  private WalletFile loadFixture(String resourcePath) throws Exception {
+    InputStream is = getClass().getClassLoader().getResourceAsStream(resourcePath);
+    assertNotNull("Fixture not found: " + resourcePath, is);
+    return MAPPER.readValue(is, WalletFile.class);
+  }
 }

crypto/src/test/resources/keystore-fixtures/geth-scrypt-light.json

@@ -0,0 +1 @@
+{"address":"0591c156bc7a2c6721dab295b297c70dfcaf9cea","crypto":{"cipher":"aes-128-ctr","ciphertext":"0bff085a14b71b375d6870dfe6ddb1297c0be9decf7e2dca518000485edda2d8","cipherparams":{"iv":"7185a287f8062c077ad6d296f3447045"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":4096,"p":6,"r":8,"salt":"8ddcff7ceb9b58bf2539bc9a72102ca5dbc6e2ffd2230ee9f7656700ecba8d42"},"mac":"dc8e83351d90fff0b7871b828679b3e56fdd5d544c9ec0d40dcb0c227a187f2b"},"id":"0eb9a704-4fb0-41b6-8a2d-50d82d9d22d9","version":3}

crypto/src/test/resources/keystore-fixtures/geth-scrypt-standard.json

@@ -0,0 +1 @@
+{"address":"df0b7c3dfbc67776d47b61780fc5fba60072db74","crypto":{"cipher":"aes-128-ctr","ciphertext":"22d21d1b9e93e947f8f58f16ae9992e5230eec3e7e92093c848ef4c6bb7450b7","cipherparams":{"iv":"541f95abfab2037ebd22ef546aa1226c"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"2846f8bd29a38dd7a43d44ad07eb0f4b9e526a37737600a60495cca045883e2b"},"mac":"bbe9a1eebf91f503fe0515e8dae1a9be68f9ecdfa9669a48afaf12c5a4abf9e3"},"id":"3cc4db6a-b837-45a6-95e0-f9bf7d79cd19","version":3}

crypto/src/test/resources/keystore-fixtures/web3j-pbkdf2.json

@@ -0,0 +1,19 @@
+{
+    "crypto" : {
+        "cipher" : "aes-128-ctr",
+        "cipherparams" : {
+            "iv" : "02ebc768684e5576900376114625ee6f"
+        },
+        "ciphertext" : "7ad5c9dd2c95f34a92ebb86740b92103a5d1cc4c2eabf3b9a59e1f83f3181216",
+        "kdf" : "pbkdf2",
+        "kdfparams" : {
+            "c" : 262144,
+            "dklen" : 32,
+            "prf" : "hmac-sha256",
+            "salt" : "0e4cf3893b25bb81efaae565728b5b7cde6a84e224cbf9aed3d69a31c981b702"
+        },
+        "mac" : "2b29e4641ec17f4dc8b86fc8592090b50109b372529c30b001d4d96249edaf62"
+    },
+    "id" : "af0451b4-6020-4ef0-91ec-794a5a965b01",
+    "version" : 3
+}

crypto/src/test/resources/keystore-fixtures/web3j-scrypt.json

@@ -0,0 +1,20 @@
+{
+    "crypto" : {
+        "cipher" : "aes-128-ctr",
+        "cipherparams" : {
+            "iv" : "3021e1ef4774dfc5b08307f3a4c8df00"
+        },
+        "ciphertext" : "4dd29ba18478b98cf07a8a44167acdf7e04de59777c4b9c139e3d3fa5cb0b931",
+        "kdf" : "scrypt",
+        "kdfparams" : {
+            "dklen" : 32,
+            "n" : 262144,
+            "r" : 8,
+            "p" : 1,
+            "salt" : "4f9f68c71989eb3887cd947c80b9555fce528f210199d35c35279beb8c2da5ca"
+        },
+        "mac" : "7e8f2192767af9be18e7a373c1986d9190fcaa43ad689bbb01a62dbde159338d"
+    },
+    "id" : "7654525c-17e0-4df5-94b5-c7fde752c9d2",
+    "version" : 3
+}

framework/src/main/java/org/tron/program/KeystoreFactory.java

@@ -20,6 +20,14 @@ public class KeystoreFactory {
   private static final String FilePath = "Wallet";
 
   public static void start() {
+    System.err.println("WARNING: --keystore-factory is deprecated and will be removed "
+        + "in a future release.");
+    System.err.println("Please use: java -jar Toolkit.jar keystore <command>");
+    System.err.println("  keystore new       - Generate a new keystore");
+    System.err.println("  keystore import    - Import a private key");
+    System.err.println("  keystore list      - List keystores");
+    System.err.println("  keystore update    - Change password");
+    System.err.println();
     KeystoreFactory cli = new KeystoreFactory();
     cli.run();
   }

framework/src/test/java/org/tron/program/KeystoreFactoryDeprecationTest.java

@@ -0,0 +1,37 @@
+package org.tron.program;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import org.junit.Test;
+
+/**
+ * Verifies that --keystore-factory prints deprecation warning to stderr.
+ */
+public class KeystoreFactoryDeprecationTest {
+
+  @Test
+  public void testDeprecationWarningPrinted() throws Exception {
+    PrintStream originalErr = System.err;
+    PrintStream originalIn = System.out;
+    ByteArrayOutputStream errContent = new ByteArrayOutputStream();
+    System.setErr(new PrintStream(errContent));
+
+    // Provide "exit" via stdin so the REPL terminates immediately
+    System.setIn(new java.io.ByteArrayInputStream("exit\n".getBytes()));
+    try {
+      KeystoreFactory.start();
+    } finally {
+      System.setErr(originalErr);
+      System.setIn(System.in);
+    }
+
+    String errOutput = errContent.toString("UTF-8");
+    assertTrue("Should contain deprecation warning",
+        errOutput.contains("--keystore-factory is deprecated"));
+    assertTrue("Should point to Toolkit.jar",
+        errOutput.contains("Toolkit.jar keystore"));
+  }
+}

plugins/src/main/java/common/org/tron/plugins/Keystore.java

@@ -9,7 +9,9 @@
     description = "Manage keystore files for witness account keys.",
     subcommands = {CommandLine.HelpCommand.class,
         KeystoreNew.class,
-        KeystoreImport.class
+        KeystoreImport.class,
+        KeystoreList.class,
+        KeystoreUpdate.class
     },
     commandListHeading = "%nCommands:%n%nThe most commonly used keystore commands are:%n"
 )

plugins/src/main/java/common/org/tron/plugins/KeystoreList.java

@@ -0,0 +1,84 @@
+package org.tron.plugins;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.File;
+import java.util.concurrent.Callable;
+import org.tron.keystore.WalletFile;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+@Command(name = "list",
+    mixinStandardHelpOptions = true,
+    description = "List all keystore files in a directory.")
+public class KeystoreList implements Callable<Integer> {
+
+  private static final ObjectMapper MAPPER = new ObjectMapper()
+      .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+
+  @Option(names = {"--keystore-dir"},
+      description = "Keystore directory (default: ./Wallet)",
+      defaultValue = "Wallet")
+  private File keystoreDir;
+
+  @Option(names = {"--json"},
+      description = "Output in JSON format")
+  private boolean json;
+
+  @Override
+  public Integer call() {
+    if (!keystoreDir.exists() || !keystoreDir.isDirectory()) {
+      if (json) {
+        System.out.println("{\"keystores\":[]}");
+      } else {
+        System.out.println("No keystores found in: " + keystoreDir.getAbsolutePath());
+      }
+      return 0;
+    }
+
+    File[] files = keystoreDir.listFiles((dir, name) -> name.endsWith(".json"));
+    if (files == null || files.length == 0) {
+      if (json) {
+        System.out.println("{\"keystores\":[]}");
+      } else {
+        System.out.println("No keystores found in: " + keystoreDir.getAbsolutePath());
+      }
+      return 0;
+    }
+
+    if (json) {
+      System.out.print("{\"keystores\":[");
+    }
+
+    int count = 0;
+    for (File file : files) {
+      try {
+        WalletFile walletFile = MAPPER.readValue(file, WalletFile.class);
+        if (walletFile.getAddress() == null || walletFile.getCrypto() == null) {
+          continue;
+        }
+        if (json) {
+          if (count > 0) {
+            System.out.print(",");
+          }
+          System.out.printf("{\"address\":\"%s\",\"file\":\"%s\"}",
+              walletFile.getAddress(), file.getName());
+        } else {
+          System.out.printf("%-45s %s%n", walletFile.getAddress(), file.getName());
+        }
+        count++;
+      } catch (Exception e) {
+        // Skip files that aren't valid keystore JSON
+      }
+    }
+
+    if (json) {
+      System.out.println("]}");
+    }
+
+    if (!json && count == 0) {
+      System.out.println("No valid keystores found in: " + keystoreDir.getAbsolutePath());
+    }
+    return 0;
+  }
+}