feat(plugins): add keystore list and update commands, deprecate --keystore-factory

Add remaining keystore subcommands to Toolkit.jar:
- `keystore list`: display all keystore files and addresses in a directory
- `keystore update <address>`: re-encrypt a keystore with a new password

Both support --keystore-dir, --json, and --password-file options.

Add deprecation warning to --keystore-factory in FullNode.jar, directing
users to the new Toolkit.jar keystore commands. The old REPL continues
to function normally during the transition period.

Author: Barbatos

crypto/src/test/java/org/tron/keystore/CrossImplTest.java

@@ -3,62 +3,113 @@
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.File;
+import java.io.InputStream;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
 import org.tron.common.crypto.SignInterface;
 import org.tron.common.crypto.SignUtils;
+import org.tron.common.utils.ByteArray;
 import org.tron.common.utils.Utils;
 
 /**
  * Cross-implementation compatibility tests.
- * Verifies that keystore files can survive a roundtrip through the
- * Java implementation (encrypt → serialize → deserialize → decrypt).
  *
- * Also verifies that keystore files generated by legacy --keystore-factory
- * code are compatible with the new library.
+ * <p>Static fixtures (web3j-pbkdf2.json, web3j-scrypt.json) are standard
+ * Ethereum test vectors from the Web3 Secret Storage specification.
+ * Password and private key are publicly documented — see fixtures/README.md.
+ *
+ * <p>Format compatibility with geth/other clients is verified dynamically:
+ * generate keystore at test time, serialize to file, deserialize back,
+ * verify private key and address survive the roundtrip. No static secrets
+ * stored in the repository.
  */
 public class CrossImplTest {
 
   private static final ObjectMapper MAPPER = new ObjectMapper()
       .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
+
+  // --- Standard Ethereum test vectors (public, from Web3 Secret Storage spec) ---
+
+  private static final String WEB3J_PASSWORD = "Insecure Pa55w0rd";
+  private static final String WEB3J_SECRET =
+      "a392604efc2fad9c0b3da43b5f698a2e3f270f170d859912be0d54742275c5f6";
+
+  @Test
+  public void testDecryptWeb3jPbkdf2Fixture() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/web3j-pbkdf2.json");
+    SignInterface recovered = Wallet.decrypt(WEB3J_PASSWORD, walletFile, true);
+    assertEquals("Private key must match web3j test vector",
+        WEB3J_SECRET, ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
   @Test
-  public void testLightKeystoreRoundtrip() throws Exception {
-    String password = "testpassword123";
+  public void testDecryptWeb3jScryptFixture() throws Exception {
+    WalletFile walletFile = loadFixture("keystore-fixtures/web3j-scrypt.json");
+    SignInterface recovered = Wallet.decrypt(WEB3J_PASSWORD, walletFile, true);
+    assertEquals("Private key must match web3j test vector",
+        WEB3J_SECRET, ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
+  // --- Dynamic format compatibility (no static secrets) ---
+
+  @Test
+  public void testKeystoreFormatCompatibility() throws Exception {
+    // Dynamically generate, serialize, deserialize — verifies the JSON format
+    // is correct and can survive a roundtrip (same format geth/web3j produce)
     SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
     byte[] originalKey = keyPair.getPrivateKey();
+    String password = "dynamicTest123";
 
-    // Create keystore → write to temp file → read back → decrypt
-    WalletFile walletFile = Wallet.createLight(password, keyPair);
-    File tempFile = File.createTempFile("keystore-test-", ".json");
-    tempFile.deleteOnExit();
-    MAPPER.writeValue(tempFile, walletFile);
+    WalletFile walletFile = Wallet.createStandard(password, keyPair);
 
+    // Verify the generated file has correct Web3 Secret Storage structure
+    assertEquals("version must be 3", 3, walletFile.getVersion());
+    assertNotNull("must have address", walletFile.getAddress());
+    assertNotNull("must have crypto", walletFile.getCrypto());
+    assertEquals("cipher must be aes-128-ctr",
+        "aes-128-ctr", walletFile.getCrypto().getCipher());
+    assertTrue("kdf must be scrypt or pbkdf2",
+        "scrypt".equals(walletFile.getCrypto().getKdf())
+            || "pbkdf2".equals(walletFile.getCrypto().getKdf()));
+
+    // Write to file, read back — simulates cross-process interop
+    File tempFile = new File(tempFolder.getRoot(), "compat-test.json");
+    MAPPER.writeValue(tempFile, walletFile);
     WalletFile loaded = MAPPER.readValue(tempFile, WalletFile.class);
-    SignInterface recovered = Wallet.decrypt(password, loaded, true);
 
-    assertArrayEquals("File roundtrip must preserve private key",
+    // Decrypt the deserialized file
+    SignInterface recovered = Wallet.decrypt(password, loaded, true);
+    assertArrayEquals("Key must survive file roundtrip",
         originalKey, recovered.getPrivateKey());
+
+    // Verify TRON address format
+    byte[] tronAddr = recovered.getAddress();
+    assertEquals("TRON address must be 21 bytes", 21, tronAddr.length);
+    assertEquals("First byte must be TRON prefix", 0x41, tronAddr[0] & 0xFF);
   }
 
   @Test
-  public void testStandardKeystoreRoundtrip() throws Exception {
-    String password = "testpassword456";
+  public void testLightScryptFormatCompatibility() throws Exception {
     SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
     byte[] originalKey = keyPair.getPrivateKey();
+    String password = "lightCompat456";
 
-    WalletFile walletFile = Wallet.createStandard(password, keyPair);
-    File tempFile = File.createTempFile("keystore-std-", ".json");
-    tempFile.deleteOnExit();
+    WalletFile walletFile = Wallet.createLight(password, keyPair);
+    File tempFile = new File(tempFolder.getRoot(), "light-compat.json");
     MAPPER.writeValue(tempFile, walletFile);
-
     WalletFile loaded = MAPPER.readValue(tempFile, WalletFile.class);
-    SignInterface recovered = Wallet.decrypt(password, loaded, true);
 
-    assertArrayEquals("Standard scrypt file roundtrip must preserve private key",
+    SignInterface recovered = Wallet.decrypt(password, loaded, true);
+    assertArrayEquals("Key must survive light scrypt file roundtrip",
         originalKey, recovered.getPrivateKey());
   }
 
@@ -85,30 +136,22 @@ public void testLoadCredentialsIntegration() throws Exception {
     byte[] originalKey = keyPair.getPrivateKey();
     String originalAddress = Credentials.create(keyPair).getAddress();
 
-    // Use WalletUtils full flow
-    File tempDir = new File(System.getProperty("java.io.tmpdir"), "keystore-test-" +
-        System.currentTimeMillis());
-    tempDir.mkdirs();
-    try {
-      String fileName = WalletUtils.generateWalletFile(password, keyPair, tempDir, false);
-      assertNotNull(fileName);
-
-      File keystoreFile = new File(tempDir, fileName);
-      Credentials loaded = WalletUtils.loadCredentials(password, keystoreFile, true);
-
-      assertEquals("Address must survive full WalletUtils roundtrip",
-          originalAddress, loaded.getAddress());
-      assertArrayEquals("Key must survive full WalletUtils roundtrip",
-          originalKey, loaded.getSignInterface().getPrivateKey());
-    } finally {
-      // Cleanup
-      File[] files = tempDir.listFiles();
-      if (files != null) {
-        for (File f : files) {
-          f.delete();
-        }
-      }
-      tempDir.delete();
-    }
+    File tempDir = tempFolder.newFolder("wallet-integration");
+    String fileName = WalletUtils.generateWalletFile(password, keyPair, tempDir, false);
+    assertNotNull(fileName);
+
+    File keystoreFile = new File(tempDir, fileName);
+    Credentials loaded = WalletUtils.loadCredentials(password, keystoreFile, true);
+
+    assertEquals("Address must survive full WalletUtils roundtrip",
+        originalAddress, loaded.getAddress());
+    assertArrayEquals("Key must survive full WalletUtils roundtrip",
+        originalKey, loaded.getSignInterface().getPrivateKey());
+  }
+
+  private WalletFile loadFixture(String resourcePath) throws Exception {
+    InputStream is = getClass().getClassLoader().getResourceAsStream(resourcePath);
+    assertNotNull("Fixture not found: " + resourcePath, is);
+    return MAPPER.readValue(is, WalletFile.class);
   }
 }

crypto/src/test/resources/keystore-fixtures/README.md

@@ -0,0 +1,15 @@
+# Keystore Test Fixtures
+
+These files are **standard Ethereum test vectors** from the
+[Web3 Secret Storage Definition](https://github.com/ethereum/wiki/wiki/Web3-Secret-Storage-Definition).
+
+They are used to verify cross-implementation compatibility. The password
+and private key are publicly documented in the specification and do NOT
+control any real assets on any blockchain.
+
+| File | KDF | Source |
+|------|-----|--------|
+| web3j-pbkdf2.json | PBKDF2 | web3j project / Ethereum wiki |
+| web3j-scrypt.json | Scrypt | web3j project / Ethereum wiki |
+
+Password: `Insecure Pa55w0rd` (public test vector)

crypto/src/test/resources/keystore-fixtures/web3j-pbkdf2.json

@@ -0,0 +1,19 @@
+{
+    "crypto" : {
+        "cipher" : "aes-128-ctr",
+        "cipherparams" : {
+            "iv" : "02ebc768684e5576900376114625ee6f"
+        },
+        "ciphertext" : "7ad5c9dd2c95f34a92ebb86740b92103a5d1cc4c2eabf3b9a59e1f83f3181216",
+        "kdf" : "pbkdf2",
+        "kdfparams" : {
+            "c" : 262144,
+            "dklen" : 32,
+            "prf" : "hmac-sha256",
+            "salt" : "0e4cf3893b25bb81efaae565728b5b7cde6a84e224cbf9aed3d69a31c981b702"
+        },
+        "mac" : "2b29e4641ec17f4dc8b86fc8592090b50109b372529c30b001d4d96249edaf62"
+    },
+    "id" : "af0451b4-6020-4ef0-91ec-794a5a965b01",
+    "version" : 3
+}

crypto/src/test/resources/keystore-fixtures/web3j-scrypt.json

@@ -0,0 +1,20 @@
+{
+    "crypto" : {
+        "cipher" : "aes-128-ctr",
+        "cipherparams" : {
+            "iv" : "3021e1ef4774dfc5b08307f3a4c8df00"
+        },
+        "ciphertext" : "4dd29ba18478b98cf07a8a44167acdf7e04de59777c4b9c139e3d3fa5cb0b931",
+        "kdf" : "scrypt",
+        "kdfparams" : {
+            "dklen" : 32,
+            "n" : 262144,
+            "r" : 8,
+            "p" : 1,
+            "salt" : "4f9f68c71989eb3887cd947c80b9555fce528f210199d35c35279beb8c2da5ca"
+        },
+        "mac" : "7e8f2192767af9be18e7a373c1986d9190fcaa43ad689bbb01a62dbde159338d"
+    },
+    "id" : "7654525c-17e0-4df5-94b5-c7fde752c9d2",
+    "version" : 3
+}

framework/src/main/java/org/tron/program/KeystoreFactory.java

@@ -15,11 +15,20 @@
 import org.tron.keystore.WalletUtils;
 
 @Slf4j(topic = "app")
+@Deprecated
 public class KeystoreFactory {
 
   private static final String FilePath = "Wallet";
 
   public static void start() {
+    System.err.println("WARNING: --keystore-factory is deprecated and will be removed "
+        + "in a future release.");
+    System.err.println("Please use: java -jar Toolkit.jar keystore <command>");
+    System.err.println("  keystore new       - Generate a new keystore");
+    System.err.println("  keystore import    - Import a private key");
+    System.err.println("  keystore list      - List keystores");
+    System.err.println("  keystore update    - Change password");
+    System.err.println();
     KeystoreFactory cli = new KeystoreFactory();
     cli.run();
   }
@@ -99,11 +108,13 @@ private void importPrivateKey() throws CipherException, IOException {
   }
 
   private void help() {
-    System.out.println("You can enter the following command: ");
-    System.out.println("GenKeystore");
-    System.out.println("ImportPrivateKey");
-    System.out.println("Exit or Quit");
-    System.out.println("Input any one of them, you will get more tips.");
+    System.out.println("NOTE: --keystore-factory is deprecated. Use Toolkit.jar instead:");
+    System.out.println("  java -jar Toolkit.jar keystore new|import|list|update");
+    System.out.println();
+    System.out.println("Legacy commands (will be removed):");
+    System.out.println("  GenKeystore");
+    System.out.println("  ImportPrivateKey");
+    System.out.println("  Exit or Quit");
   }
 
   private void run() {

framework/src/test/java/org/tron/program/KeystoreFactoryDeprecationTest.java

@@ -0,0 +1,35 @@
+package org.tron.program;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.PrintStream;
+import org.junit.Test;
+
+/**
+ * Verifies that --keystore-factory prints deprecation warning to stderr.
+ */
+public class KeystoreFactoryDeprecationTest {
+
+  @Test
+  public void testDeprecationWarningPrinted() throws Exception {
+    PrintStream originalErr = System.err;
+    InputStream originalIn = System.in;
+    ByteArrayOutputStream errContent = new ByteArrayOutputStream();
+    System.setErr(new PrintStream(errContent));
+    System.setIn(new java.io.ByteArrayInputStream("exit\n".getBytes()));
+    try {
+      KeystoreFactory.start();
+    } finally {
+      System.setErr(originalErr);
+      System.setIn(originalIn);
+    }
+
+    String errOutput = errContent.toString("UTF-8");
+    assertTrue("Should contain deprecation warning",
+        errOutput.contains("--keystore-factory is deprecated"));
+    assertTrue("Should point to Toolkit.jar",
+        errOutput.contains("Toolkit.jar keystore"));
+  }
+}

plugins/build.gradle

@@ -34,7 +34,12 @@ dependencies {
     implementation fileTree(dir: 'libs', include: '*.jar')
     testImplementation project(":framework")
     testImplementation project(":framework").sourceSets.test.output
-    implementation project(":crypto")
+    implementation(project(":crypto")) {
+        exclude group: 'io.github.tronprotocol', module: 'libp2p'
+        exclude group: 'io.prometheus'
+        exclude group: 'org.aspectj'
+        exclude group: 'org.apache.httpcomponents'
+    }
     implementation group: 'info.picocli', name: 'picocli', version: '4.6.3'
     implementation group: 'com.typesafe', name: 'config', version: '1.3.2'
     implementation group: 'me.tongfei', name: 'progressbar', version: '0.9.3'

plugins/src/main/java/common/org/tron/plugins/Keystore.java

@@ -9,7 +9,9 @@
     description = "Manage keystore files for witness account keys.",
     subcommands = {CommandLine.HelpCommand.class,
         KeystoreNew.class,
-        KeystoreImport.class
+        KeystoreImport.class,
+        KeystoreList.class,
+        KeystoreUpdate.class
     },
     commandListHeading = "%nCommands:%n%nThe most commonly used keystore commands are:%n"
 )