feat(plugins): add keystore list and update commands, deprecate --keystore-factory

Add remaining keystore subcommands to Toolkit.jar:
- `keystore list`: display all keystore files and addresses in a directory
- `keystore update <address>`: re-encrypt a keystore with a new password

Both support --keystore-dir, --json, and --password-file options.

Add deprecation warning to --keystore-factory in FullNode.jar, directing
users to the new Toolkit.jar keystore commands. The old REPL continues
to function normally during the transition period.

Author: Barbatos

crypto/src/main/java/org/tron/keystore/Wallet.java

@@ -204,7 +204,7 @@ public static SignInterface decrypt(String password, WalletFile walletFile,
 
     byte[] derivedMac = generateMac(derivedKey, cipherText);
 
-    if (!Arrays.equals(derivedMac, mac)) {
+    if (!java.security.MessageDigest.isEqual(derivedMac, mac)) {
       throw new CipherException("Invalid password provided");
     }
 

crypto/src/test/java/org/tron/keystore/CredentialsTest.java

@@ -30,8 +30,9 @@ public void testCreateFromSM2() {
       Credentials.create(SM2.fromNodeId(ByteUtil.hexToBytes("fffffffffff"
           + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
           + "fffffffffffffffffffffffffffffffffffffff")));
-    } catch (Exception e) {
-      Assert.assertTrue(e instanceof IllegalArgumentException);
+      Assert.fail("Expected IllegalArgumentException");
+    } catch (IllegalArgumentException e) {
+      // Expected
     }
   }
 
@@ -43,8 +44,6 @@ public void testEquals() throws NoSuchAlgorithmException {
         SecureRandom.getInstance("NativePRNG"), true));
     Assert.assertFalse("Credentials instance should be not equal!",
         credentials1.equals(credentials2));
-    Assert.assertFalse("Credentials instance hashcode should be not equal!",
-        credentials1.hashCode() == credentials2.hashCode());
   }
 
   @Test

crypto/src/test/java/org/tron/keystore/CrossImplTest.java

@@ -3,62 +3,127 @@
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.File;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
 import org.tron.common.crypto.SignInterface;
 import org.tron.common.crypto.SignUtils;
 import org.tron.common.utils.Utils;
 
 /**
- * Cross-implementation compatibility tests.
- * Verifies that keystore files can survive a roundtrip through the
- * Java implementation (encrypt → serialize → deserialize → decrypt).
+ * Format compatibility tests.
  *
- * Also verifies that keystore files generated by legacy --keystore-factory
- * code are compatible with the new library.
+ * <p>All tests generate keystores dynamically at test time — no static
+ * fixtures or secrets stored in the repository. Verifies that keystore
+ * files can survive a full roundtrip: generate keypair, encrypt, serialize
+ * to JSON file, deserialize, decrypt, compare private key and address.
  */
 public class CrossImplTest {
 
   private static final ObjectMapper MAPPER = new ObjectMapper()
       .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
+
+  // --- Ethereum standard test vectors (from Web3 Secret Storage spec, inline) ---
+  // Source: web3j WalletTest.java — password and private key are public test data.
+
+  private static final String ETH_PASSWORD = "Insecure Pa55w0rd";
+  private static final String ETH_PRIVATE_KEY =
+      "a392604efc2fad9c0b3da43b5f698a2e3f270f170d859912be0d54742275c5f6";
+
+  private static final String ETH_PBKDF2_KEYSTORE = "{"
+      + "\"crypto\":{\"cipher\":\"aes-128-ctr\","
+      + "\"cipherparams\":{\"iv\":\"02ebc768684e5576900376114625ee6f\"},"
+      + "\"ciphertext\":\"7ad5c9dd2c95f34a92ebb86740b92103a5d1cc4c2eabf3b9a59e1f83f3181216\","
+      + "\"kdf\":\"pbkdf2\","
+      + "\"kdfparams\":{\"c\":262144,\"dklen\":32,\"prf\":\"hmac-sha256\","
+      + "\"salt\":\"0e4cf3893b25bb81efaae565728b5b7cde6a84e224cbf9aed3d69a31c981b702\"},"
+      + "\"mac\":\"2b29e4641ec17f4dc8b86fc8592090b50109b372529c30b001d4d96249edaf62\"},"
+      + "\"id\":\"af0451b4-6020-4ef0-91ec-794a5a965b01\",\"version\":3}";
+
+  private static final String ETH_SCRYPT_KEYSTORE = "{"
+      + "\"crypto\":{\"cipher\":\"aes-128-ctr\","
+      + "\"cipherparams\":{\"iv\":\"3021e1ef4774dfc5b08307f3a4c8df00\"},"
+      + "\"ciphertext\":\"4dd29ba18478b98cf07a8a44167acdf7e04de59777c4b9c139e3d3fa5cb0b931\","
+      + "\"kdf\":\"scrypt\","
+      + "\"kdfparams\":{\"dklen\":32,\"n\":262144,\"r\":8,\"p\":1,"
+      + "\"salt\":\"4f9f68c71989eb3887cd947c80b9555fce528f210199d35c35279beb8c2da5ca\"},"
+      + "\"mac\":\"7e8f2192767af9be18e7a373c1986d9190fcaa43ad689bbb01a62dbde159338d\"},"
+      + "\"id\":\"7654525c-17e0-4df5-94b5-c7fde752c9d2\",\"version\":3}";
+
+  @Test
+  public void testDecryptEthPbkdf2Keystore() throws Exception {
+    WalletFile walletFile = MAPPER.readValue(ETH_PBKDF2_KEYSTORE, WalletFile.class);
+    SignInterface recovered = Wallet.decrypt(ETH_PASSWORD, walletFile, true);
+    assertEquals("Private key must match Ethereum test vector",
+        ETH_PRIVATE_KEY,
+        org.tron.common.utils.ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
   @Test
-  public void testLightKeystoreRoundtrip() throws Exception {
-    String password = "testpassword123";
+  public void testDecryptEthScryptKeystore() throws Exception {
+    WalletFile walletFile = MAPPER.readValue(ETH_SCRYPT_KEYSTORE, WalletFile.class);
+    SignInterface recovered = Wallet.decrypt(ETH_PASSWORD, walletFile, true);
+    assertEquals("Private key must match Ethereum test vector",
+        ETH_PRIVATE_KEY,
+        org.tron.common.utils.ByteArray.toHexString(recovered.getPrivateKey()));
+  }
+
+  // --- Dynamic format compatibility (no static secrets) ---
+
+  @Test
+  public void testKeystoreFormatCompatibility() throws Exception {
     SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
     byte[] originalKey = keyPair.getPrivateKey();
+    String password = "dynamicTest123";
 
-    // Create keystore → write to temp file → read back → decrypt
-    WalletFile walletFile = Wallet.createLight(password, keyPair);
-    File tempFile = File.createTempFile("keystore-test-", ".json");
-    tempFile.deleteOnExit();
-    MAPPER.writeValue(tempFile, walletFile);
+    WalletFile walletFile = Wallet.createStandard(password, keyPair);
 
+    // Verify Web3 Secret Storage structure
+    assertEquals("version must be 3", 3, walletFile.getVersion());
+    assertNotNull("must have address", walletFile.getAddress());
+    assertNotNull("must have crypto", walletFile.getCrypto());
+    assertEquals("cipher must be aes-128-ctr",
+        "aes-128-ctr", walletFile.getCrypto().getCipher());
+    assertTrue("kdf must be scrypt or pbkdf2",
+        "scrypt".equals(walletFile.getCrypto().getKdf())
+            || "pbkdf2".equals(walletFile.getCrypto().getKdf()));
+
+    // Write to file, read back — simulates cross-process interop
+    File tempFile = new File(tempFolder.getRoot(), "compat-test.json");
+    MAPPER.writeValue(tempFile, walletFile);
     WalletFile loaded = MAPPER.readValue(tempFile, WalletFile.class);
-    SignInterface recovered = Wallet.decrypt(password, loaded, true);
 
-    assertArrayEquals("File roundtrip must preserve private key",
+    SignInterface recovered = Wallet.decrypt(password, loaded, true);
+    assertArrayEquals("Key must survive file roundtrip",
         originalKey, recovered.getPrivateKey());
+
+    // Verify TRON address format
+    byte[] tronAddr = recovered.getAddress();
+    assertEquals("TRON address must be 21 bytes", 21, tronAddr.length);
+    assertEquals("First byte must be TRON prefix", 0x41, tronAddr[0] & 0xFF);
   }
 
   @Test
-  public void testStandardKeystoreRoundtrip() throws Exception {
-    String password = "testpassword456";
+  public void testLightScryptFormatCompatibility() throws Exception {
     SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
     byte[] originalKey = keyPair.getPrivateKey();
+    String password = "lightCompat456";
 
-    WalletFile walletFile = Wallet.createStandard(password, keyPair);
-    File tempFile = File.createTempFile("keystore-std-", ".json");
-    tempFile.deleteOnExit();
+    WalletFile walletFile = Wallet.createLight(password, keyPair);
+    File tempFile = new File(tempFolder.getRoot(), "light-compat.json");
     MAPPER.writeValue(tempFile, walletFile);
-
     WalletFile loaded = MAPPER.readValue(tempFile, WalletFile.class);
-    SignInterface recovered = Wallet.decrypt(password, loaded, true);
 
-    assertArrayEquals("Standard scrypt file roundtrip must preserve private key",
+    SignInterface recovered = Wallet.decrypt(password, loaded, true);
+    assertArrayEquals("Key must survive light scrypt file roundtrip",
         originalKey, recovered.getPrivateKey());
   }
 
@@ -85,30 +150,16 @@ public void testLoadCredentialsIntegration() throws Exception {
     byte[] originalKey = keyPair.getPrivateKey();
     String originalAddress = Credentials.create(keyPair).getAddress();
 
-    // Use WalletUtils full flow
-    File tempDir = new File(System.getProperty("java.io.tmpdir"), "keystore-test-" +
-        System.currentTimeMillis());
-    tempDir.mkdirs();
-    try {
-      String fileName = WalletUtils.generateWalletFile(password, keyPair, tempDir, false);
-      assertNotNull(fileName);
-
-      File keystoreFile = new File(tempDir, fileName);
-      Credentials loaded = WalletUtils.loadCredentials(password, keystoreFile, true);
-
-      assertEquals("Address must survive full WalletUtils roundtrip",
-          originalAddress, loaded.getAddress());
-      assertArrayEquals("Key must survive full WalletUtils roundtrip",
-          originalKey, loaded.getSignInterface().getPrivateKey());
-    } finally {
-      // Cleanup
-      File[] files = tempDir.listFiles();
-      if (files != null) {
-        for (File f : files) {
-          f.delete();
-        }
-      }
-      tempDir.delete();
-    }
+    File tempDir = tempFolder.newFolder("wallet-integration");
+    String fileName = WalletUtils.generateWalletFile(password, keyPair, tempDir, false);
+    assertNotNull(fileName);
+
+    File keystoreFile = new File(tempDir, fileName);
+    Credentials loaded = WalletUtils.loadCredentials(password, keystoreFile, true);
+
+    assertEquals("Address must survive full WalletUtils roundtrip",
+        originalAddress, loaded.getAddress());
+    assertArrayEquals("Key must survive full WalletUtils roundtrip",
+        originalKey, loaded.getSignInterface().getPrivateKey());
   }
 }

crypto/src/test/java/org/tron/keystore/WalletPropertyTest.java

@@ -16,7 +16,8 @@
 public class WalletPropertyTest {
 
   private static final SecureRandom RANDOM = new SecureRandom();
-  private static final String CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  private static final String CHARS =
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
   @Test
   public void encryptDecryptRoundtripLight() throws Exception {
@@ -33,10 +34,10 @@ public void encryptDecryptRoundtripLight() throws Exception {
     }
   }
 
-  @Test
+  @Test(timeout = 120000)
   public void encryptDecryptRoundtripStandard() throws Exception {
-    // Fewer iterations for standard scrypt (slow)
-    for (int i = 0; i < 5; i++) {
+    // Fewer iterations for standard scrypt (slow, ~10s each)
+    for (int i = 0; i < 2; i++) {
       String password = randomPassword(6, 16);
       SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
       byte[] originalKey = keyPair.getPrivateKey();

framework/src/main/java/org/tron/program/KeystoreFactory.java

@@ -15,11 +15,20 @@
 import org.tron.keystore.WalletUtils;
 
 @Slf4j(topic = "app")
+@Deprecated
 public class KeystoreFactory {
 
   private static final String FilePath = "Wallet";
 
   public static void start() {
+    System.err.println("WARNING: --keystore-factory is deprecated and will be removed "
+        + "in a future release.");
+    System.err.println("Please use: java -jar Toolkit.jar keystore <command>");
+    System.err.println("  keystore new       - Generate a new keystore");
+    System.err.println("  keystore import    - Import a private key");
+    System.err.println("  keystore list      - List keystores");
+    System.err.println("  keystore update    - Change password");
+    System.err.println();
     KeystoreFactory cli = new KeystoreFactory();
     cli.run();
   }
@@ -57,13 +66,12 @@ private void fileCheck(File file) throws IOException {
 
 
   private void genKeystore() throws CipherException, IOException {
+    boolean ecKey = CommonParameter.getInstance().isECKeyCryptoEngine();
     String password = WalletUtils.inputPassword2Twice();
 
-    SignInterface eCkey = SignUtils.getGeneratedRandomSign(Utils.random,
-        CommonParameter.getInstance().isECKeyCryptoEngine());
+    SignInterface eCkey = SignUtils.getGeneratedRandomSign(Utils.random, ecKey);
     File file = new File(FilePath);
     fileCheck(file);
-    boolean ecKey = CommonParameter.getInstance().isECKeyCryptoEngine();
     String fileName = WalletUtils.generateWalletFile(password, eCkey, file, true);
     System.out.println("Gen a keystore its name " + fileName);
     Credentials credentials = WalletUtils.loadCredentials(password, new File(file, fileName),
@@ -86,11 +94,10 @@ private void importPrivateKey() throws CipherException, IOException {
 
     String password = WalletUtils.inputPassword2Twice();
 
-    SignInterface eCkey = SignUtils.fromPrivate(ByteArray.fromHexString(privateKey),
-        CommonParameter.getInstance().isECKeyCryptoEngine());
+    boolean ecKey = CommonParameter.getInstance().isECKeyCryptoEngine();
+    SignInterface eCkey = SignUtils.fromPrivate(ByteArray.fromHexString(privateKey), ecKey);
     File file = new File(FilePath);
     fileCheck(file);
-    boolean ecKey = CommonParameter.getInstance().isECKeyCryptoEngine();
     String fileName = WalletUtils.generateWalletFile(password, eCkey, file, true);
     System.out.println("Gen a keystore its name " + fileName);
     Credentials credentials = WalletUtils.loadCredentials(password, new File(file, fileName),
@@ -99,11 +106,13 @@ private void importPrivateKey() throws CipherException, IOException {
   }
 
   private void help() {
-    System.out.println("You can enter the following command: ");
-    System.out.println("GenKeystore");
-    System.out.println("ImportPrivateKey");
-    System.out.println("Exit or Quit");
-    System.out.println("Input any one of them, you will get more tips.");
+    System.out.println("NOTE: --keystore-factory is deprecated. Use Toolkit.jar instead:");
+    System.out.println("  java -jar Toolkit.jar keystore new|import|list|update");
+    System.out.println();
+    System.out.println("Legacy commands (will be removed):");
+    System.out.println("  GenKeystore");
+    System.out.println("  ImportPrivateKey");
+    System.out.println("  Exit or Quit");
   }
 
   private void run() {