test(framework): add SR keystore loading regression tests

Barbatos · Barbatos · commit 4dbc8ce9375b · 2026-04-25T20:39:06.000+08:00
The Toolkit side (KeystoreUpdateTest) already covered both the legacy
truncation tip behavior (whitespace and non-whitespace branches) and
the address-mismatch defense, but the SR startup path through
WitnessInitializer.initFromKeystore had no equivalent coverage. Since
witnesses are the primary consumer of these fixes, exercise them here
too.

Three new tests:

* testLegacyTruncationTipFiresOnWhitespacePassword — wrong password
  containing whitespace must trigger the FullNode keystore-factory hint,
  with TronError code WITNESS_KEYSTORE_LOAD.
* testLegacyTruncationTipSuppressedOnNoWhitespacePassword — wrong
  password without whitespace must still log the load failure but must
  NOT surface the legacy tip (otherwise it would be noise on the common
  wrong-password case).
* testTamperedKeystoreRejectedAtSrLoading — a keystore whose declared
  address does not match the address derived from its encrypted private
  key must be rejected with a CipherException carrying "address
  mismatch", wrapped in TronError(WITNESS_KEYSTORE_LOAD).

A small Logback ListAppender helper attaches to the WitnessInitializer
logger to capture log output for the tip assertions.
diff --git a/framework/src/test/java/org/tron/core/config/args/WitnessInitializerKeystoreTest.java b/framework/src/test/java/org/tron/core/config/args/WitnessInitializerKeystoreTest.java
@@ -3,19 +3,29 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
 
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.read.ListAppender;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.File;
 import java.security.SecureRandom;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
+import org.slf4j.LoggerFactory;
 import org.tron.common.crypto.SignInterface;
 import org.tron.common.crypto.SignUtils;
 import org.tron.common.utils.ByteArray;
 import org.tron.common.utils.LocalWitnesses;
+import org.tron.core.exception.TronError;
 import org.tron.keystore.Credentials;
+import org.tron.keystore.WalletFile;
 import org.tron.keystore.WalletUtils;
 
 /**
@@ -83,4 +93,115 @@ public void testNewKeystoreLoadableByWitnessInitializer() {
     assertEquals("Private key must match original",
         expectedPrivateKey, result.getPrivateKeys().get(0));
   }
+
+  @Test
+  public void testLegacyTruncationTipFiresOnWhitespacePassword() {
+    // The SR startup path should mirror the Toolkit's behavior: when the
+    // supplied password contains whitespace and decryption fails, emit the
+    // legacy-truncation hint pointing operators at the FullNode keystore-
+    // factory bug. The Toolkit covers this in
+    // KeystoreUpdateTest#testUpdateLegacyTipFiresWhenPasswordHasWhitespace.
+    java.util.List<String> keystores =
+        java.util.Collections.singletonList(keystoreFileName);
+    ListAppender<ILoggingEvent> appender = attachAppender();
+    try {
+      TronError err = assertThrows(TronError.class, () ->
+          WitnessInitializer.initFromKeystore(
+              keystores, "wrong pass with spaces", null));
+      assertEquals(TronError.ErrCode.WITNESS_KEYSTORE_LOAD, err.getErrCode());
+      String logs = renderLogs(appender);
+      assertTrue("Legacy-truncation tip must fire for whitespace password,"
+              + " got: " + logs,
+          logs.contains("first whitespace-separated word"));
+    } finally {
+      detachAppender(appender);
+    }
+  }
+
+  @Test
+  public void testLegacyTruncationTipSuppressedOnNoWhitespacePassword() {
+    // For the common "wrong password" case (no whitespace), the legacy tip
+    // would be misleading noise — it must be suppressed while still surfacing
+    // the underlying load failure.
+    java.util.List<String> keystores =
+        java.util.Collections.singletonList(keystoreFileName);
+    ListAppender<ILoggingEvent> appender = attachAppender();
+    try {
+      TronError err = assertThrows(TronError.class, () ->
+          WitnessInitializer.initFromKeystore(
+              keystores, "wrongnospaces", null));
+      assertEquals(TronError.ErrCode.WITNESS_KEYSTORE_LOAD, err.getErrCode());
+      String logs = renderLogs(appender);
+      assertTrue("Witness load failure must still be logged, got: " + logs,
+          logs.contains("Witness node start failed"));
+      assertFalse("Legacy-truncation tip must NOT fire for whitespace-free"
+              + " password, got: " + logs,
+          logs.contains("first whitespace-separated word"));
+    } finally {
+      detachAppender(appender);
+    }
+  }
+
+  @Test
+  public void testTamperedKeystoreRejectedAtSrLoading() throws Exception {
+    // Address-spoofing defense: a keystore whose declared `address` field does
+    // not match the address derived from the decrypted private key must be
+    // rejected at decryption time. Without this check, an attacker who could
+    // place a file in the SR's keystore dir could trick a witness into signing
+    // with a different key while displaying a familiar address. The check
+    // lives in Wallet.decrypt; this test verifies it propagates correctly
+    // through the WitnessInitializer path.
+    File dir = new File(System.getProperty("user.dir"), DIR_NAME);
+    SignInterface keyPair = SignUtils.getGeneratedRandomSign(
+        SecureRandom.getInstance("NativePRNG"), true);
+    String pwd = "tamperpwd123";
+    String generatedName = WalletUtils.generateWalletFile(pwd, keyPair, dir, true);
+    File keystoreFile = new File(dir, generatedName);
+    try {
+      // Tamper: rewrite the address field to a different value than what the
+      // encrypted private key actually derives to.
+      ObjectMapper mapper = new ObjectMapper().configure(
+          DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+      WalletFile wf = mapper.readValue(keystoreFile, WalletFile.class);
+      String spoofedAddress = "TSpoofedSrAddressXXXXXXXXXXXXXXXXXXX";
+      wf.setAddress(spoofedAddress);
+      mapper.writeValue(keystoreFile, wf);
+
+      java.util.List<String> keystores =
+          java.util.Collections.singletonList(DIR_NAME + "/" + generatedName);
+      TronError err = assertThrows(TronError.class, () ->
+          WitnessInitializer.initFromKeystore(keystores, pwd, null));
+      assertEquals("Should be a witness keystore load failure",
+          TronError.ErrCode.WITNESS_KEYSTORE_LOAD, err.getErrCode());
+      Throwable cause = err.getCause();
+      assertNotNull("TronError must wrap the underlying CipherException", cause);
+      assertNotNull("Cause message must not be null", cause.getMessage());
+      assertTrue("Cause must mention address mismatch, got: " + cause.getMessage(),
+          cause.getMessage().contains("address mismatch"));
+    } finally {
+      keystoreFile.delete();
+    }
+  }
+
+  private static ListAppender<ILoggingEvent> attachAppender() {
+    ListAppender<ILoggingEvent> appender = new ListAppender<>();
+    appender.start();
+    Logger logger = (Logger) LoggerFactory.getLogger(WitnessInitializer.class);
+    logger.addAppender(appender);
+    return appender;
+  }
+
+  private static void detachAppender(ListAppender<ILoggingEvent> appender) {
+    Logger logger = (Logger) LoggerFactory.getLogger(WitnessInitializer.class);
+    logger.detachAppender(appender);
+    appender.stop();
+  }
+
+  private static String renderLogs(ListAppender<ILoggingEvent> appender) {
+    StringBuilder sb = new StringBuilder();
+    for (ILoggingEvent event : appender.list) {
+      sb.append(event.getFormattedMessage()).append('\n');
+    }
+    return sb.toString();
+  }
 }
