feat(crypto): warn when SR keystore is a symbolic link

Aligns WalletUtils.loadCredentials with the Lighthouse-style policy:
follow the symlink (preserving compatibility with legitimate SR
deployments that organize keystores via symlinks — e.g. encrypted-
volume mounts, container volume bindings, /opt/tron → /mnt/secrets
layouts), but emit a logger.warn so operators have a chance to notice
if a path they did not expect to be a symlink has become one.

Hard-rejecting would silently break "SR fails to start" on upgrade for
operators using these legitimate patterns; warn-and-proceed surfaces
the situation without forcing a downtime cliff.

The lstat probe uses LinkOption.NOFOLLOW_LINKS so an attacker cannot
hide the symlink by racing the check; if the lstat itself fails for
unrelated reasons (permission, fs error) we silently fall through and
let the subsequent readValue surface the real error.

Tests verify a symlinked keystore still loads end-to-end (the
Lighthouse parity path) and that a regular-file roundtrip is unaffected.

Author: Barbatos

crypto/src/main/java/org/tron/keystore/WalletUtils.java

@@ -8,8 +8,10 @@
 import java.io.IOException;
 import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.BasicFileAttributes;
 import java.nio.file.attribute.PosixFilePermission;
 import java.nio.file.attribute.PosixFilePermissions;
 import java.time.ZoneOffset;
@@ -19,13 +21,15 @@
 import java.util.EnumSet;
 import java.util.Scanner;
 import java.util.Set;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.tron.common.crypto.SignInterface;
 import org.tron.core.exception.CipherException;
 
 /**
  * Utility functions for working with Wallet files.
  */
+@Slf4j(topic = "keystore")
 public class WalletUtils {
 
   private static final ObjectMapper objectMapper = new ObjectMapper();
@@ -117,10 +121,36 @@ public static void writeWalletFile(WalletFile walletFile, File destination)
 
   public static Credentials loadCredentials(String password, File source, boolean ecKey)
       throws IOException, CipherException {
+    warnIfSymbolicLink(source);
     WalletFile walletFile = objectMapper.readValue(source, WalletFile.class);
     return Credentials.create(Wallet.decrypt(password, walletFile, ecKey));
   }
 
+  /**
+   * Emit a warning if {@code source} is a symbolic link. The keystore is still
+   * read (following the symlink), preserving compatibility with legitimate
+   * deployments that use symlinks to organize keystore files (e.g.
+   * {@code /opt/tron/keystore/witness.json} -> {@code /mnt/encrypted/...},
+   * container volume-mount paths). The warning gives operators a chance to
+   * notice if a path they did not expect to be a symlink has become one — for
+   * example if an attacker with config-injection ability has redirected the
+   * SR startup keystore. This mirrors how Ethereum consensus clients (e.g.
+   * Lighthouse) handle a configured {@code voting_keystore_path}.
+   */
+  private static void warnIfSymbolicLink(File source) {
+    try {
+      BasicFileAttributes attrs = Files.readAttributes(source.toPath(),
+          BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
+      if (attrs.isSymbolicLink()) {
+        logger.warn("Keystore file is a symbolic link: {} — proceeding, "
+            + "but verify the symlink target points where you expect.",
+            source.getPath());
+      }
+    } catch (IOException ignored) {
+      // If we can't stat, let the subsequent readValue surface the real error.
+    }
+  }
+
   public static String getWalletFileName(WalletFile walletFile) {
     DateTimeFormatter format = DateTimeFormatter.ofPattern(
         "'UTC--'yyyy-MM-dd'T'HH-mm-ss.nVV'--'");

framework/src/test/java/org/tron/keystore/WalletUtilsWriteTest.java

@@ -166,4 +166,39 @@ public void testWriteWalletFileCleansUpTempOnFailure() throws Exception {
     assertNotNull(tempFiles);
     assertEquals("Temp file must be cleaned up on failure", 0, tempFiles.length);
   }
+
+  // ---------- loadCredentials symlink behavior ----------
+
+  @Test
+  public void testLoadCredentialsFollowsSymlinkButWarns() throws Exception {
+    Assume.assumeTrue("Symlinks only tested on POSIX",
+        !System.getProperty("os.name").toLowerCase().contains("win"));
+
+    File realDir = tempFolder.newFolder("load-symlink-target");
+    SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
+    String realName = WalletUtils.generateWalletFile("password123", keyPair, realDir, false);
+    File realKeystore = new File(realDir, realName);
+
+    File linkDir = tempFolder.newFolder("load-symlink-link");
+    File symlink = new File(linkDir, "witness.json");
+    Files.createSymbolicLink(symlink.toPath(), realKeystore.toPath());
+
+    // Should NOT throw — Lighthouse-style: follow the symlink, log a warning
+    // for the operator. Hard-rejecting would silently break legitimate SR
+    // deployments that organize keystores via symlinks.
+    Credentials creds =
+        WalletUtils.loadCredentials("password123", symlink, true);
+    assertNotNull(creds.getAddress());
+  }
+
+  @Test
+  public void testLoadCredentialsAcceptsRegularFile() throws Exception {
+    File dir = tempFolder.newFolder("load-ok");
+    SignInterface keyPair = SignUtils.getGeneratedRandomSign(Utils.getRandom(), true);
+    String fileName = WalletUtils.generateWalletFile("password123", keyPair, dir, false);
+
+    Credentials creds =
+        WalletUtils.loadCredentials("password123", new File(dir, fileName), true);
+    assertNotNull(creds.getAddress());
+  }
 }