WIP

Signed-off-by: Priya Wadhwa <[email protected]>

cmd/ctlog/createctconfig/main.go

@@ -63,7 +63,7 @@ var (
 	// TODO: Support ed25519
 	keyType     = flag.String("keytype", "ecdsa", "Which private key to generate [rsa,ecdsa]")
 	curveType   = flag.String("curvetype", "p256", "Curve type to use [p256, p384,p521]")
-	keyPassword = flag.String("key-password", "test", "Password for encrypting the PEM key")
+	keyPassword = flag.String("key-password", "", "Password for encrypting the PEM key")
 
 	// Supported elliptic curve functions.
 	supportedCurves = map[string]elliptic.Curve{

pkg/ctlog/config.go

@@ -33,7 +33,6 @@ import (
 	"github.com/google/certificate-transparency-go/trillian/ctfe/configpb"
 	"github.com/google/trillian/crypto/keyspb"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"go.step.sm/crypto/pemutil"
 	"google.golang.org/protobuf/encoding/prototext"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -327,12 +326,14 @@ func (c *Config) marshalSecrets() (map[string][]byte, error) {
 		Bytes: marshalledPrivKey,
 	}
 	// Encrypt the pem
-	encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256)
-	if err != nil {
-		return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+	if c.PrivKeyPassword != "" {
+		block, err = x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256) // nolint
+		if err != nil {
+			return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+		}
 	}
 
-	privPEM := pem.EncodeToMemory(encryptedBlock)
+	privPEM := pem.EncodeToMemory(block)
 	if privPEM == nil {
 		return nil, fmt.Errorf("failed to encode encrypted private key")
 	}