From 7f3fc711d26e4f510bfe51e35efaef077af66de5 Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Wed, 16 Oct 2024 22:52:05 -0400
Subject: [PATCH 1/2] Replace deprecated function EncryptPEMBlock
I already replaced this deprecated function in rekor and fulcio, this PR replaces it everywhere else it's used as well.
Signed-off-by: Priya Wadhwa
---
 cmd/fulcio/createcerts/main.go | 2 +-
 cmd/tsa/createcertchain/main.go | 3 ++-
 pkg/ctlog/config.go | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cmd/fulcio/createcerts/main.go b/cmd/fulcio/createcerts/main.go
index 6d2f5a786..a0290b34c 100644
--- a/cmd/fulcio/createcerts/main.go
+++ b/cmd/fulcio/createcerts/main.go
@@ -152,7 +152,7 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 // Encrypt the pem
 block, err = pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(pwd), x509.PEMCipherAES256)
 if err != nil {
- return nil, nil, nil, "", fmt.Errorf("EncryptPEMBlock failed: %w", err)
+ return nil, nil, nil, "", fmt.Errorf("EncryptPKCS8PrivateKey failed: %w", err)
 }
 privPEM := pem.EncodeToMemory(block)
diff --git a/cmd/tsa/createcertchain/main.go b/cmd/tsa/createcertchain/main.go
index 8a4534094..c38493c96 100644
--- a/cmd/tsa/createcertchain/main.go
+++ b/cmd/tsa/createcertchain/main.go
@@ -25,6 +25,7 @@ import (
 "os"
 "github.com/google/uuid"
+ "go.step.sm/crypto/pemutil"
 "github.com/sigstore/scaffolding/pkg/secret"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -98,7 +99,7 @@ func main() {
 }
 // Encrypt the pem with a uuid
 pwd := uuid.New().String()
- encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(pwd), x509.PEMCipherAES256) // nolint
+ encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(pwd), x509.PEMCipherAES256)
 if err != nil {
 logging.FromContext(ctx).Fatalf("Failed to encrypt private key: %v", err)
 }
diff --git a/pkg/ctlog/config.go b/pkg/ctlog/config.go
index dc26d28b0..9a761bef6 100644
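Review bot: The new call `encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(pwd), x509.PEMCipherAES256)` in cmd/tsa/createcertchain/main.go only takes `block.Bytes` and drops `block.Type`, so it is correct only if the bytes are PKCS#8 DER; the removed `x509.EncryptPEMBlock` accepted any block type, and the marshalling that fills `block` sits above the hunk and is not visible here, so please confirm it uses `x509.MarshalPKCS8PrivateKey` rather than a SEC1/PKCS#1 marshaller. The output format also changes from a legacy DEK-Info block of the original type to, as far as I know, an "ENCRYPTED PRIVATE KEY" PBES2 block, which `x509.DecryptPEMBlock`/`x509.IsEncryptedPEMBlock` on the consuming side will not recognise, so whatever reads this secret back needs a matching parser (e.g. pemutil) or the key becomes unusable after rollout. A comment at the call site would make the contract explicit: `// block.Bytes must be PKCS#8 DER; the result is an ENCRYPTED PRIVATE KEY (PBES2) block, not the RFC 1423 DEK-Info form`. The same two points apply to the `marshalSecrets` hunk in pkg/ctlog/config.go in this patch. `main` continues outside the hunk.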
--- a/pkg/ctlog/config.go
+++ b/pkg/ctlog/config.go
@@ -33,6 +33,7 @@ import (
 "github.com/google/certificate-transparency-go/trillian/ctfe/configpb"
 "github.com/google/trillian/crypto/keyspb"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
+ "go.step.sm/crypto/pemutil"
 "google.golang.org/protobuf/encoding/prototext"
 "google.golang.org/protobuf/proto"
 "google.golang.org/protobuf/types/known/anypb"
@@ -326,7 +327,7 @@ func (c *Config) marshalSecrets() (map[string][]byte, error) {
 Bytes: marshalledPrivKey,
 }
 // Encrypt the pem
- encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256) // nolint
+ encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256)
 if err != nil {
 return nil, fmt.Errorf("failed to encrypt private key: %w", err)
 }
From bd220c17c27fa0f687a5ec54cfb751be8ace106f Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Wed, 16 Oct 2024 23:46:59 -0400
Subject: [PATCH 2/2] WIP
Signed-off-by: Priya Wadhwa
---
 cmd/ctlog/createctconfig/main.go | 2 +-
 pkg/ctlog/config.go | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/cmd/ctlog/createctconfig/main.go b/cmd/ctlog/createctconfig/main.go
index 0b04379ce..5ad215047 100644
--- a/cmd/ctlog/createctconfig/main.go
+++ b/cmd/ctlog/createctconfig/main.go
@@ -63,7 +63,7 @@ var (
 // TODO: Support ed25519
 keyType = flag.String("keytype", "ecdsa", "Which private key to generate [rsa,ecdsa]")
 curveType = flag.String("curvetype", "p256", "Curve type to use [p256, p384,p521]")
- keyPassword = flag.String("key-password", "test", "Password for encrypting the PEM key")
+ keyPassword = flag.String("key-password", "", "Password for encrypting the PEM key")
 // Supported elliptic curve functions.
 supportedCurves = map[string]elliptic.Curve{
diff --git a/pkg/ctlog/config.go b/pkg/ctlog/config.go
index 9a761bef6..c29c2fa30 100644
--- a/pkg/ctlog/config.go
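Review bot: The new default `""` for `keyPassword` in cmd/ctlog/createctconfig/main.go silently changes what the tool produces: together with the `if c.PrivKeyPassword != "" {` guard this series adds to `marshalSecrets`, an operator who does not pass `-key-password` now gets the CT log private key stored in the secret unencrypted, yet the usage string still reads as if encryption always happens. Make that visible in the flag itself, e.g. `keyPassword = flag.String("key-password", "", "Password for encrypting the PEM key; if empty, the key is stored unencrypted")`. Dropping the hard-coded `"test"` default is the right direction, but I would also expect the tool to log or warn at startup when the password is empty so the plaintext-key case is an explicit choice rather than an accident; the rest of the `var (` block is outside the hunk.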
+++ b/pkg/ctlog/config.go
@@ -33,7 +33,6 @@ import (
 "github.com/google/certificate-transparency-go/trillian/ctfe/configpb"
 "github.com/google/trillian/crypto/keyspb"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
- "go.step.sm/crypto/pemutil"
 "google.golang.org/protobuf/encoding/prototext"
 "google.golang.org/protobuf/proto"
 "google.golang.org/protobuf/types/known/anypb"
@@ -327,12 +326,14 @@ func (c *Config) marshalSecrets() (map[string][]byte, error) {
 Bytes: marshalledPrivKey,
 }
 // Encrypt the pem
- encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256)
- if err != nil {
- return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+ if c.PrivKeyPassword != "" {
+ block, err = x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256) // nolint
+ if err != nil {
+ return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+ }
 }
- privPEM := pem.EncodeToMemory(encryptedBlock)
+ privPEM := pem.EncodeToMemory(block)
 if privPEM == nil {
 return nil, fmt.Errorf("failed to encode encrypted private key")
 }
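Review bot: The second patch puts the deprecated `x509.EncryptPEMBlock` back into `marshalSecrets` behind `// nolint`, which undoes the point of the series: Go deprecates it because RFC 1423 legacy PEM encryption does not authenticate the ciphertext and is open to padding-oracle recovery of the key, so the `nolint` is hiding a real weakness rather than a false positive. The empty-password guard is fine on its own, but the line inside it should stay on the PKCS#8 path, i.e. `block, err = pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256)`, with the `go.step.sm/crypto/pemutil` import kept in the `import (` hunk above instead of removed. `block, err =` is now a plain assignment, so it relies on `err` already being declared earlier in `marshalSecrets` (the function begins outside the hunk) and on `block` being a `*pem.Block` that is safe to overwrite — worth confirming against the lines above. The message `"failed to encode encrypted private key"` is no longer accurate when the password is empty and the block is written in plaintext; `"failed to encode private key"` covers both branches.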