fix: allow unencrypted PEM

Author: JasonPowr

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## HEAD
 
+* Allow unencrypted PEM private key files by @JasonPowr
+  * `ReadPrivateKeyFile` and `FromProto` (via `PEMKeyFile`) now accept an empty password, treating the key as unencrypted. Previously, an empty password was rejected with an error.
 * Replace deprecated `golang.org/x/crypto/ed25519` with stdlib `crypto/ed25519` by @JasonPowr
 
 ## v1.7.3

crypto/keys/pem/pem.go

@@ -30,12 +30,9 @@ import (
 )
 
 // ReadPrivateKeyFile reads a PEM-encoded private key from a file.
-// The key must be protected by a password.
+// The key may be protected by a password. If password is empty, the key is
+// assumed to be unencrypted.
 func ReadPrivateKeyFile(file, password string) (crypto.Signer, error) {
-	if password == "" {
-		return nil, fmt.Errorf("pemfile: empty password for file %q", file)
-	}
-
 	keyPEM, err := os.ReadFile(file)
 	if err != nil {
 		return nil, fmt.Errorf("pemfile: error reading file %q: %v", file, err)

crypto/keys/pem/pem_test.go

@@ -76,6 +76,10 @@ func TestLoadPrivateKeyAndSign(t *testing.T) {
 			keyPath: "../../../testdata/log-rpc-server.privkey.pem",
 			keyPass: "towel",
 		},
+		{
+			desc:    "ECDSA from file without password",
+			keyPath: "../../../testdata/log-rpc-server-unencrypted.privkey.pem",
+		},
 		{
 			desc:        "Non-existent file",
 			keyPath:     "non-existent.pem",

testdata/log-rpc-server-unencrypted.privkey.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MHcCAQEEIHG5m/q2sUSa4P8pRZgYt3K0ESFSKp1qp15VjJhpLle4oAoGCCqGSM49AwEHoUQDQgAEvuynpVdR+5xSNaVBb//1fqO6Nb/nC+WvRQ4bALzy4G+QbByvO1Qpm2eUzTdDUnsLN5hp3pIXYAmtjvjY1fFZEg==
+-----END PRIVATE KEY-----