Encrypted PEM keys

[fpseverino]

New API Proposal: Support for encrypted PEM private keys

Motivation:

Currently, the library can read and handle unencrypted PEM-encoded private keys, but it can't directly load encrypted PEM keys. This can be a limitation in scenarios where users need to store their private keys in an insecure place or when working with third-party APIs that give the users encrypted PEM keys (e.g., PassKit/Apple Wallet).
Also, there is a bit of inconsistency within the ecosystem, as NIOSSL supports them, but only for TLS/SSL related stuff.

Importance:

The best solution I know of at the moment is to use an openssl executable (where available) inside a blocking Process. That's how we do it currently in the vapor-community/PassKit library.

cc @0xTim

[Lukasa]

Thanks for filing this!

One of the wrinkles of supporting encrypted PEM keys is that those encryption schemes often rely on very weak cryptography that we don't otherwise want to support in Swift Crypto. A similar issue occurs with PKCS#12 support.

I think a pragmatic compromise might be to add interfaces in CryptoExtras that directly call into the underlying BoringSSL functions to perform the decryption, rather than attempt to add fully-fledged support for those cryptosystems to Crypto itself.

See-also #263.