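// moveKeysWithNewPassphrase copies every key file found in oldKeyStore into
// newKeyStore. Plaintext PEM keys are parsed and stored encrypted under
// outputPassphrase; PEM blocks that are already encrypted are copied through
// byte-for-byte and are NOT re-encrypted with outputPassphrase. Nothing is
// removed from oldKeyStore.
//
// The key's relative path inside the store is derived from the file name
// (extension stripped, base directory and leading separator trimmed) and is
// reused as the key's path in newKeyStore.
//
// It returns the first error encountered; ErrNoValidPrivateKey is returned
// when a file does not contain a PEM block. An error from AddEncryptedKey is
// propagated (an earlier version shadowed err inside the plaintext branch and
// silently dropped that error, leaving the migration partially done).
func moveKeysWithNewPassphrase(oldKeyStore, newKeyStore *trustmanager.KeyFileStore, outputPassphrase string) error {
	// List all files but no symlinks
	for _, f := range oldKeyStore.ListFiles(false) {
		fullKeyPath := strings.TrimSpace(strings.TrimSuffix(f, filepath.Ext(f)))
		relKeyPath := strings.TrimPrefix(fullKeyPath, oldKeyStore.BaseDir())
		relKeyPath = strings.TrimPrefix(relKeyPath, string(filepath.Separator))

		pemBytes, err := oldKeyStore.Get(relKeyPath)
		if err != nil {
			return err
		}

		block, _ := pem.Decode(pemBytes)
		if block == nil {
			return ErrNoValidPrivateKey
		}

		// NOTE: x509.IsEncryptedPEMBlock detects the legacy RFC 1423 PEM
		// encryption scheme, which Go has deprecated as insecure; it is kept
		// here only to recognise existing stores written in that format.
		if x509.IsEncryptedPEMBlock(block) {
			// Encrypted key - pass it through without decrypting.
			if err := newKeyStore.Add(relKeyPath, pemBytes); err != nil {
				return err
			}
			continue
		}

		// Key is not encrypted. Parse it, and add it to the temporary
		// store as an encrypted key. Both errors are checked in this
		// scope so neither can be masked by a shadowed variable.
		privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
		if err != nil {
			return err
		}
		if err := newKeyStore.AddEncryptedKey(relKeyPath, privKey, outputPassphrase); err != nil {
			return err
		}
	}
	return nil
}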