Avoid NPE

Reported by coverity.

java/org/apache/tomcat/util/net/jsse/LocalStrings.properties

@@ -20,6 +20,7 @@ jsseUtil.excludeProtocol=The SSL protocol [{0}] which is supported in this JRE w
 jsseUtil.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start.
 
 pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java does not provide an API for constructing an RSA private key object from that format
+pemFile.noPassword=A password is required to decrypt the private key
 pemFile.notValidRFC5915=The provided key file does not conform to RFC 5915
 pemFile.notPbkdf2=The OID [{0}] is not the correct OID for PKBDF2 which is the only permitted KDF for PBES2
 pemFile.parseError=Unable to parse the key from [{0}]

java/org/apache/tomcat/util/net/jsse/PEMFile.java

@@ -505,6 +505,9 @@ private PrivateKey toPrivateKey(String keyAlgorithm, Format format, String filen
 
 
         private byte[] deriveKeyPBKDF1(int keyLength, String password, byte[] salt) throws NoSuchAlgorithmException {
+            if (password == null) {
+                throw new IllegalArgumentException(sm.getString("pemFile.noPassword"));
+            }
             // PBKDF1-MD5 as specified by PKCS#5
             byte[] key = new byte[keyLength];
 
@@ -529,6 +532,9 @@ private byte[] deriveKeyPBKDF1(int keyLength, String password, byte[] salt) thro
 
         private byte[] deriveKeyPBKDF2(String algorithm, String password, byte[] salt, int iterations, int keyLength)
                 throws GeneralSecurityException {
+            if (password == null) {
+                throw new IllegalArgumentException(sm.getString("pemFile.noPassword"));
+            }
             SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(algorithm);
             KeySpec keySpec;
             keySpec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLength);