Even with a password, the encryption scheme used here is really not what
we'd want people to use. This does two things:

1. Cut down on the number of ways to use ExportEncryptedPrivateKey and
   makes it less likely someone will mistakenly use it for security
   purposes.

2. When we ported to BoringSSL, we added "raw" versions of
   PKCS8_{encrypt,decrypt} to account for confusion about two ways to
   encode the empty password. But PKCS8_{encrypt,decrypt} already
   handled this by treating NULL and "" differently. Limiting to just
   the empty password lets us trim BoringSSL's API surface in
   preparation for decoupling it from crypto/asn1.

BUG=603319

Review-Url: https://codereview.chromium.org/2608453002
Cr-Commit-Position: refs/heads/master@{#441365}