From 1abf88a5e8eb6bf5f618777db2fa2282194e7350 Mon Sep 17 00:00:00 2001
From: Jack Doan
Date: Mon, 7 Oct 2024 12:41:51 -0400
Subject: [PATCH] eliminate SignPkcs11

---
 cert/sign.go | 17 -----------------
 cmd/nebula-cert/ca.go | 2 +-
 cmd/nebula-cert/sign.go | 4 ++--
 3 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/cert/sign.go b/cert/sign.go
index 263cf1ed8..b0bcea7ef 100644
--- a/cert/sign.go
+++ b/cert/sign.go
@@ -11,8 +11,6 @@ import (
 	"net/netip"
 	"slices"
 	"time"
-
-	"github.com/slackhq/nebula/pkclient"
 )
 
 // TBSCertificate represents a certificate intended to be signed.
@@ -76,21 +74,6 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert
 	}
 }
 
-func (t *TBSCertificate) SignPkcs11(signer Certificate, curve Curve, client *pkclient.PKClient) (Certificate, error) {
-	if client == nil {
-		return nil, fmt.Errorf("pkclient must be non-nil")
-	}
-	switch t.Curve {
-	case Curve_CURVE25519:
-		return nil, fmt.Errorf("only P256 is supported by PKCS#11")
-	case Curve_P256:
-		//todo: verify that pkcs11 hashes for you
-		return t.SignWith(signer, curve, client.SignASN1)
-	default:
-		return nil, fmt.Errorf("invalid curve: %s", t.Curve)
-	}
-}
-
 // SignWith will create a sealed certificate using details provided by the TBSCertificate as long as those
 // details do not violate constraints of the signing certificate.
 // If the TBSCertificate is a CA then signer must be nil.
diff --git a/cmd/nebula-cert/ca.go b/cmd/nebula-cert/ca.go
index 78416698a..248011098 100644
--- a/cmd/nebula-cert/ca.go
+++ b/cmd/nebula-cert/ca.go
@@ -272,7 +272,7 @@ func ca(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) error
 	var b []byte
 
 	if isP11 {
-		c, err = t.SignPkcs11(nil, curve, p11Client)
+		c, err = t.SignWith(nil, curve, p11Client.SignASN1)
 		if err != nil {
 			return fmt.Errorf("error while signing with PKCS#11: %w", err)
 		}
diff --git a/cmd/nebula-cert/sign.go b/cmd/nebula-cert/sign.go
index 6ac045214..253ef864e 100644
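Review bot: The nil-client guard and the P256-only restriction that the deleted `SignPkcs11` enforced are not carried over to the new `c, err = t.SignWith(nil, curve, p11Client.SignASN1)` line, so this call now relies on `isP11` implying a non-nil `p11Client` and on the curve having been validated earlier in `ca`, which starts and ends outside the hunk; the two `signCert` hunks in cmd/nebula-cert/sign.go have the same gap. If nothing upstream enforces it, a guard such as `if p11Client == nil { return fmt.Errorf("pkclient must be non-nil") }` before the call keeps the previous clear error instead of what is likely a nil dereference once `SignASN1` runs, and the Curve25519 rejection would need an equivalent check unless `SignWith` itself refuses it. The removed `//todo: verify that pkcs11 hashes for you` note is lost with the function; if that question is still open, it belongs in the `SignWith` signer-callback doc comment or at this call site so the hashing expectation placed on the PKCS#11 signer stays recorded.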
--- a/cmd/nebula-cert/sign.go
+++ b/cmd/nebula-cert/sign.go
@@ -316,7 +316,7 @@ func signCert(args []string, out io.Writer, errOut io.Writer, pr PasswordReader)
 			return fmt.Errorf("error while signing: %w", err)
 		}
 	} else {
-		nc, err = t.SignPkcs11(caCert, curve, p11Client)
+		nc, err = t.SignWith(caCert, curve, p11Client.SignASN1)
 		if err != nil {
 			return fmt.Errorf("error while signing with PKCS#11: %w", err)
 		}
@@ -346,7 +346,7 @@ func signCert(args []string, out io.Writer, errOut io.Writer, pr PasswordReader)
 			return fmt.Errorf("error while signing: %w", err)
 		}
 	} else {
-		nc, err = t.SignPkcs11(caCert, curve, p11Client)
+		nc, err = t.SignWith(caCert, curve, p11Client.SignASN1)
 		if err != nil {
 			return fmt.Errorf("error while signing with PKCS#11: %w", err)
 		}