Add ECDSA support, via updated OpenSC pkcs11 engine.

This works on Debian Jessie (8.8) with the jessie-backports version of
libengine-pkcs11-openssl:

    cryptech-alpha              3.0.1496536286
    libengine-pkcs11-openssl    0.4.3-1~bpo8+1
    opensc                      0.14.0-2
    openssl                     1.0.1t-1+deb8u6

Version dependencies between OpenSSL and OpenSC are an even worse
swamp than usual at the moment, due to API changes in OpenSSL 1.1, so
it's anybody's guess whether this works on any other platform.  YMMV.

1 files changed, 13 insertions, 7 deletions

diff --git a/create-keys.sh b/create-keys.sh
index 5cfda45..e3630d9 100755
--- a/create-keys.sh
+++ b/create-keys.sh
@@ -1,11 +1,17 @@
 #!/bin/sh -
 
-. ./environment.sh
+# pkcs11-tool's naming scheme for key types is buried in code.
+# The useful choices in our case appear to be:
+#
+#  rsa:1024
+#  rsa:2048
+#  EC:prime256v1
+#  EC:prime384v1
+
+: ${key_type='EC:prime256v1'}
 
-# Not really sure which silly name to use for the EC curve, doc is not great.  prime256v1?  ansiX9p256r1?  secp256r1?
-# If I had to guess, ansiX9p256r1, so try that:   --key-type EC:ansiX9p256r1
-# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later.
+. ./environment.sh
 
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader  --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris   --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader  --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris   --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type"