From ef430522256013665205cdda05636846cc622251 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 12 Jul 2016 03:10:33 +0200
Subject: nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
---
certs/hpkp-hdr.j2 | 16 ++++++++++++++++
certs/public-backup/fripost.org.pub | 14 --------------
certs/public-backup/git.fripost.org.pub | 14 --------------
certs/public-backup/lists.fripost.org.pub | 14 --------------
certs/public-backup/mail.fripost.org.pub | 14 --------------
certs/public/fripost.org.pub.back | 14 ++++++++++++++
certs/public/git.fripost.org.pub.back | 14 ++++++++++++++
certs/public/lists.fripost.org.pub.back | 14 ++++++++++++++
certs/public/mail.fripost.org.pub.back | 14 ++++++++++++++
9 files changed, 72 insertions(+), 56 deletions(-)
create mode 100644 certs/hpkp-hdr.j2
delete mode 100644 certs/public-backup/fripost.org.pub
delete mode 100644 certs/public-backup/git.fripost.org.pub
delete mode 100644 certs/public-backup/lists.fripost.org.pub
delete mode 100644 certs/public-backup/mail.fripost.org.pub
create mode 100644 certs/public/fripost.org.pub.back
create mode 100644 certs/public/git.fripost.org.pub.back
create mode 100644 certs/public/lists.fripost.org.pub.back
create mode 100644 certs/public/mail.fripost.org.pub.back
(limited to 'certs')
diff --git a/certs/hpkp-hdr.j2 b/certs/hpkp-hdr.j2
new file mode 100644
index 0000000..0226b5c
--- /dev/null
+++ b/certs/hpkp-hdr.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% set tmpl = template_path | basename %}
+{% set pubkey = "certs/public/" + tmpl.rstrip("hpkp-hdr.j2") + ".pub" %}
+
+{%- set pins = [] %}
+{% for pk in [pubkey] + lookup('pipe', 'ls -1 '+pubkey+'.back*').splitlines() -%}
+ {%- set sha256 = lookup('pipe', 'openssl pkey -pubin -outform DER <'+pk+' | openssl dgst -sha256 -binary | base64') -%}
+ {%- set _ = pins.append('pin-sha256="' + sha256 + '"') -%}
+{%- endfor %}
+
+{%- if pins | length > 0 %}
+{% set directives = pins + ['max-age=3600'] %}
+add_header Public-Key-Pins '{{ directives | join('; ') }}';
+{% endif %}
diff --git a/certs/public-backup/fripost.org.pub b/certs/public-backup/fripost.org.pub
deleted file mode 100644
index bee948f..0000000
--- a/certs/public-backup/fripost.org.pub
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs06ycSgCZ35MHeoeV/Ck
-gV5mYfZUOebnGse+vk0ATn7a+qnSgYkhAgRVg+jnN/I/oF9tNcwCex3rawzx51vw
-Etzb9gZoEXTrULCW1IJNWki5JZdilCjSmWyiw9KVEu956EAKVGagSj3lhH6q8MDQ
-tnyc0R49TC/LIIOypMQrow/HLw5Jz4FsCb7O4qaUu78RKzZkFMRB/8lEkmXxqNcX
-aXcPhugNbuC109X1oWKVD2Kj8MEoorErUSEGnbvN0eDC8p1edqKV8W7PyWM11WIH
-6WeBQOI9D6H39R/wTKrxuGFDNmVJfvMRzU5i8Pgw6J6lOW7ORv9UdQ2LvalKXUTD
-n7nOvGhdD1xpEOpkInbjZXVxVBKmcen7/jtB/aVN15RiAsmQGHHaDMJtJgf/t1bv
-wnSIn1cMJ9A1cI80zjE2VvnQk0rq+Vq2dURyaSfulRuxfLnV1uiyN28BHUFfTCUl
-BTroch484M2G5K6/BExLoaAVmQIApQXqBtE/N/mXmowV+/5V6yxoqmNCP7cG139D
-di+KzmFHZYlUWYd7RWgbsSbNkAYBAMqj4P1UtsOpfHFfq8kyGB7Smu7HhkjVlRwQ
-FHr1oGoBx2k9wuEa3HNdqwMhSWFxqqPFNwGq3ECpTJlm1Meq3qbYoDV56ZXPIVXz
-NElDYDwIvPwbTHjL6bsbBlMCAwEAAQ==
------END PUBLIC KEY-----
diff --git a/certs/public-backup/git.fripost.org.pub b/certs/public-backup/git.fripost.org.pub
deleted file mode 100644
index 1620e78..0000000
--- a/certs/public-backup/git.fripost.org.pub
+++ /dev/null
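Review bot: The `{%- if pins | length > 0 %}` guard emits a Public-Key-Pins header carrying only the current key's pin whenever no `.pub.back*` file exists, and RFC 7469 requires user agents to ignore a header that has no backup pin, so on such a host nothing is pinned and nothing reports it; `{%- if pins | length > 1 %}` states the real precondition. The `ls -1 ...` pipe lookup on the `for` line spawns a shell with the pubkey path interpolated into the command and aborts the whole template (non-zero `ls` exit) on that same no-backup host; `{% for pk in [pubkey] + lookup('fileglob', pubkey + '.back*', wantlist=True) -%}` yields an empty list instead and needs no shell, though its relative-path resolution differs from the pipe's working directory, so confirm the match on one host. `tmpl.rstrip("hpkp-hdr.j2")` strips a character set rather than a suffix — rendered under the bare name `hpkp-hdr.j2` it leaves an empty string, and a hostname ending in characters from that set (`.dk`, say) would be truncated — so it only works because the current hostnames end in `g`; assuming the basename ends in `.hpkp-hdr.j2`, `{% set pubkey = "certs/public/" + tmpl[:-('.hpkp-hdr.j2' | length)] + ".pub" %}` removes exactly that suffix.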
@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0GPDkJ0LfiO2sVyJdA13
-OuYfXzRvP/G8rC5mC3V+0yU525J3ZYNhvY5fC41wFOQc0WRRk72hE2LbgHeSvch3
-jZjyb5n29k1eichbVwUD2G6D0hYSjcn685u0CAOoRJJcRnGhf/8bcUPedmx8zsZ2
-BYtnbY2M8vF+cBiSidSQBASzTNuBrMizF6RhXcR+aQ4N2SbJl9JPCywUFnfVtgP4
-vePqKLlKCHk5tWrLU6bppgzVYBEZUfgWEztGKFiQtrY6AeITxIZzD5XOssw2Jtrk
-5b9E7qp3sSTb7xFusmgvD38/h73/mB7xJNFrpPvtNO6oQtGTkKciKG5qyUAXIpQ9
-yWh4PDntcmRj5WpDwhLZYOHJQl7rQs49up7O0oQsLI1KFmh1XGN+qo32akVJbP48
-HfDbxXcmMNbeoG16qjPZEdFY6IvZRO1sQ6CKILq3afz9NEljPLrp8yKPBmro85fa
-VDs5C+UgbSmzIOVELf1oorKyJR9UM0HtJW0ZN7Az0/DtluFWBWHwW4R5Gp9rI65L
-xob1jxfJmp5Nu2ufFRXazW6deSPOD35jKQy40XLAjscvVR5Ia16exWl1HBypJtDh
-+6chLoY//fie73Cmk7u2X+qq9zw8ikY4gRKie3x7zm2qk7ChbO6VejN3KTlkbCui
-U/riMb2cxaGQeFuIrL9eUuECAwEAAQ==
------END PUBLIC KEY-----
diff --git a/certs/public-backup/lists.fripost.org.pub b/certs/public-backup/lists.fripost.org.pub
deleted file mode 100644
index b86e615..0000000
--- a/certs/public-backup/lists.fripost.org.pub
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+b1xBNsRiiL9QdoLOjjL
-JC+4me/Hxa4FSk5tITC4J26Mo6ghf+cnQ0zF0l+Ac8ww2aFIjo+XaNXMaF0f3wUI
-D+AYSuihfsseKnoJqyaLxxmZIcgt1OrTj6hYYmtPq4VYENdGDlwTxREbalg6qCKd
-QoWcprgBVuzEOzBxkcdsD96RKOXs25uLTqsyvIuhSvR94aCkrPlJTNhYmvkvul/6
-N2ss0K3m1dy5bIHhVHSCKB85nQI8dr0mNUKwtAOEz38MIUYZjl0kLnvbgTLzr7uF
-1C/Sa/KZ1uUSU3qNJFFzEt0SZhOqgLN9B4TUBip0CrlV4d+NWD8CYA5RnbGUCrqf
-nH3wnuiuwrxjE74v2O6mQZLKuj00RuHWqLckraoSVAmDNd5MpBBH1PUtrif6+3xM
-Ww5FQ6TtBvhmbCqHe1lkfD3Txuju2gIWpTU8V6OYmYItoQnNNFRNeR8nOMsfp47o
-lNQgU70jpTcXzAXNNK/rgfzg/Qo4DBwb10buUixpfoW71jQLo+T/OUCxioVM5JUf
-a8wo7YuaLZKkF/DVKAaAQ9gwTUWOy9sfmatmiK/VfO3H6WYdbxcmW8A192qc9e2A
-G0QN2VdAiEVmcjFAZIraW7FSSwYwPueDmFXq5YJW+wsqdRJd/qaAR/FuyrdFqT0X
-BU7dKsvPbqWqV4Z+slEJ+c0CAwEAAQ==
------END PUBLIC KEY-----
diff --git a/certs/public-backup/mail.fripost.org.pub b/certs/public-backup/mail.fripost.org.pub
deleted file mode 100644
index 61ee180..0000000
--- a/certs/public-backup/mail.fripost.org.pub
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu6SUrGStZtiWiWw25pTK
-hC5PPwHnTouTbgPUSsRvjfhLvk4KcM6WI5QzHSdS/1bV5psWdsC1ceA7gSXir5K6
-maZkX+vYLqumHWd6iclsPA7XOkBf1XwXdUeLPbHMocVIeZrG6NtcRggkNwuTybqh
-LQA9r7WoLRHewxc8CMCyRHQ68XiYAFXUPuKqbhd+vWmncksFAULG82U6AYso6KrF
-8DxgvjmxQ6XQlH1vk37kLRe93FcPQFOcsEJ3OkDL124My7OWO+LlO3cWLwvHfhJf
-gRM8+SkjBvFjFZDU5Da27UCG5uIwLBTEGHG397ayMTX8bJrK56WL7HFgg00ovMTL
-T9fpgIqgxlbq2XTLG1nU/RMxvZUC20p7FKZQzpL6wLZk3zR5IYcoxIhlQemutUHQ
-hNbnXbwQUc8PAkERTDhCJZOxCbkZQdlytdl1/EV/odbbC7npI3NgLAq8z6K4MSf8
-fQaYQHoT2Nkm32nSfgw66jyLVHl2jdqufEjxQ7uAT5MOShXX/TFj+fJ4k1AJNUcF
-GY4wNYqT51O4NmTWB/m9ILGcH2JOjrf+Hg+hO24+afi0USrut4EkZTGAeKaitfmn
-sWeSmvBYpAkUgx/AxRZofSE/+UzMSuZ9jApnA1ZoQ5jJxZJYwK5w0yLwz3Y6NZWO
-zQOLM2zHti+3zNknF/kng78CAwEAAQ==
------END PUBLIC KEY-----
diff --git a/certs/public/fripost.org.pub.back b/certs/public/fripost.org.pub.back
new file mode 100644
index 0000000..bee948f
--- /dev/null
+++ b/certs/public/fripost.org.pub.back
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs06ycSgCZ35MHeoeV/Ck
+gV5mYfZUOebnGse+vk0ATn7a+qnSgYkhAgRVg+jnN/I/oF9tNcwCex3rawzx51vw
+Etzb9gZoEXTrULCW1IJNWki5JZdilCjSmWyiw9KVEu956EAKVGagSj3lhH6q8MDQ
+tnyc0R49TC/LIIOypMQrow/HLw5Jz4FsCb7O4qaUu78RKzZkFMRB/8lEkmXxqNcX
+aXcPhugNbuC109X1oWKVD2Kj8MEoorErUSEGnbvN0eDC8p1edqKV8W7PyWM11WIH
+6WeBQOI9D6H39R/wTKrxuGFDNmVJfvMRzU5i8Pgw6J6lOW7ORv9UdQ2LvalKXUTD
+n7nOvGhdD1xpEOpkInbjZXVxVBKmcen7/jtB/aVN15RiAsmQGHHaDMJtJgf/t1bv
+wnSIn1cMJ9A1cI80zjE2VvnQk0rq+Vq2dURyaSfulRuxfLnV1uiyN28BHUFfTCUl
+BTroch484M2G5K6/BExLoaAVmQIApQXqBtE/N/mXmowV+/5V6yxoqmNCP7cG139D
+di+KzmFHZYlUWYd7RWgbsSbNkAYBAMqj4P1UtsOpfHFfq8kyGB7Smu7HhkjVlRwQ
+FHr1oGoBx2k9wuEa3HNdqwMhSWFxqqPFNwGq3ECpTJlm1Meq3qbYoDV56ZXPIVXz
+NElDYDwIvPwbTHjL6bsbBlMCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/public/git.fripost.org.pub.back b/certs/public/git.fripost.org.pub.back
new file mode 100644
index 0000000..1620e78
--- /dev/null
+++ b/certs/public/git.fripost.org.pub.back
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0GPDkJ0LfiO2sVyJdA13
+OuYfXzRvP/G8rC5mC3V+0yU525J3ZYNhvY5fC41wFOQc0WRRk72hE2LbgHeSvch3
+jZjyb5n29k1eichbVwUD2G6D0hYSjcn685u0CAOoRJJcRnGhf/8bcUPedmx8zsZ2
+BYtnbY2M8vF+cBiSidSQBASzTNuBrMizF6RhXcR+aQ4N2SbJl9JPCywUFnfVtgP4
+vePqKLlKCHk5tWrLU6bppgzVYBEZUfgWEztGKFiQtrY6AeITxIZzD5XOssw2Jtrk
+5b9E7qp3sSTb7xFusmgvD38/h73/mB7xJNFrpPvtNO6oQtGTkKciKG5qyUAXIpQ9
+yWh4PDntcmRj5WpDwhLZYOHJQl7rQs49up7O0oQsLI1KFmh1XGN+qo32akVJbP48
+HfDbxXcmMNbeoG16qjPZEdFY6IvZRO1sQ6CKILq3afz9NEljPLrp8yKPBmro85fa
+VDs5C+UgbSmzIOVELf1oorKyJR9UM0HtJW0ZN7Az0/DtluFWBWHwW4R5Gp9rI65L
+xob1jxfJmp5Nu2ufFRXazW6deSPOD35jKQy40XLAjscvVR5Ia16exWl1HBypJtDh
++6chLoY//fie73Cmk7u2X+qq9zw8ikY4gRKie3x7zm2qk7ChbO6VejN3KTlkbCui
+U/riMb2cxaGQeFuIrL9eUuECAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/public/lists.fripost.org.pub.back b/certs/public/lists.fripost.org.pub.back
new file mode 100644
index 0000000..b86e615
--- /dev/null
+++ b/certs/public/lists.fripost.org.pub.back
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+b1xBNsRiiL9QdoLOjjL
+JC+4me/Hxa4FSk5tITC4J26Mo6ghf+cnQ0zF0l+Ac8ww2aFIjo+XaNXMaF0f3wUI
+D+AYSuihfsseKnoJqyaLxxmZIcgt1OrTj6hYYmtPq4VYENdGDlwTxREbalg6qCKd
+QoWcprgBVuzEOzBxkcdsD96RKOXs25uLTqsyvIuhSvR94aCkrPlJTNhYmvkvul/6
+N2ss0K3m1dy5bIHhVHSCKB85nQI8dr0mNUKwtAOEz38MIUYZjl0kLnvbgTLzr7uF
+1C/Sa/KZ1uUSU3qNJFFzEt0SZhOqgLN9B4TUBip0CrlV4d+NWD8CYA5RnbGUCrqf
+nH3wnuiuwrxjE74v2O6mQZLKuj00RuHWqLckraoSVAmDNd5MpBBH1PUtrif6+3xM
+Ww5FQ6TtBvhmbCqHe1lkfD3Txuju2gIWpTU8V6OYmYItoQnNNFRNeR8nOMsfp47o
+lNQgU70jpTcXzAXNNK/rgfzg/Qo4DBwb10buUixpfoW71jQLo+T/OUCxioVM5JUf
+a8wo7YuaLZKkF/DVKAaAQ9gwTUWOy9sfmatmiK/VfO3H6WYdbxcmW8A192qc9e2A
+G0QN2VdAiEVmcjFAZIraW7FSSwYwPueDmFXq5YJW+wsqdRJd/qaAR/FuyrdFqT0X
+BU7dKsvPbqWqV4Z+slEJ+c0CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/public/mail.fripost.org.pub.back b/certs/public/mail.fripost.org.pub.back
new file mode 100644
index 0000000..61ee180
--- /dev/null
+++ b/certs/public/mail.fripost.org.pub.back
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu6SUrGStZtiWiWw25pTK
+hC5PPwHnTouTbgPUSsRvjfhLvk4KcM6WI5QzHSdS/1bV5psWdsC1ceA7gSXir5K6
+maZkX+vYLqumHWd6iclsPA7XOkBf1XwXdUeLPbHMocVIeZrG6NtcRggkNwuTybqh
+LQA9r7WoLRHewxc8CMCyRHQ68XiYAFXUPuKqbhd+vWmncksFAULG82U6AYso6KrF
+8DxgvjmxQ6XQlH1vk37kLRe93FcPQFOcsEJ3OkDL124My7OWO+LlO3cWLwvHfhJf
+gRM8+SkjBvFjFZDU5Da27UCG5uIwLBTEGHG397ayMTX8bJrK56WL7HFgg00ovMTL
+T9fpgIqgxlbq2XTLG1nU/RMxvZUC20p7FKZQzpL6wLZk3zR5IYcoxIhlQemutUHQ
+hNbnXbwQUc8PAkERTDhCJZOxCbkZQdlytdl1/EV/odbbC7npI3NgLAq8z6K4MSf8
+fQaYQHoT2Nkm32nSfgw66jyLVHl2jdqufEjxQ7uAT5MOShXX/TFj+fJ4k1AJNUcF
+GY4wNYqT51O4NmTWB/m9ILGcH2JOjrf+Hg+hO24+afi0USrut4EkZTGAeKaitfmn
+sWeSmvBYpAkUgx/AxRZofSE/+UzMSuZ9jApnA1ZoQ5jJxZJYwK5w0yLwz3Y6NZWO
+zQOLM2zHti+3zNknF/kng78CAwEAAQ==
+-----END PUBLIC KEY-----
--
cgit v1.2.3