Use a public key for the main webserver's TLSA record.
author    Mark Wooding <mdw@distorted.org.uk>
          Wed, 27 Jan 2016 14:04:30 +0000 (14:04 +0000)
committer Mark Wooding <mdw@distorted.org.uk>
          Wed, 27 Jan 2016 14:04:30 +0000 (14:04 +0000)
We're changing CA to LetsEncrypt, so the old certificate won't work any
more.  The LetsEncrypt certificate will change quite frequently, but the
public key is unchanged, so pin that in the TLSA record.
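
The commit message describes the technique only in one line: hash the server's SubjectPublicKeyInfo (SPKI) into the TLSA record rather than the certificate, so that CA-driven certificate renewals do not break DANE clients as long as the key is kept. The following is an added example for this page, not code from the distorted.org.uk repository or from the author's Lisp zone tooling. It takes the PEM committed as keys/https-stratocaster.pub (copied verbatim from the diff on this page), walks the DER far enough to recover the RSA modulus and exponent so the key can be matched against an `openssl x509 -text` dump, and derives the TLSA rdata for usage 1 (service certificate constraint, PKIX-EE), selector 1 (SPKI), matching type 1 (SHA-256), the combination this commit switches to. The owner name, port, protocol and TTL in the usage call are assumptions for the example; RFC 6698 defines the record.

```python
"""Derive a DANE TLSA record from a PEM SubjectPublicKeyInfo (SPKI).

Added example for this commit page, not code from the distorted.org.uk
repository.  Standard library only: a minimal DER walker exposes the RSA
modulus so the pinned key can be compared with a certificate dump.
"""
import base64
import hashlib
import re

# Verbatim copy of keys/https-stratocaster.pub from the diff on this page.
HTTPS_STRATOCASTER_PUB = """\
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqaTGLIMcNUb7V7
nsyc4Nj9TrZsl9AoxB4JBwfihUKt1UktlAZVnpkMyPcLanKtXSxmzN+E6ohGQ6k5
QtfUCT8bJjnGaXGu8gKY23kTtNMmYIvF6/vHUYQ6ZAvjAukTjvqmt8tmSVWe48ua
pO0MOkvB4N7oAymIjbZDvcXmoMYEeB1vZUiPfRPpPq6yA99DVxn5j4UV3E94O2Vb
kEYoXzJMW4wpaXO6/AAlXCt6LSbRrXsoByHbJ+qzgXslpeTM7NaFiGPDKX4Q5jzL
Kh13csC7NLjJYj6/2PXm2NVz31sekPSqUdB/8xYDQzHVSx6RHpIP6dyVNpoOgGDT
mMdi+692h+ebD34dvtwiGkb/t1s5AXnNOu8lFjyGauEe9OjLC//NTGbcNlB3nRo1
d1qFibDq+0MPfxl/2N1qzaPDhRI+4zlbiez8eN85Lq6UfhqsYgzcWvwJtp+CTSyt
8ytoRCLaQsqF1pxG5TfMfWXFYuPY5VgoARgbJ0DW1d3lAgMBAAE=
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str, label: str) -> bytes:
    """Strip the PEM armour for `label` and base64-decode the body."""
    pat = re.compile(r"-----BEGIN %s-----(.*?)-----END %s-----"
                     % (re.escape(label), re.escape(label)), re.S)
    m = pat.search(pem)
    if m is None:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def rsa_public_numbers(spki_der: bytes):
    """Return (modulus, exponent) from an rsaEncryption SubjectPublicKeyInfo."""
    tag, spki, _ = der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, alg, pos = der_tlv(spki)            # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(spki, pos)      # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = der_tlv(bits[1:])      # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = der_tlv(rsa_pub)
    _, e, _ = der_tlv(rsa_pub, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def tlsa_rdata(subject_der: bytes, usage: int = 1, selector: int = 1, mtype: int = 1) -> str:
    """TLSA presentation-format rdata.  subject_der is the DER SPKI for selector 1
    or the DER certificate for selector 0.  Defaults are the 1 1 1 shape this
    commit adopts: PKIX-EE usage, SPKI selector, SHA-256 matching type."""
    if mtype != 1:
        raise ValueError("only SHA-256 (matching type 1) is implemented here")
    return "%d %d %d %s" % (usage, selector, mtype, hashlib.sha256(subject_der).hexdigest())


def tlsa_record(owner: str, port: int, proto: str, spki_pem: str, ttl: int = 3600) -> str:
    """Zone-file line pinning the SPKI for the service at owner:port."""
    return "_%d._%s.%s. %d IN TLSA %s" % (
        port, proto, owner, ttl, tlsa_rdata(pem_to_der(spki_pem, "PUBLIC KEY")))


def certificate_carries_spki(cert_pem: str, spki_pem: str) -> bool:
    """True if the DER SPKI appears verbatim inside the DER certificate: the check
    to run on each renewed certificate before it goes live behind a selector-1 pin."""
    return pem_to_der(spki_pem, "PUBLIC KEY") in pem_to_der(cert_pem, "CERTIFICATE")


if __name__ == "__main__":
    n, e = rsa_public_numbers(pem_to_der(HTTPS_STRATOCASTER_PUB, "PUBLIC KEY"))
    print("RSA %d-bit, e=%d, modulus starts %s"
          % (n.bit_length(), e, n.to_bytes(384, "big")[:4].hex()))
    # Owner, port, protocol and TTL are assumptions for this example.
    print(tlsa_record("www.distorted.org.uk", 443, "tcp", HTTPS_STRATOCASTER_PUB))
```

The modulus the walker recovers starts `9f62f34c` and ends `d6d5dde5`, which is how one confirms against the deleted certificate's dump above that this PEM really is the same key. The same SPKI digest is what `openssl pkey -pubin -in keys/https-stratocaster.pub -outform DER | openssl dgst -sha256` prints, and `certificate_carries_spki` is the check to run on every renewed certificate (for example one saved from `openssl s_client`) before it is deployed, since a usage-1 mismatch is a hard failure for DANE clients.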

certs/http-server-www#1.cert [deleted file]
distorted.lisp
keys/https-stratocaster.pub [new file with mode: 0644]

diff --git a/certs/http-server-www#1.cert b/certs/http-server-www#1.cert
deleted file mode 100644 (file)
index 29a6326..0000000
+++ /dev/null
@@ -1,130 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1387014 (0x152a06)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
-        Validity
-            Not Before: Dec 20 04:07:45 2014 GMT
-            Not After : Dec 21 00:30:39 2015 GMT
-        Subject: C=GB, CN=www.distorted.org.uk/emailAddress=webmaster@distorted.org.uk
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (3072 bit)
-                Modulus:
-                    00:9f:62:f3:4c:fa:9a:4c:62:c8:31:c3:54:6f:b5:
-                    7b:9e:cc:9c:e0:d8:fd:4e:b6:6c:97:d0:28:c4:1e:
-                    09:07:07:e2:85:42:ad:d5:49:2d:94:06:55:9e:99:
-                    0c:c8:f7:0b:6a:72:ad:5d:2c:66:cc:df:84:ea:88:
-                    46:43:a9:39:42:d7:d4:09:3f:1b:26:39:c6:69:71:
-                    ae:f2:02:98:db:79:13:b4:d3:26:60:8b:c5:eb:fb:
-                    c7:51:84:3a:64:0b:e3:02:e9:13:8e:fa:a6:b7:cb:
-                    66:49:55:9e:e3:cb:9a:a4:ed:0c:3a:4b:c1:e0:de:
-                    e8:03:29:88:8d:b6:43:bd:c5:e6:a0:c6:04:78:1d:
-                    6f:65:48:8f:7d:13:e9:3e:ae:b2:03:df:43:57:19:
-                    f9:8f:85:15:dc:4f:78:3b:65:5b:90:46:28:5f:32:
-                    4c:5b:8c:29:69:73:ba:fc:00:25:5c:2b:7a:2d:26:
-                    d1:ad:7b:28:07:21:db:27:ea:b3:81:7b:25:a5:e4:
-                    cc:ec:d6:85:88:63:c3:29:7e:10:e6:3c:cb:2a:1d:
-                    77:72:c0:bb:34:b8:c9:62:3e:bf:d8:f5:e6:d8:d5:
-                    73:df:5b:1e:90:f4:aa:51:d0:7f:f3:16:03:43:31:
-                    d5:4b:1e:91:1e:92:0f:e9:dc:95:36:9a:0e:80:60:
-                    d3:98:c7:62:fb:af:76:87:e7:9b:0f:7e:1d:be:dc:
-                    22:1a:46:ff:b7:5b:39:01:79:cd:3a:ef:25:16:3c:
-                    86:6a:e1:1e:f4:e8:cb:0b:ff:cd:4c:66:dc:36:50:
-                    77:9d:1a:35:77:5a:85:89:b0:ea:fb:43:0f:7f:19:
-                    7f:d8:dd:6a:cd:a3:c3:85:12:3e:e3:39:5b:89:ec:
-                    fc:78:df:39:2e:ae:94:7e:1a:ac:62:0c:dc:5a:fc:
-                    09:b6:9f:82:4d:2c:ad:f3:2b:68:44:22:da:42:ca:
-                    85:d6:9c:46:e5:37:cc:7d:65:c5:62:e3:d8:e5:58:
-                    28:01:18:1b:27:40:d6:d5:dd:e5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Key Encipherment, Key Agreement
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication
-            X509v3 Subject Key Identifier: 
-                A9:DF:AD:DC:D2:3B:DD:6A:E6:AF:CC:B1:28:60:3A:5F:5E:29:D0:85
-            X509v3 Authority Key Identifier: 
-                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
-
-            X509v3 Subject Alternative Name: 
-                DNS:www.distorted.org.uk, DNS:distorted.org.uk
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-                Policy: 1.3.6.1.4.1.23223.1.2.3
-                  CPS: http://www.startssl.com/policy.pdf
-                  User Notice:
-                    Organization: StartCom Certification Authority
-                    Number: 1
-                    Explicit Text: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.startssl.com/crt1-crl.crl
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
-                CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
-
-            X509v3 Issuer Alternative Name: 
-                URI:http://www.startssl.com/
-    Signature Algorithm: sha256WithRSAEncryption
-         a7:cc:45:92:89:84:06:e0:39:20:4e:37:58:f2:02:e3:6c:c9:
-         43:c6:d9:06:68:ea:fe:40:e3:d8:b3:a2:3c:63:8a:03:86:76:
-         83:83:38:2b:ea:9d:14:f9:2a:89:8d:0c:31:d4:83:f5:ac:5c:
-         fc:fc:2b:ac:f7:a8:7c:2f:b9:1b:2d:7d:8d:dd:ea:45:89:d5:
-         3a:24:f1:9b:1e:9c:ef:25:4c:6c:77:37:4f:48:d3:79:1c:fe:
-         ef:a5:29:8c:3e:f1:42:be:83:50:6a:73:c2:46:4e:5c:a7:5a:
-         fc:0f:73:1e:c8:fd:e6:a9:45:5a:61:d4:5b:35:06:6a:60:b3:
-         79:77:e3:8a:bd:12:d7:47:cd:cc:7d:2f:f2:cc:9c:c5:fe:97:
-         98:72:6f:1a:c1:9e:5e:57:99:a6:93:b0:9a:bd:4c:f6:14:e3:
-         c7:16:9a:28:2b:b2:36:5e:b7:1c:8e:d3:bf:97:ed:07:11:1d:
-         6d:d4:51:e4:90:e1:18:b2:7a:15:d5:ec:bf:1b:b5:3c:8d:a5:
-         69:28:da:cb:47:a9:68:be:eb:0e:3b:58:49:c1:9d:5c:8d:c6:
-         c6:e1:2a:28:c1:f0:66:e9:c4:e9:7f:50:3e:f3:d8:ad:47:39:
-         cf:f9:65:ee:d8:e4:61:b2:48:db:c0:92:1b:bb:1d:55:6d:c4:
-         5d:52:7c:0c
------BEGIN CERTIFICATE-----
-MIIGzjCCBbagAwIBAgIDFSoGMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
-TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
-YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
-MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQxMjIwMDQwNzQ1
-WhcNMTUxMjIxMDAzMDM5WjBXMQswCQYDVQQGEwJHQjEdMBsGA1UEAxMUd3d3LmRp
-c3RvcnRlZC5vcmcudWsxKTAnBgkqhkiG9w0BCQEWGndlYm1hc3RlckBkaXN0b3J0
-ZWQub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqa
-TGLIMcNUb7V7nsyc4Nj9TrZsl9AoxB4JBwfihUKt1UktlAZVnpkMyPcLanKtXSxm
-zN+E6ohGQ6k5QtfUCT8bJjnGaXGu8gKY23kTtNMmYIvF6/vHUYQ6ZAvjAukTjvqm
-t8tmSVWe48uapO0MOkvB4N7oAymIjbZDvcXmoMYEeB1vZUiPfRPpPq6yA99DVxn5
-j4UV3E94O2VbkEYoXzJMW4wpaXO6/AAlXCt6LSbRrXsoByHbJ+qzgXslpeTM7NaF
-iGPDKX4Q5jzLKh13csC7NLjJYj6/2PXm2NVz31sekPSqUdB/8xYDQzHVSx6RHpIP
-6dyVNpoOgGDTmMdi+692h+ebD34dvtwiGkb/t1s5AXnNOu8lFjyGauEe9OjLC//N
-TGbcNlB3nRo1d1qFibDq+0MPfxl/2N1qzaPDhRI+4zlbiez8eN85Lq6UfhqsYgzc
-WvwJtp+CTSyt8ytoRCLaQsqF1pxG5TfMfWXFYuPY5VgoARgbJ0DW1d3lAgMBAAGj
-ggLrMIIC5zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDATBgNVHSUEDDAKBggrBgEF
-BQcDATAdBgNVHQ4EFgQUqd+t3NI73Wrmr8yxKGA6X14p0IUwHwYDVR0jBBgwFoAU
-60I00Jiwq5/0G2sI98xkLu8OLEUwMQYDVR0RBCowKIIUd3d3LmRpc3RvcnRlZC5v
-cmcudWuCEGRpc3RvcnRlZC5vcmcudWswggFWBgNVHSAEggFNMIIBSTAIBgZngQwB
-AgEwggE7BgsrBgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cu
-c3RhcnRzc2wuY29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0
-Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmlj
-YXRlIHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRp
-b24gcmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlh
-bmNlIG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ug
-b2YgdGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAo
-oCaGJGh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYB
-BQUHAQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29t
-L3N1Yi9jbGFzczEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0
-YXJ0c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0S
-BBwwGoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBCwUAA4IB
-AQCnzEWSiYQG4DkgTjdY8gLjbMlDxtkGaOr+QOPYs6I8Y4oDhnaDgzgr6p0U+SqJ
-jQwx1IP1rFz8/Cus96h8L7kbLX2N3epFidU6JPGbHpzvJUxsdzdPSNN5HP7vpSmM
-PvFCvoNQanPCRk5cp1r8D3MeyP3mqUVaYdRbNQZqYLN5d+OKvRLXR83MfS/yzJzF
-/peYcm8awZ5eV5mmk7CavUz2FOPHFpooK7I2XrccjtO/l+0HER1t1FHkkOEYsnoV
-1ey/G7U8jaVpKNrLR6lovusOO1hJwZ1cjcbG4SoowfBm6cTpf1A+89itRznP+WXu
-2ORhskjbwJIbux1VbcRdUnwM
------END CERTIFICATE-----
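Review bot: the certificate removed here had already expired (`Not After : Dec 21 00:30:39 2015 GMT`, five weeks before this commit), which the commit message does not say; because `:service-certificate-constraint` (TLSA usage 1) still requires the chain to pass PKIX validation, the record this file backed was failing on expiry alone, independent of the CA change. Worth stating, since this file was also the only place the key's provenance was recorded (subject `www.distorted.org.uk`, SANs `www.distorted.org.uk` and `distorted.org.uk`, 3072-bit RSA with modulus beginning `9f:62:f3:4c` and exponent 65537), and that is exactly the key the rest of the commit pins.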
index 0277696..da00125 100644 (file)
   ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster")
                  (jump :svc stratocaster.jump :sshfp "stratocaster"))
   ((www @) :tlsa (:https (:service-certificate-constraint
-                         :certificate :sha-256 #p"http-server-www#1")))
+                         :public-key :sha-256 #p"https-stratocaster")))
   ((git mail) :tlsa (:https #1=(:trust-anchor-assertion
                                :certificate :sha-256 #p"distorted-ca")))
   (www-cache :tlsa (3127 #1#))
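Review bot: the premise that the Let's Encrypt certificate will change but the public key will not only holds if the ACME client is configured to reuse the existing key on every renewal; nothing in this hunk or the commit records that requirement, and a client that generates a fresh key at renewal would silently break the `:public-key :sha-256 #p"https-stratocaster"` pin for every DANE-validating client, because usage 1 fails the TLS connection on a mismatch. Suggest a comment beside the record naming the key file the renewal must keep, and, for a deliberate key rotation, publishing the new SPKI digest as a second `(:service-certificate-constraint ...)` entry (if the `:tlsa` form accepts more than one) for at least the record TTL before the server switches keys.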
diff --git a/keys/https-stratocaster.pub b/keys/https-stratocaster.pub
new file mode 100644 (file)
index 0000000..4bf1c97
--- /dev/null
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqaTGLIMcNUb7V7
+nsyc4Nj9TrZsl9AoxB4JBwfihUKt1UktlAZVnpkMyPcLanKtXSxmzN+E6ohGQ6k5
+QtfUCT8bJjnGaXGu8gKY23kTtNMmYIvF6/vHUYQ6ZAvjAukTjvqmt8tmSVWe48ua
+pO0MOkvB4N7oAymIjbZDvcXmoMYEeB1vZUiPfRPpPq6yA99DVxn5j4UV3E94O2Vb
+kEYoXzJMW4wpaXO6/AAlXCt6LSbRrXsoByHbJ+qzgXslpeTM7NaFiGPDKX4Q5jzL
+Kh13csC7NLjJYj6/2PXm2NVz31sekPSqUdB/8xYDQzHVSx6RHpIP6dyVNpoOgGDT
+mMdi+692h+ebD34dvtwiGkb/t1s5AXnNOu8lFjyGauEe9OjLC//NTGbcNlB3nRo1
+d1qFibDq+0MPfxl/2N1qzaPDhRI+4zlbiez8eN85Lq6UfhqsYgzcWvwJtp+CTSyt
+8ytoRCLaQsqF1pxG5TfMfWXFYuPY5VgoARgbJ0DW1d3lAgMBAAE=
+-----END PUBLIC KEY-----
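Review bot: the new file is a bare PEM with nothing identifying the key, whereas the `.cert` it replaces carried subject, SANs and validity. Its SPKI is the one from the deleted certificate (the body beginning `MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqa` appears verbatim inside the deleted certificate's base64, and the trailing `AgMBAAE=` is the 65537 exponent), so it is the existing 3072-bit RSA key. Suggest a line of text above `-----BEGIN PUBLIC KEY-----` (OpenSSL's PEM reader ignores text outside the armour) giving the host, the service and the SPKI SHA-256 the TLSA record publishes, as printed by `openssl pkey -pubin -in keys/https-stratocaster.pub -outform DER | openssl dgst -sha256`, so a later reader can check the zone against the file without a certificate to hand.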