From f25602ccd18bce7a3d5429e9180942c2e92dc1f0 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 10 Aug 2016 10:02:04 +0100
Subject: [PATCH] Set maximum pinning age
---
 src/freedombone-pin-cert | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-pin-cert b/src/freedombone-pin-cert
index 78b21dad..396ad2bf 100755
--- a/src/freedombone-pin-cert
+++ b/src/freedombone-pin-cert
@@ -35,6 +35,9 @@ export TEXTDOMAINDIR="/usr/share/locale"
 WEBSITES_DIRECTORY=/etc/nginx/sites-available
+# 90 days
+PIN_MAX_AGE=7776000
+
 function pin_all_certs {
 if [ ! -d $WEBSITES_DIRECTORY ]; then
 return
@@ -52,7 +55,7 @@ function pin_all_certs {
 BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
-PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
 sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
 echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
 fi
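Review bot: The new `PIN_MAX_AGE` constant in the first hunk is documented only as `# 90 days`, which says neither what the value controls nor why its size matters; the second hunk feeds it into the HPKP `max-age` directive, which is how long a client that has seen the header keeps rejecting any certificate not matching the two pins, so a deployment that loses both the live and the backup key stays unreachable from those clients for the whole period. I would replace the comment with `# HPKP max-age in seconds (90 days). Clients that saw the header keep rejecting any other key for this long, so raising it widens the lockout window if both pinned keys are lost.` and write the value as `PIN_MAX_AGE=$((90 * 24 * 60 * 60))` so the unit and the arithmetic are visible rather than a bare 7776000. Marking it `readonly` would also make explicit that the rest of the script treats it as a constant. `pin_all_certs` opens in the first hunk and its body continues between and beyond both hunks.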