Don't process HSTS/HPKP headers when host is an IP address

net/data/ssl/scripts/generate-cross-signed-certs.sh

 #!/bin/sh
 
 # Copyright 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # This script generates a two roots - one legacy one signed with MD5, and
 # another (newer) one signed with SHA256 - and has a leaf certificate signed
 # by these without any distinguishers.
 #
 # The "cross-signed" comes from the fact that both the MD5 and SHA256 roots
 # share the same Authority Key ID, Subject Key ID, Subject, and Subject Public
 # Key Info. When the chain building algorithm is evaluating paths, if it prefers
 # untrusted over trusted, then it will see the MD5 certificate as a self-signed
 # cert that is "cross-signed" by the trusted SHA256 root.
 #
 # The SHA256 root should be (temporarily) trusted, and the resulting chain
 # should be leaf -> SHA256root, not leaf -> MD5root, leaf -> SHA256root ->
 # MD5root, or leaf -> MD5root -> SHA256root
 
 try() {
-  echo "$@"
-  "$@" || exit 1
-}
-
-quiet_try() {
-    "$@" || exit 1
+  "$@" || (e=$?; echo "$@" > /dev/stderr && exit $e)

[Ryan Sleevi, 2015/04/04 00:35:24]

bash-dog says "I have no idea what's this doing" (Guessing it mutes output
unless there's an error, in which case, it spits out the command and then passes
the error code through?)

go back to try()? *shrug*

[estark, 2015/04/04 00:40:18]

So you like try/quiet_try better? My goal is to call do `blah openssl x509 -text
> ..." which means that |blah| can't print to stdout without messing up the
output file.

[Ryan Sleevi, 2015/04/04 00:46:43]

Oh, right, fair point.

Mostly my comment was alternatively phrased "I have no idea what this is doing,
so I'm relying on palmer, who I know has validated that this is valid sh syntax
per line 1 and not some crazy dialect of zsh/bash/fooblahwhateversh" and "I
really like consistency in these scripts, and this changes the expectations for
what 'try' means, so maybe we shouldn't do it, or, if we're going to do it,
update the other scripts to be consistent'

[palmer, 2015/04/04 01:48:56]

Yes, this is all standard POSIX shell syntax, no modern day crazyshell magic. It
means:

run the args as a command

if the exit code was not 0, start a subshell

in which we save the exit code,
print the failed command to stderr,
and if printing succeeded, exit with the exit code the command exited with,
rather than an arbitrary choice like 1 (else exit with echo's error code!)

That said, I would do:

    "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)

I.e. replace the "&&" with ";". That way, even if echo were to fail for some
reason :) we'd still exit with the saved error code.

We are deep into the nit-weeds on a Friday, and it makes me feel giddy

[estark, 2015/04/06 16:41:13]

Done.

[estark, 2015/04/06 16:41:13]

Done.

 }
 
 try rm -rf out
 try mkdir out
 
 try /bin/sh -c "echo 01 > out/2048-sha256-root-serial"
 try /bin/sh -c "echo 02 > out/2048-md5-root-serial"
 touch out/2048-sha256-root-index.txt
 touch out/2048-md5-root-index.txt
 
@@ skipping 40 matching lines @@
 # Generate the leaf certificates
 CA_COMMON_NAME="Test Dup-Hash Root CA" \
   try openssl ca \
     -batch \
     -extensions user_cert \
     -days 3650 \
     -in out/ok_cert.req \
     -out out/ok_cert.pem \
     -config ca.cnf
 
-quiet_try openssl x509 -text \
+try openssl x509 -text \
     -in out/2048-md5-root.pem > ../certificates/cross-signed-root-md5.pem
-quiet_try openssl x509 -text \
+try openssl x509 -text \
     -in out/2048-sha256-root.pem > ../certificates/cross-signed-root-sha256.pem
-quiet_try openssl x509 -text \
+try openssl x509 -text \
     -in out/ok_cert.pem > ../certificates/cross-signed-leaf.pem