On 03.07.19 at 13:49, [email protected] wrote:
>  Hi Felix,
>
> Sorry for the delay.  I am working with several different OCSP Responders and 
> was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look 
> into the response more.  The current Assertion code checks that the response 
> was "OK", but for this load test, I need to check to see if the response 
> actually says "revoked", because the OCSP responder will respond "OK" even if 
> it doesn't find a match for the cert I am checking.  Then, I have to look for 
> "revoked" or "Revocation" to confirm that I got a "positive" revocation from 
> the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe* 
> DER encoded or something.  I added the following to the Assertion code you 
> posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
>
> and in the Jmeter.log I am getting something that looks like DER-encoded 
> information??
> I've uploaded a screenshot of the Jmeter logging:

Why did you try to add a screenshot? Why not copy the text here? Images
are almost always stripped by the mailing list manager, as in this case.

Have you tried to get the responseObject from the OCSPResp with
rResp.getResponseObject() and looked at that for more information? In my
case it resulted in a BasicOCSPResp Object, which had more methods,
which could be useful to explore.


>
> Can I convert that encoded string in the Assertion code, to something that 
> the code can then check for the word/string like "revoked" or "Revocation"?

A simple way would be to use a regex match in the groovy assertion like
'assert responseStream =~ /revoked|Revocation/'

But even better would be to work the API for the real method to get that
information. Otherwise you might report all certificates for a cert with
revoked in its name as revoked.

Felix

> Thanks!
> Jim
>
>     On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[email protected]> 
> wrote:  
>  
>   Hi,
>
> Wow! Thanks! I will give this a try a little later and post back.
>
> Thanks,
> Jim
>
>
>     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher 
> <[email protected]> wrote:  
>  
>  I think I have got the example working. I attached a jmx file and a cert
> to this mail and maybe we are lucky and the mailing list doesn't strip
> it from the mail.
>
> In case it does:
>
> Add the variable "certpath" to your testplan (either by a CSV datasource
> for more than one cert, or via the test plan root element). It should
> point to your x509 certificates path.
>
> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
> filled with "${ocspReq}".
>
> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
> with the following content:
>
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> // ISO-8859-1 maps every byte to exactly one char, so the DER bytes
> // survive the round trip through a String variable unchanged.
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
>
> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
> OCSPResp oResp = new OCSPResp(instream);
> assert oResp.getStatus() == 0
>
> Add a Header Manager to the sampler with the following set:
>
> Content-Type    application/ocsp-request
> Accept    application/ocsp-response
>
> It seemed to work for me (famous last words)
>
> One important change was to use "ISO-8859-1" for the encoding of the string.
>
> Felix
>
> On 01.07.19 at 22:42, [email protected] wrote:
>>   Hi,
>>
>> This Java app:
>>
>> import java.io.*;
>> import java.math.BigInteger;
>> import java.security.Security;
>> import java.util.*;
>> import org.bouncycastle.cert.*;
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.asn1.*;
>> import org.bouncycastle.openssl.*;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.util.io.pem.*;
>> import org.bouncycastle.pkcs.*;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>>
>> public class jmeterdebug1 {
>>
>>   public static void main(String[] args) {
>>   // TODO Auto-generated method stub
>>   
>>   
>>   String BC = "BC"; //"${securityProvider}";
>>   String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; 
>> //"${certpath}
>>   try {
>>   Reader fR = new BufferedReader(new FileReader(fName));
>>   PEMParser pPar = new PEMParser(fR);
>>
>>   X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>
>>   Security.addProvider(new 
>> org.bouncycastle.jce.provider.BouncyCastleProvider());
>>
>>   DigestCalculatorProvider dCP = new 
>> JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>
>>   CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), 
>> obj, obj.getSerialNumber());
>>
>>   OCSPReqBuilder oRB = new OCSPReqBuilder();
>>   oRB.addRequest(cId);
>>   OCSPReq oReq = oRB.build();
>>
>>   byte[] asn1seq = oReq.getEncoded();
>>   
>>   String sb = new String(asn1seq);
>>   
>>   System.out.println("sb=[" + sb + "]");
>>   
>>   } catch (Exception e) {
>>   System.out.println("*** ERROR ** [" + e + "]");
>>   e.printStackTrace();
>>   }
>>   
>>   //sampler.getArguments().getArgument(0).setValue(sb);
>>   
>>   
>>
>>   }
>>
>> }
>>
>>
>> Outputs:
>>
>> sb=[0B0@0>0<0:0 +
>>
>>
>> So I am guessing that the 'sb' is supposed to be used to populate the POST 
>> body via the line that I have commented out above 
>> ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>
>>
>> So if I just uncomment that line in the equivalent code in the Jmeter 
>> Beanshell Preprocessor code, is there something additional that I need to do 
>> to get the HTTP request to use that for the BODY? 
>>
>> Also, FYI, I added several Debug listeners, but I don't see any variable 
>> named "sb" in their output? What do I need to do so that I can see the 
>> contents of that var in the Debug?
>>
>>
>>
>> Thanks,
>> Jim
>>
>>       On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher 
>> <[email protected]> wrote:  
>>   
>>   
>>
>> On 1 July 2019 21:49:37 CEST, [email protected] wrote:
>>> Hi,
>>>
>>> Hmm. It seems like the example test plan isn't as complete as I had
>>> hoped :(....
>>>
>>> FYI, I think the reference to "the public key infrastructure" is to
>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>> Seems sensible. 
>>
>>> FYI, I am going to try to get this working/debug this as a Java app
>>> first, and then I can try to make a groovy version after that, once it
>>> is clean. I'm hoping that that makes it easier for me, initially.
>> Small steps is a good way to go. 
>>
>>> I will post back in a bit...
>> Great
>>   Felix 
>>
>>> Jim
>>>
>>>
>>>
>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>> <[email protected]> wrote:  
>>>
>>>
>>> Am 01.07.19 um 19:16 schrieb [email protected]:
>>>> Hi,
>>>>
>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>>> and I found this page, but haven't been able to get it working:
>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>
>>>> - The first problem that I ran into is where it says "2. Download the
>>>> public key infrastructure and provider ".  The link for the "provider"
>>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>>> sure what "the public key infrastructure" is supposed to download?
>>>
>>> I think that the "public key infrastructure" means your certificates.
>>> If you download the bouncycastle provider, you probably should take the
>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>
>>>> - Also, for the HTTP Request element, it says "The URL of the
>>>> responder is defined in the variable section of the script.", but I am
>>>> not sure what it is referring to when it says "the variable section of
>>>> the script"?
>>>
>>> I guess that the "user defined variables" table on the test plan (root)
>>> element is meant. But on the other hand, the text fails to add a
>>> variable reference on the http sampler (my guess is that it is hidden
>>> in the http defaults element, which is not described further in the
>>> text), so you are free to add your URL to the http sampler yourself.
>>>
>>> And now to a few things you haven't asked :)
>>>
>>> * Use groovy instead of beanshell whenever possible.
>>>
>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>> vars.get("...") instead
>>>
>>> * Instead of
>>>
>>>     Failure = false;
>>>     if (oResp.getStatus() != 0) {
>>>         Failure = true;
>>>
>>>     }
>>>
>>>  you could use
>>>
>>>     Failure = oResp.getStatus() != 0;
>>>
>>> or if you feel groovy: Failure = oResp.status != 0
>>>
>>>
>>>> Is anyone familiar with this test plan, and gotten it working?
>>> Note that I have no OCSP server and thus have not tried to get it
>>> really working.
>>>
>>> Felix
>>>
>>>> Thanks,
>>>> Jim
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
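
The thread ends with the suggestion to read the certificate status through the Bouncy Castle API rather than matching text in the raw bytes. The following JSR223 Assertion is an added example, not code posted by anyone in the thread. It assumes bcprov and bcpkix are on JMeter's classpath and that every certificate in the test is expected to be revoked; the closures `describe` and `fail` are names chosen for this example.

```groovy
// Added example: JSR223 Assertion (Groovy) for the OCSP HTTP sampler from the thread.
// Assumption: every certificate sent in this load test should come back "revoked".
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.UnknownStatus

// Bouncy Castle represents certStatus "good" as null.
def describe = { status ->
    if (status == null) return "good"
    if (status instanceof RevokedStatus) return "revoked"
    if (status instanceof UnknownStatus) return "unknown"
    return status.getClass().simpleName
}

// Mark the JMeter assertion as failed with a readable message.
def fail = { String msg ->
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage(msg)
}

OCSPResp oResp = new OCSPResp(prev.getResponseData())
if (oResp.getStatus() != OCSPResp.SUCCESSFUL) {
    // Responder-level error: the response carries no certificate status at all.
    fail("OCSP responseStatus=" + oResp.getStatus())
    return
}

def body = oResp.getResponseObject()
if (!(body instanceof BasicOCSPResp)) {
    fail("Unexpected response type: " + body?.getClass()?.name)
    return
}

def singles = ((BasicOCSPResp) body).getResponses()
if (singles.length == 0) { fail("Response contains no SingleResponse"); return }
for (single in singles) {
    def status = single.getCertStatus()
    def serial = single.getCertID().getSerialNumber().toString(16)
    log.info("OCSP serial=" + serial + " certStatus=" + describe(status))
    if (status instanceof RevokedStatus) {
        log.info("serial " + serial + " revoked at " + status.getRevocationTime())
    } else {
        fail("serial " + serial + " is " + describe(status) + ", expected revoked")
    }
}
```

This reads the per-certificate status field only; it does not validate the responder's signature on the response.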