On 03.07.19 at 14:12, o haya wrote:
> Hi Felix,
> Also, here is the code you posted, but slightly modified so that it uses a
> certificate serial number in Hex when it builds the cId (this code so far
> only tests the conversion of the hex-ascii serial number to integer, and uses
> that integer serial number to call).
> I am testing this because, eventually, the test plan I need will take in a
> CSV with a bunch of cert serial numbers and send OCSP requests for those.
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
>
> String certSerialNumber = obj.getSerialNumber();
> log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
>
> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...
> // This is a precursor to using a CSV file with Hex cert serial numbers
> int numericSerialNumber = Integer.valueOf( "35C1", 16);
> log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
>
> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
>
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
The above code is not really readable :)
If you don't use code in your samplers, remove it. Otherwise it is
probably OK to use the cert IDs directly instead of reading them from
the certs.
Felix
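
One way to feed hex serial numbers from a CSV into the request, as an added example that is not code from the thread. It assumes a JMeter variable `certSerialHex` (a hypothetical name, filled per row by a CSV Data Set Config) and that `certpath` points at the issuing CA's certificate, since the `CertificateID` constructor takes the issuer certificate as its second argument.

```groovy
// JSR223 PreProcessor (Groovy). Added example; "certSerialHex" is an assumed
// variable name and "certpath" is assumed to hold the issuing CA certificate.
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.ocsp.CertificateID
import org.bouncycastle.cert.ocsp.OCSPReq
import org.bouncycastle.cert.ocsp.OCSPReqBuilder
import org.bouncycastle.openssl.PEMParser
import org.bouncycastle.operator.DigestCalculatorProvider
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder

// Accept the forms a CSV export tends to contain: 0x prefix, colons, spaces.
BigInteger parseSerial(String raw) {
    String hex = (raw ?: '').trim().replaceAll(/(?i)^0x/, '').replaceAll(/[:\s]/, '')
    if (!(hex ==~ /[0-9A-Fa-f]+/)) {
        throw new IllegalArgumentException('not a hex serial number: [' + raw + ']')
    }
    // BigInteger, not int: real serial numbers do not fit in 32 bits.
    BigInteger serial = new BigInteger(hex, 16)
    // RFC 5280 caps serial numbers at 20 octets; a longer value is a bad CSV row.
    if (serial.bitLength() > 160) {
        throw new IllegalArgumentException('serial longer than 20 octets: [' + raw + ']')
    }
    return serial
}

// The issuer certificate supplies the issuer name hash and key hash of the CertID.
Object parsed = null
new File(vars.get('certpath')).withReader { r -> parsed = new PEMParser(r).readObject() }
if (!(parsed instanceof X509CertificateHolder)) {
    throw new IllegalStateException('certpath does not contain a PEM certificate')
}

BigInteger serialNumber = parseSerial(vars.get('certSerialHex'))
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build()
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1),
        (X509CertificateHolder) parsed, serialNumber)
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build()

// Same transport as in the thread: ISO-8859-1 maps every byte to exactly one char.
vars.put('ocspReq', new String(oReq.getEncoded(), 'ISO-8859-1'))
log.info('OCSP request built for serial ' + serialNumber.toString(16))
```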
>
> On Wednesday, July 3, 2019, 11:49:51 AM UTC, [email protected]
> <[email protected]> wrote:
>
> Hi Felix,
>
> Sorry for the delay. I am working with several different OCSP Responders and
> was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look
> into the response more. The current Assertion code checks that the response
> was "OK", but for this load test, I need to check to see if the response
> actually says "revoked", because the OCSP responder will respond "OK" even if
> it doesn't find a match for the cert I am checking. Then, I have to look for
> "revoked" or "Revocation" to confirm that I got a "positive" revocation from
> the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe*
> DER encoded or something. I added the following to the Assertion code you
> posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" +
> responseStream + "]");
> and in the Jmeter.log I am getting something that looks like DER-encoded
> information??
> I've uploaded a screenshot of the Jmeter logging:
>
> Can I convert that encoded string in the Assertion code, to something that
> the code can then check for the word/string like "revoked" or "Revocation"?
> Thanks!
> Jim
>
> On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[email protected]>
> wrote:
>
> Hi,
>
> Wow! Thanks! I will give this a try a little later and post back.
>
> Thanks,
> Jim
>
>
> On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher
> <[email protected]> wrote:
>
> I think I have got the example working. I attached a jmx file and a cert
> to this mail and maybe we are lucky and the mailing list doesn't strip
> it from the mail.
>
> In case it does:
>
> Add the variable "certpath" to your testplan (either by a CSV datasource
> for more than one cert, or via the test plan root element). It should
> point to your x509 certificates path.
>
> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
> filled with "${ocspReq}".
>
> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
> with the following content:
>
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
>
> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
> OCSPResp oResp = new OCSPResp(instream);
> assert oResp.getStatus() ==0
>
> Add a Header Manager to the sampler with the following set:
>
> Content-Type application/ocsp-request
> Accept application/ocsp-response
>
> It seemed to work for me (famous last words)
>
> One important change was to use "ISO-8859-1" for the encoding of the string.
>
> Felix
>
> On 01.07.19 at 22:42, [email protected] wrote:
>> Hi,
>>
>> This Java app:
>>
>> import java.io.*;
>> import java.math.BigInteger;
>> import java.security.Security;
>> import java.util.*;
>> import org.bouncycastle.cert.*;
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.asn1.*;
>> import org.bouncycastle.openssl.*;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.util.io.pem.*;
>> import org.bouncycastle.pkcs.*;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>> public class jmeterdebug1 {
>>
>>     public static void main(String[] args) {
>>         // TODO Auto-generated method stub
>>
>>         String BC = "BC"; //"${securityProvider}";
>>         String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>>         try {
>>             Reader fR = new BufferedReader(new FileReader(fName));
>>             PEMParser pPar = new PEMParser(fR);
>>
>>             X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>
>>             Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>
>>             DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>
>>             CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>>
>>             OCSPReqBuilder oRB = new OCSPReqBuilder();
>>             oRB.addRequest(cId);
>>             OCSPReq oReq = oRB.build();
>>
>>             byte[] asn1seq = oReq.getEncoded();
>>
>>             String sb = new String(asn1seq);
>>
>>             System.out.println("sb=[" + sb + "]");
>>
>>         } catch (Exception e) {
>>             System.out.println("*** ERROR ** [" + e + "]");
>>             e.printStackTrace();
>>         }
>>
>>         //sampler.getArguments().getArgument(0).setValue(sb);
>>
>>     }
>>
>> }
>>
>>
>> Outputs:
>>
>> sb=[0B0@0>0<0:0 +
>>
>>
>> So I am guessing that the 'sb' is supposed to be used to populate the POST
>> body via the line that I have commented out above
>> ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>
>>
>> So if I just uncomment that line in the equivalent code in the Jmeter
>> Beanshell Preprocessor code, is there something additional that I need to do
>> to get the HTTP request to use that for the BODY?
>>
>> Also, FYI, I added several Debug listeners, but I don't see any variable
>> named "sb" in their output? What do I need to do so that I can see the
>> contents of that var in the Debug?
>>
>>
>>
>> Thanks,
>> Jim
>>
>> On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher
>> <[email protected]> wrote:
>>
>>
>>
>> On 1 July 2019 21:49:37 CEST, [email protected] wrote:
>>> Hi,
>>>
>>> Hmm. It seems like the example test plan isn't as complete as I had
>>> hoped :(....
>>>
>>> FYI, I think the reference to "the public key infrastructure" is to
>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>> Seems sensible.
>>
>>> FYI, I am going to try to get this working/debug this as a Java app
>>> first, and then I can try to make a groovy version after that, once it
>>> is clean. I'm hoping that that makes it easier for me, initially.
>> Small steps is a good way to go.
>>
>>> I will post back in a bit...
>> Great
>> Felix
>>
>>> Jim
>>>
>>>
>>>
>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>> <[email protected]> wrote:
>>>
>>>
>>> On 01.07.19 at 19:16, [email protected] wrote:
>>>> Hi,
>>>>
>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>> and I found this page, but haven't been able to get it working:
>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>
>>>> - The first problem that I ran into is where it says "2. Download the
>>> public key infrastructure and provider ". The link for the "provider"
>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>> sure what the "the public key infrastructure" is supposed to download?
>>> I think that the "public key infrastructure" means your certificates.
>>> If
>>> you download the bouncycastle provider, you probably should take the
>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>> - Also, for the HTTP Request element, it says "The URL of the
>>> responder is defined in the variable section of the script.", but I am
>>> not sure what it is referring to when it says "the variable section of
>>> the script"?
>>>
>>> I guess that the "user defined variables" table on the test plan (root)
>>> element is meant. But on the other hand, the text fails to add a
>>> variable reference on the HTTP sampler (my guess is that it is hidden
>>> in the HTTP defaults element, which is not described further in the
>>> text), so you are free to add your URL to the HTTP sampler yourself.
>>>
>>> And now to a few things you haven't asked :)
>>>
>>> * Use groovy instead of beanshell whenever possible.
>>>
>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>> vars.get("...") instead
>>>
>>> * Instead of
>>>
>>> Failure = false;
>>> if (oResp.getStatus() != 0) {
>>> Failure = true;
>>>
>>> }
>>>
>>> you could use
>>>
>>> Failure = oResp.getStatus() != 0;
>>>
>>> or if you feel groovy: Failure = oResp.status != 0
>>>
>>>
>>>> Is anyone familiar with this test plan, and gotten it working?
>>> Note, that I have no OCSP server and thus have not tried to get it
>>> really working.
>>>
>>> Felix
>>>
>>>> Thanks,
>>>> Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
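
The question above about checking for "revoked" comes down to two layers in an OCSP response: the outer responseStatus that `getStatus()` returns, and the per-certificate status inside the basic response. The following JSR223 Assertion is an added example, not code from the thread; it uses BouncyCastle's `BasicOCSPResp` and `SingleResp` classes and fails the sample unless every answered certificate is reported as revoked.

```groovy
// JSR223 Assertion (Groovy). Added example, not code from the thread.
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.CertificateStatus
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp

// The body is DER, so it is parsed as bytes rather than searched as text.
byte[] der = ctx.getPreviousResult().getResponseData()
OCSPResp oResp = new OCSPResp(der)

// Layer 1: responseStatus only says whether the responder processed the request.
if (oResp.getStatus() != OCSPResp.SUCCESSFUL) {
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage('OCSP responseStatus=' + oResp.getStatus())
    return
}

// Layer 2: the per-certificate status lives in the BasicOCSPResp.
Object body = oResp.getResponseObject()
SingleResp[] singles = (body instanceof BasicOCSPResp) ? body.getResponses() : new SingleResp[0]
List<String> notRevoked = []
for (SingleResp single : singles) {
    String serial = single.getCertID().getSerialNumber().toString(16)
    CertificateStatus status = single.getCertStatus()
    if (status instanceof RevokedStatus) {
        log.info('serial ' + serial + ' revoked at ' + status.getRevocationTime())
    } else if (status == CertificateStatus.GOOD) {
        // BouncyCastle represents "good" as null (CertificateStatus.GOOD).
        notRevoked << (serial + '=good')
    } else {
        notRevoked << (serial + '=unknown')
    }
}

if (singles.length == 0 || notRevoked) {
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage(singles.length == 0 ?
            'no single responses in OCSP reply' : 'not revoked: ' + notRevoked.join(', '))
}
```

This checks the reported status only; it does not verify the responder's signature on the response.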