Hi,
Sorry about the code formatting :(...  Yahoo email did that I think....

FYI, I use the CRL to extract/generate a file that contains the serial numbers 
of all the certificates in the CRL (via "openssl crl...").
I then prepend the path to the issuer cert (plus a comma) to each line.
I want to use the resulting CSV file as input to my Jmeter test plan, e.g., so, 
eventually, I can do load testing where it is sending OCSP requests for 
multiple issuing certs.
So I modified the code you posted (for the Sampler) to do that, and that is 
working now.


Re. the JSR223 Assertion processing:

I haven't gotten that completely working yet.
The Assertion code you provided just checks the response, which is typically 
just "OK", regardless of whether the <issuer,serial number> is in the CRL or 
not, but for my load test, I want to check that the response actually says 
"revoked".
Here's the Assertion code that I have so far, but it is not working yet :(....


//Add a JSR223 Assertion to the sampler (set to groovy,again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();

InputStream is = new ByteArrayInputStream(instream);
BufferedReader in1 = new BufferedReader(new InputStreamReader(is, "ISO-8859-1"));

StringBuilder logCommandOutput = new StringBuilder();
String line;
while ((line = in1.readLine()) != null) {
    logCommandOutput.append(line);
}
in1.close();

log.info("RESPONSE: " + logCommandOutput.toString());

String passToAssertion = logCommandOutput.toString();
String passedResponse = passToAssertion;
if (passedResponse.contains("Revocation")) {
    log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, soPASSED!!");
} else {
    log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, soFAILED!!");
    AssertionResult.setFailure(false);
    AssertionResult.setFailureMessage("JSR223Assertion did not find 'Revocation'");
}

The problems that I am having:
1) It is not finding the string "Revocation" in the response, i.e., the "if 
(passedResponse.contains("Revocation"))" is failing.

I think the reason this is failing is that I am still not converting the 
response into text (FYI, code, similar to above worked, in another test plan I 
am working on, using "openssl ocsp" and BeanShell  Sampler/Assertion), so then 
the ".contains()" fails.

2) The code at the end, which is supposed to tell Jmeter whether or not the 
Assertion failed or succeeded is not working.  In particular, it is not 
informing Jmeter that the Assertion failed when the Assertion fails.

Jim
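
An added example, not part of the original message or of any code posted in this thread: the OCSP response body is DER-encoded ASN.1, so a text search for "Revocation" cannot match it, and the per-certificate status has to be read from the parsed structure instead. This JSR223 Assertion (groovy) parses the body with BouncyCastle, looks for the requested serial, and calls AssertionResult.setFailure(true) unless that serial is reported as revoked. The helper name checkRevoked and the variable name "serialhex" (the CSV column holding the hex serial number) are assumptions.

```groovy
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp

// Returns null if the response reports the expected serial as revoked,
// otherwise a message describing why the assertion should fail.
String checkRevoked(byte[] der, BigInteger expectedSerial) {
    def basic
    try {
        OCSPResp resp = new OCSPResp(der)   // parses the DER body directly
        // The outer status (0 = successful) only says the request was processed.
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            return "OCSP responseStatus was " + resp.getStatus()
        }
        basic = resp.getResponseObject()
    } catch (Exception e) {
        return "could not parse OCSP response: " + e.getMessage()
    }
    if (!(basic instanceof BasicOCSPResp)) {
        return "response carries no BasicOCSPResp"
    }
    for (SingleResp single : basic.getResponses()) {
        if (single.getCertID().getSerialNumber() != expectedSerial) {
            continue
        }
        def status = single.getCertStatus()  // null is BouncyCastle's "good"
        if (status instanceof RevokedStatus) {
            return null
        }
        return "serial " + expectedSerial.toString(16) + " is " +
               (status == null ? "good" : "unknown") + ", expected revoked"
    }
    return "no SingleResp for serial " + expectedSerial.toString(16)
}

def sR = ctx.getPreviousResult()
// "serialhex" is an assumed variable name for the CSV column with the hex serial.
// BigInteger handles serial numbers wider than 32 bits.
BigInteger serial = new BigInteger(vars.get("serialhex"), 16)
String failure = checkRevoked(sR.getResponseData(), serial)
if (failure != null) {
    AssertionResult.setFailure(true)         // true marks the assertion as failed
    AssertionResult.setFailureMessage(failure)
    log.info(Thread.currentThread().getName() + ": " + failure)
}
```

The example reads the status fields only; it does not verify the responder's signature on the BasicOCSPResp.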

    On Wednesday, July 3, 2019, 12:40:20 PM UTC, Felix Schumacher 
<[email protected]> wrote:  
 
 
On 03.07.19 at 14:12, o haya wrote:
>  Hi Felix,
> Also, here is the code you posted, but slightly modified so that it uses a 
> certificate serial number in Hex when it builds the cId (this code so far 
> only tests the conversion of the hex-ascii serial number to integer, and uses 
> that integer serial number to call).
> I am testing this because, eventually, the test plan I need will take in a 
> CSV with a bunch of cert serial numbers and send OCSP requests for those.
> import java.io.BufferedReader;import java.io.FileReader;import java.io.Reader;
> import org.bouncycastle.cert.ocsp.CertificateID;import 
> org.bouncycastle.cert.ocsp.OCSPReq;import 
> org.bouncycastle.cert.ocsp.OCSPReqBuilder;import 
> org.bouncycastle.cert.X509CertificateHolder;import 
> org.bouncycastle.openssl.PEMParser;import 
> org.bouncycastle.operator.DigestCalculatorProvider;import 
> org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
> String fName = vars.get("certpath");Reader fR = new BufferedReader(new 
> FileReader(fName));PEMParser pPar = new PEMParser(fR);X509CertificateHolder 
> obj = (X509CertificateHolder)pPar.readObject();DigestCalculatorProvider dCP = 
> newJcaDigestCalculatorProviderBuilder().build();
> String certSerialNumber = 
> obj.getSerialNumber();log.info("++++++++++++++++++++ certSerialNumber=[" + 
> certSerialNumber + "]");
> // Test Converting a HEX-STRING to int/biginteger, and then passing that into 
> the dCP.get()...// This is a precursor to using a CSV file with Hex cert 
> serial numbersint numericSerialNumber = Integer.valueOf( "35C1", 
> 16);log.info("++++++++++++++++++++++ numericSerialNumber=[" + 
> numericSerialNumber + "]");
> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), 
> obj, obj.getSerialNumber());CertificateID cId = new 
> CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();byte[] asn1seq = 
> oReq.getEncoded();String sb = new String(asn1seq, 
> "ISO-8859-1");vars.put("ocspReq", sb);

The above code is not really readable :)

If you don't use code in your samplers, remove it. Otherwise it is
probably OK to use the cert IDs directly instead of reading them from
the  certs.

Felix

>
>    On Wednesday, July 3, 2019, 11:49:51 AM UTC, [email protected] 
><[email protected]> wrote:  
>  
>  Hi Felix,
>
> Sorry for the delay.  I am working with several different OCSP Responders and 
> was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look 
> into the response more.  The current Assertion code checks that the response 
> was "OK", but for this load test, I need to check to see if the response 
> actually says "revoked", because the OCSP responder will respond "OK" even if 
> it doesn't find a match for the cert I am checking.  Then, I have to look for 
> "revoked" or "Revocation" to confirm that I got a "positive" revocation from 
> the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe* 
> DER encoded or something.  I added the following to the Assertion code you 
> posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + 
> responseStream + "]");
> and in the Jmeter.log I am getting something that looks like DER-encoded 
> information??
> I've uploaded a screenshot of the Jmeter logging:
>
> Can I convert that encoded string in the Assertion code, to something that 
> the code can then check for the word/string like "revoked" or "Revocation"?
> Thanks!
> Jim
>
>     On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[email protected]> 
> wrote:  
>  
>   Hi,
>
> Wow! Thanks! I will give this a try a little later and post back.
>
> Thanks,
> Jim
>
>
>     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher 
> <[email protected]> wrote:  
>  
>  I think I have got the example working. I attached a jmx file and a cert
> to this mail and maybe we are lucky and the mailing list doesn't strip
> it from the mail.
>
> In case it does:
>
> Add the variable "certpath" to your testplan (either by a csv datasource
> for more than one cert, or via the test plan root element). It should
> point to your x509 certificates path.
>
> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
> filled with "${ocspReq}".
>
> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
> with the following content:
>
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1),
> obj, obj.getSerialNumber());
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
>
> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
> OCSPResp oResp = new OCSPResp(instream);
> assert oResp.getStatus() == 0
>
> Add a Header Manager to the sampler with the following set:
>
> Content-Type    application/ocsp-request
> Accept    application/ocsp-response
>
> It seemed to work for me (famous last words)
>
> One important change was to use "ISO-8859-1" for the encoding of the string.
>
> Felix
>
> On 01.07.19 at 22:42, [email protected] wrote:
>>   Hi,
>>
>> This Java app:
>>
>> import java.io.*;
>> import java.math.BigInteger;
>> import java.security.Security;
>> import java.util.*;
>> import org.bouncycastle.cert.*;
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.asn1.*;
>> import org.bouncycastle.openssl.*;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.util.io.pem.*;
>> import org.bouncycastle.pkcs.*;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>>
>> public class jmeterdebug1 {
>>
>>   public static void main(String[] args) {
>>   // TODO Auto-generated method stub
>>   
>>   
>>   String BC = "BC"; //"${securityProvider}";
>>   String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; 
>> //"${certpath}
>>   try {
>>   Reader fR = new BufferedReader(new FileReader(fName));
>>   PEMParser pPar = new PEMParser(fR);
>>
>>   X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>
>>   Security.addProvider(new 
>> org.bouncycastle.jce.provider.BouncyCastleProvider());
>>
>>   DigestCalculatorProvider dCP = new 
>> JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>
>>   CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), 
>> obj, obj.getSerialNumber());
>>
>>   OCSPReqBuilder oRB = new OCSPReqBuilder();
>>   oRB.addRequest(cId);
>>   OCSPReq oReq = oRB.build();
>>
>>   byte[] asn1seq = oReq.getEncoded();
>>   
>>   String sb = new String(asn1seq);
>>   
>>   System.out.println("sb=[" + sb + "]");
>>   
>>   } catch (Exception e) {
>>   System.out.println("*** ERROR ** [" + e + "]");
>>   e.printStackTrace();
>>   }
>>   
>>   //sampler.getArguments().getArgument(0).setValue(sb);
>>   
>>   
>>
>>   }
>>
>> }
>>
>>
>> Outputs:
>>
>> sb=[0B0@0>0<0:0 +
>>
>>
>> So I am guessing that the 'sb' is supposed to be used to populate the POST 
>> body via the line that I have commented out above 
>> ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>
>>
>> So if I just uncomment that line in the equivalent code in the Jmeter 
>> Beanshell Preprocessor code, is there something additional that I need to do 
>> to get the HTTP request to use that for the BODY? 
>>
>> Also, FYI, I added several Debug listeners, but I don't see any variable 
>> named "sb" in their output? What do I need to do so that I can see the 
>> contents of that var in the Debug?
>>
>>
>>
>> Thanks,
>> Jim
>>
>>       On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher 
>> <[email protected]> wrote:  
>>   
>>   
>>
>> On 1 July 2019 21:49:37 CEST, [email protected] wrote:
>>> Hi,
>>>
>>> Hmm. It seems like the example test plan isn't as complete as I had
>>> hoped :(....
>>>
>>> FYI, I think the reference to "the public key infrastructure" is to
>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>> Seems sensible. 
>>
>>> FYI, I am going to try to get this working/debug this as a Java app
>>> first, and then I can try to make a groovy version after that, once it
>>> is clean. I'm hoping that that makes it easier for me, initially.
>> Small steps is a good way to go. 
>>
>>> I will post back in a bit...
>> Great
>>   Felix 
>>
>>> Jim
>>>
>>>
>>>
>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>> <[email protected]> wrote:  
>>>
>>>
>>> On 01.07.19 at 19:16, [email protected] wrote:
>>>> Hi,
>>>>
>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>>> and I found this page, but haven't been able to get it working:
>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>
>>>> - The first problem that I ran into is where it says "2. Download the
>>>> public key infrastructure and provider ".  The link for the "provider"
>>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>>> sure what the "the public key infrastructure" is supposed to download?
>>>
>>> I think that the "public key infrastructure" means your certificates. If
>>> you download the bouncycastle provider, you probably should take the
>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>
>>>> - Also, for the HTTP Request element, it says "The URL of the
>>>> responder is defined in the variable section of the script.", but I am
>>>> not sure what it is referring to when it says "the variable section of
>>>> the script"?
>>>
>>> I guess that the "user defined variables" table on the test plan (root)
>>> element is meant. But on the other hand, the text misses to add a
>>> variable reference on the http sampler (my guess is, that it is hidden
>>> in the http defaults element, that are not described further in the
>>> text), so you are free to add your URL to the http sampler yourself.
>>>
>>> And now to a few things you haven't asked :)
>>>
>>> * Use groovy instead of beanshell whenever possible.
>>>
>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>> vars.get("...") instead
>>>
>>> * Instead of
>>>
>>>     Failure = false;
>>>     if (oResp.getStatus() != 0) {
>>>         Failure = true;
>>>
>>>     }
>>>
>>>  you could use
>>>
>>>     Failure = oResp.getStatus() != 0;
>>>
>>> or if you feel groovy: Failure = oResp.status != 0
>>>
>>>
>>>> Is anyone familiar with this test plan, and gotten it working?
>>> Note, that I have no OCSP server and thus have not tried to get it
>>> really working.
>>>
>>> Felix
>>>
>>>> Thanks,
>>>> Jim
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]