On 03.07.19 at 17:44, [email protected] wrote:
> Hi,
> Sorry about the code formatting :(... Yahoo email did that I think....
>
> FYI, I use the CRL to extract/generate a file that contains the serial
> numbers of all the certificates in the CRL (via "openssl crl...").
> I then prepend the path to the issuer cert (plus a comma) to each line.
> I want to use the resulting CSV file as input to my Jmeter test plan, e.g.,
> so, eventually, I can do load testing where it is sending OCSP requests for
> multiple issuing certs.
> So I modified the code you posted (for the Sampler) to do that, and that is
> working now.
>
>
> Re. the JSR223 Assertion processing:
>
> I haven't gotten that completely working yet.
> The Assertion code you provided just checks the response, which is typically
> just "OK", regardless of whether the <issuer,serial number> is in the CRL or
> not, but for my load test, I want to check that the response actually says
> "revoked".
> Here's the Assertion code that I have so far, but it is not working yet :(....
Do you have a test sample (cert id and ocsp provider) that gives a
response that is "revoked"? And have you tried to look at the
responseObject as I asked in my previous mail?
Felix
>
>
> //Add a JSR223 Assertion to the sampler (set to groovy,again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
>
> InputStream is = new ByteArrayInputStream(instream);
> BufferedReader in1 = new BufferedReader(new InputStreamReader(is, "ISO-8859-1"));
>
> StringBuilder logCommandOutput = new StringBuilder();
> String line;
> while ((line = in1.readLine()) != null) {
>     logCommandOutput.append(line);
> }
> in1.close();
>
> log.info("RESPONSE: " + logCommandOutput.toString());
>
> String passToAssertion = logCommandOutput.toString();
> String passedResponse = passToAssertion;
> if (passedResponse.contains("Revocation")) {
>     log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, so PASSED!!");
> } else {
>     log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
>     AssertionResult.setFailure(false);
>     AssertionResult.setFailureMessage("JSR223Assertion did not find 'Revocation'");
> }
>
> The problems that I am having:
> 1) It is not finding the string "Revocation" in the response, i.e., the "if
> (passedResponse.contains("Revocation"))" is failing.
>
> I think the reason this is failing is that I am still not converting the
> response into text (FYI, code, similar to above worked, in another test plan
> I am working on, using "openssl ocsp" and BeanShell Sampler/Assertion), so
> then the ".contains()" fails.
>
> 2) The code at the end, which is supposed to tell Jmeter whether or not the
> Assertion failed or succeeded is not working. In particular, it is not
> informing Jmeter that the Assertion failed when the Assertion fails.
>
> Jim
>
> On Wednesday, July 3, 2019, 12:40:20 PM UTC, Felix Schumacher
> <[email protected]> wrote:
>
>
> On 03.07.19 at 14:12, o haya wrote:
>> Hi Felix,
>> Also, here is the code you posted, but slightly modified so that it uses a
>> certificate serial number in Hex when it builds the cId (this code so far
>> only tests the conversion of the hex-ascii serial number to integer, and
>> uses that integer serial number to call).
>> I am testing this because, eventually, the test plan I need will take in a
>> CSV with a bunch of cert serial numbers and send OCSP requests for those.
>>
>> import java.io.BufferedReader;
>> import java.io.FileReader;
>> import java.io.Reader;
>>
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.cert.X509CertificateHolder;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>> String fName = vars.get("certpath");
>> Reader fR = new BufferedReader(new FileReader(fName));
>> PEMParser pPar = new PEMParser(fR);
>> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
>>
>> String certSerialNumber = obj.getSerialNumber();
>> log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
>>
>> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...
>> // This is a precursor to using a CSV file with Hex cert serial numbers
>> int numericSerialNumber = Integer.valueOf("35C1", 16);
>> log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
>>
>> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
>> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
>> byte[] asn1seq = oReq.getEncoded();
>> String sb = new String(asn1seq, "ISO-8859-1");
>> vars.put("ocspReq", sb);
> The above code is not really readable :)
>
> If you don't use code in your samplers, remove it. Otherwise it is
> probably OK to use the cert IDs directly instead of reading them from
> the certs.
>
> Felix
>
>>
>> On Wednesday, July 3, 2019, 11:49:51 AM UTC, [email protected]
>> <[email protected]> wrote:
>>
>> Hi Felix,
>>
>> Sorry for the delay. I am working with several different OCSP Responders
>> and was busy trying to get one of them working.
>>
>> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>>
>> Also, the Assertion succeeded, but I need to get the Assertion code to look
>> into the response more. The current Assertion code checks that the response
>> was "OK", but for this load test, I need to check to see if the response
>> actually says "revoked", because the OCSP responder will respond "OK" even
>> if it doesn't find a match for the cert I am checking. Then, I have to look
>> for "revoked" or "Revocation" to confirm that I got a "positive" revocation
>> from the CRL.
>>
>> Right now, it looks like I can get the response data/text, but it is *maybe*
>> DER encoded or something. I added the following to the Assertion code you
>> posted:
>>
>> // ADDED TO TRY TO GET RESPONSE INFORMATION...
>> String responseStream = new String(instream, "ISO-8859-1");
>> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" +
>> responseStream + "]");
>> and in the Jmeter.log I am getting something that looks like DER-encoded
>> information??
>> I've uploaded a screenshot of the Jmeter logging:
>>
>> Can I convert that encoded string in the Assertion code, to something that
>> the code can then check for the word/string like "revoked" or "Revocation"?
>> Thanks!
>> Jim
>>
>> On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[email protected]>
>> wrote:
>>
>> Hi,
>>
>> Wow! Thanks! I will give this a try a little later and post back.
>>
>> Thanks,
>> Jim
>>
>>
>> On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher
>> <[email protected]> wrote:
>>
>> I think I have got the example working. I attached a jmx file and a cert
>> to this mail and maybe we are lucky and the mailing list doesn't strip
>> it from the mail.
>>
>> In case it does:
>>
>> Add the variable "certpath" to your testplan (either by a csv datasource
>> for more than one cert, or via the test plan root element). It should
>> point to your x509 certificates path.
>>
>> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
>> filled with "${ocspReq}".
>>
>> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
>> with the following content:
>>
>> import java.io.BufferedReader;
>> import java.io.FileReader;
>> import java.io.Reader;
>>
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.cert.X509CertificateHolder;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>> String fName = vars.get("certpath");
>> Reader fR = new BufferedReader(new FileReader(fName));
>> PEMParser pPar = new PEMParser(fR);
>> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>> DigestCalculatorProvider dCP = new
>> JcaDigestCalculatorProviderBuilder().build();
>> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1),
>> obj, obj.getSerialNumber());
>> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
>> byte[] asn1seq = oReq.getEncoded();
>> String sb = new String(asn1seq, "ISO-8859-1");
>> vars.put("ocspReq", sb);
>>
>> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>>
>> import org.bouncycastle.cert.ocsp.OCSPResp;
>>
>> def sR = ctx.getPreviousResult();
>> byte[] instream = sR.getResponseData();
>> OCSPResp oResp = new OCSPResp(instream);
>> assert oResp.getStatus() ==0
>>
>> Add a Header Manager to the sampler with the following set:
>>
>> Content-Type application/ocsp-request
>> Accept application/ocsp-response
>>
>> It seemed to work for me (famous last words)
>>
>> One important change was to use "ISO-8859-1" for the encoding of the string.
>>
>> Felix
>>
>> On 01.07.19 at 22:42, [email protected] wrote:
>>> Hi,
>>>
>>> This Java app:
>>>
>>> import java.io.*;
>>> import java.math.BigInteger;
>>> import java.security.Security;
>>> import java.util.*;
>>> import org.bouncycastle.cert.*;
>>> import org.bouncycastle.cert.ocsp.CertificateID;
>>> import org.bouncycastle.cert.ocsp.OCSPReq;
>>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>>> import org.bouncycastle.asn1.*;
>>> import org.bouncycastle.openssl.*;
>>> import org.bouncycastle.openssl.PEMParser;
>>> import org.bouncycastle.util.io.pem.*;
>>> import org.bouncycastle.pkcs.*;
>>> import org.bouncycastle.operator.DigestCalculatorProvider;
>>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>>
>>>
>>> public class jmeterdebug1 {
>>>
>>>     public static void main(String[] args) {
>>>         // TODO Auto-generated method stub
>>>
>>>         String BC = "BC"; //"${securityProvider}";
>>>         String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>>>         try {
>>>             Reader fR = new BufferedReader(new FileReader(fName));
>>>             PEMParser pPar = new PEMParser(fR);
>>>
>>>             X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>>
>>>             Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>>
>>>             DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>>
>>>             CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>>>
>>>             OCSPReqBuilder oRB = new OCSPReqBuilder();
>>>             oRB.addRequest(cId);
>>>             OCSPReq oReq = oRB.build();
>>>
>>>             byte[] asn1seq = oReq.getEncoded();
>>>
>>>             String sb = new String(asn1seq);
>>>
>>>             System.out.println("sb=[" + sb + "]");
>>>
>>>         } catch (Exception e) {
>>>             System.out.println("*** ERROR ** [" + e + "]");
>>>             e.printStackTrace();
>>>         }
>>>
>>>         //sampler.getArguments().getArgument(0).setValue(sb);
>>>
>>>     }
>>>
>>> }
>>>
>>>
>>> Outputs:
>>>
>>> sb=[0B0@0>0<0:0 +
>>>
>>>
>>> So I am guessing that the 'sb' is supposed to be used to populate the POST
>>> body via the line that I have commented out above
>>> ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>>
>>>
>>> So if I just uncomment that line in the equivalent code in the Jmeter
>>> Beanshell Preprocessor code, is there something additional that I need to
>>> do to get the HTTP request to use that for the BODY?
>>>
>>> Also, FYI, I added several Debug listeners, but I don't see any variable
>>> named "sb" in their output? What do I need to do so that I can see the
>>> contents of that var in the Debug?
>>>
>>>
>>>
>>> Thanks,
>>> Jim
>>>
>>>
>>> On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher
>>> <[email protected]> wrote:
>>>
>>>
>>>
>>> On 1 July 2019 21:49:37 CEST, [email protected] wrote:
>>>> Hi,
>>>>
>>>> Hmm. It seems like the example test plan isn't as complete as I had
>>>> hoped :(....
>>>>
>>>> FYI, I think the reference to "the public key infrastructure" is to
>>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>>> Seems sensible.
>>>
>>>> FYI, I am going to try to get this working/debug this as a Java app
>>>> first, and then I can try to make a groovy version after that, once it
>>>> is clean. I'm hoping that that makes it easier for me, initially.
>>> Small steps is a good way to go.
>>>
>>>> I will post back in a bit...
>>> Great
>>> Felix
>>>
>>>> Jim
>>>>
>>>>
>>>>
>>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>>> <[email protected]> wrote:
>>>>
>>>>
>>>> On 01.07.19 at 19:16, [email protected] wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>>> and I found this page, but haven't been able to get it working:
>>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>>
>>>>> - The first problem that I ran into is where it says "2. Download the
>>>> public key infrastructure and provider ". The link for the "provider"
>>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>>> sure what the "the public key infrastructure" is supposed to download?
>>>> I think that the "public key infrastructure" means your certificates. If
>>>> you download the bouncycastle provider, you probably should take the
>>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>>> - Also, for the HTTP Request element, it says "The URL of the
>>>> responder is defined in the variable section of the script.", but I am
>>>> not sure what it is referring to when it says "the variable section of
>>>> the script"?
>>>>
>>>> I guess that the "user defined variables" table on the test plan (root)
>>>> element is meant. But on the other hand, the text fails to add a
>>>> variable reference on the http sampler (my guess is that it is hidden
>>>> in the http defaults element, which is not described further in the
>>>> text), so you are free to add your URL to the http sampler yourself.
>>>>
>>>> And now to a few things you haven't asked :)
>>>>
>>>> * Use groovy instead of beanshell whenever possible.
>>>>
>>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>>> vars.get("...") instead
>>>>
>>>> * Instead of
>>>>
>>>> Failure = false;
>>>> if (oResp.getStatus() != 0) {
>>>> Failure = true;
>>>>
>>>> }
>>>>
>>>> you could use
>>>>
>>>> Failure = oResp.getStatus() != 0;
>>>>
>>>> or if you feel groovy: Failure = oResp.status != 0
>>>>
>>>>
>>>>> Is anyone familiar with this test plan, and gotten it working?
>>>> Note that I have no OCSP server and thus have not tried to get it
>>>> really working.
>>>>
>>>> Felix
>>>>
>>>>> Thanks,
>>>>> Jim
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: [email protected]
>>>>> For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
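
An added example, not part of the original mails: a JSR223 Assertion (groovy) that decodes the DER-encoded OCSP response with BouncyCastle and reads each certificate's status, instead of searching the raw bytes for the text "Revocation". It assumes bcpkix/bcprov are on JMeter's classpath and uses the bindings seen in the thread (ctx, log, AssertionResult); the helper name certStatuses is hypothetical.

```groovy
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp
import org.bouncycastle.cert.ocsp.UnknownStatus

// Hypothetical helper: maps each hex serial number in the response to
// "good", "revoked" or "unknown". The responder's signature is NOT
// verified here; this only reads the status fields for a load test.
Map<String, String> certStatuses(byte[] der) {
    OCSPResp resp = new OCSPResp(der)
    // responseStatus 0 (successful) only says the responder answered
    if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
        throw new IllegalStateException("OCSP responseStatus=" + resp.getStatus())
    }
    BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject()
    Map<String, String> out = [:]
    for (SingleResp single : basic.getResponses()) {
        String serial = single.getCertID().getSerialNumber().toString(16).toUpperCase()
        def status = single.getCertStatus()   // BouncyCastle returns null for "good"
        if (status == null) {
            out[serial] = "good"
        } else if (status instanceof RevokedStatus) {
            out[serial] = "revoked"
        } else if (status instanceof UnknownStatus) {
            out[serial] = "unknown"
        } else {
            out[serial] = status.getClass().getSimpleName()
        }
    }
    return out
}

try {
    byte[] der = ctx.getPreviousResult().getResponseData()
    Map<String, String> statuses = certStatuses(der)
    log.info("OCSP cert statuses: " + statuses)
    // The load test expects every queried serial to come back revoked
    if (statuses.isEmpty() || statuses.any { it.value != "revoked" }) {
        AssertionResult.setFailure(true)   // true marks the assertion as failed
        AssertionResult.setFailureMessage("expected revoked, got " + statuses)
    }
} catch (Exception e) {
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage("cannot evaluate OCSP response: " + e)
}
```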