Help get OCSP responder load test working?


ohaya@yahoo.com.INVALID
Hi,

I am trying to implement a Jmeter load test for an OCSP responder, and I found this page, but haven't been able to get it working:

https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/

- The first problem that I ran into is where it says "2. Download the public key infrastructure and provider ".  The link for the "provider" works and allows me to download "bcprov-jdk15on-156.jar", but I am not sure what the "the public key infrastructure" is supposed to download?

- Also, for the HTTP Request element, it says "The URL of the responder is defined in the variable section of the script.", but I am not sure what it is referring to when it says "the variable section of the script"?

Is anyone familiar with this test plan, and gotten it working?

Thanks,
Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Help get OCSP responder load test working?

Felix Schumacher

On 01.07.19 at 19:16, [hidden email] wrote:
> Hi,
>
> I am trying to implement a Jmeter load test for an OCSP responder, and I found this page, but haven't been able to get it working:
>
> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>
> - The first problem that I ran into is where it says "2. Download the public key infrastructure and provider ".  The link for the "provider" works and allows me to download "bcprov-jdk15on-156.jar", but I am not sure what the "the public key infrastructure" is supposed to download?
I think that the "public key infrastructure" means your certificates. If
you download the bouncycastle provider, you probably should take the
newest version of it: https://bouncycastle.org/latest_releases.html
>
> - Also, for the HTTP Request element, it says "The URL of the responder is defined in the variable section of the script.", but I am not sure what it is referring to when it says "the variable section of the script"?

I guess that the "user defined variables" table on the test plan (root)
element is meant. But on the other hand, the text misses to add a
variable reference on the http sampler (my guess is, that it is hidden
in the http defaults element, that are not described further in the
text), so you are free to add your URL to the http sampler yourself.

And now to a few things you haven't asked :)

* Use groovy instead of beanshell whenever possible.

* Don't use ${...} inside JSR223 or other Shell Samplers. Use
vars.get("...") instead

* Instead of

    Failure = false;
    if (oResp.getStatus() != 0) {
        Failure = true;

    }

 you could use

    Failure = oResp.getStatus() != 0;

or if you feel groovy: Failure = oResp.status != 0


>
> Is anyone familiar with this test plan, and gotten it working?

Note, that I have no OCSP server and thus have not tried to get it
really working.

Felix

>
> Thanks,
> Jim


Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi,

Hmm. It seems like the example test plan isn't as complete as I had hoped :(....

FYI, I think the reference to "the public key infrastructure" is to another bouncycastle package, "bcpkix-jdk15on-162.jar".

FYI, I am going to try to get this working/debug this as a Java app first, and then I can try to make a groovy version after that, once it is clean. I'm hoping that that makes it easier for me, initially.


I will post back in a bit...

Jim




Re: Help get OCSP responder load test working?

Felix Schumacher


On 1 July 2019 at 21:49:37 CEST, [hidden email] wrote:
> Hi,
>
>Hmm. It seems like the example test plan isn't as complete as I had
>hoped :(....
>
>FYI, I think the reference to "the public key infrastructure" is to
>another bouncycastle package, "bcpkix-jdk15on-162.jar".

Seems sensible.

>
>FYI, I am going to try to get this working/debug this as a Java app
>first, and then I can try to make a groovy version after that, once it
>is clean. I'm hoping that that makes it easier for me, initially.

Small steps is a good way to go.

>
>
>I will post back in a bit...

Great
 Felix

>
>Jim
>
>
>

Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi,

This Java app:

import java.io.*;
import java.math.BigInteger;
import java.security.Security;
import java.util.*;
import org.bouncycastle.cert.*;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.asn1.*;
import org.bouncycastle.openssl.*;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.util.io.pem.*;
import org.bouncycastle.pkcs.*;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;


public class jmeterdebug1 {

    public static void main(String[] args) {

        String BC = "BC"; //"${securityProvider}";
        String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
        try {
            // Read the certificate from the PEM file
            Reader fR = new BufferedReader(new FileReader(fName));
            PEMParser pPar = new PEMParser(fR);

            X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();

            // Register the Bouncy Castle provider named by BC
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();

            // Certificate ID (SHA-1 hashes plus serial number) for the request
            CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());

            // Build the OCSP request and DER-encode it
            OCSPReqBuilder oRB = new OCSPReqBuilder();
            oRB.addRequest(cId);
            OCSPReq oReq = oRB.build();

            byte[] asn1seq = oReq.getEncoded();

            // Decode the DER bytes as text using the platform default charset
            String sb = new String(asn1seq);

            System.out.println("sb=[" + sb + "]");

        } catch (Exception e) {
            System.out.println("*** ERROR ** [" + e + "]");
            e.printStackTrace();
        }

        //sampler.getArguments().getArgument(0).setValue(sb);

    }

}


Outputs:

sb=[0B0@0>0<0:0 +


So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??


So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?

Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?



Thanks,
Jim


Re: Help get OCSP responder load test working?

sbos-61
Hi Ohaya,

I did such a test a few years ago; unfortunately I do not have the script at hand.
Also, probably most releases have changed in the meantime.

What I remember is that I needed to get an understanding of the bouncy castle libraries, AND an extensive rewriting of the script, even
if the general setup was useful as a guidance.

Especially, the result checking was quite bugged.

HTH
Sergio

--

Ing. Sergio Boso





Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
  This is what I am using/trying in the Beanshell preprocessor:

import java.io.*;
import java.math.BigInteger;
import java.util.*;
import org.bouncycastle.cert.*;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.asn1.*;
import org.bouncycastle.openssl.*;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.util.io.pem.*;
import org.bouncycastle.pkcs.*;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import java.security.Security;

String BC = "${securityProvider}";
String fName = "${certpath}";

Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
OCSPReqBuilder oRB = new OCSPReqBuilder();
oRB.addRequest(cId);
OCSPReq oReq = oRB.build();
byte[] asn1seq = oReq.getEncoded();
String sb = new String(asn1seq);
sampler.getArguments().getArgument(0).setValue(sb);

But when I run the Jmeter test, I am getting the following on the OCSP responder (the server side):

2019-07-01 17:20:25,625 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) Reading Configuration: AVAILABLE_PROTOCOLS
2019-07-01 17:20:25,633 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) No default GlobalConfiguration exists. Creating a new one.
2019-07-01 17:20:25,633 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-1) Access to service OCSP is allowed. HTTP request http://127.0.0.1:8080/ejbca/publicweb/status/ocsp is let through.
2019-07-01 17:20:25,634 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) >checkAndGetRequestBytes. Received POST request with content length: 0 from 127.0.0.1
2019-07-01 17:20:25,634 INFO  [org.ejbca.ui.web.LimitLengthASN1Reader] (default task-1) Not a sequence on top level. Tag was 31.
2019-07-01 17:20:25,635 INFO  [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.
2019-07-01 17:20:25,635 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.: org.cesecore.certificates.ocsp.exception.MalformedRequestException: Not a sequence on top level. Tag was 31.
        at org.ejbca.ui.web.LimitLengthASN1Reader.readFirstASN1Object(LimitLengthASN1Reader.java:109)
        at org.ejbca.ui.web.protocol.OCSPServlet.checkAndGetRequestBytes(OCSPServlet.java:428)
        at org.ejbca.ui.web.protocol.OCSPServlet.processOcspRequest(OCSPServlet.java:251)
        at org.ejbca.ui.web.protocol.OCSPServlet.doPost(OCSPServlet.java:191)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)


So, it looks like Jmeter is not sending the BODY (the contents of "sb" from the Preprocessor?)?

Is there something else that I am missing to cause the output from the preprocessor to be used as the POST BODY?

Thanks,
Jim
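
An added example, not part of the thread and not the blog's test plan: the script above passes the DER bytes through `new String(...)`, and the responder log reports a zero-length POST. This JDK-only program posts a constructed DER sample to a local stub (the `inspect` check is a hypothetical stand-in for a responder's first parse step) as raw bytes, as bytes round-tripped through a String, and as an empty body; `application/ocsp-request` is the content type RFC 6960 defines for OCSP over HTTP POST.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Added example, not code from the thread. Needs Java 9+ (InputStream.readAllBytes).
public class OcspPostBodyDemo {

    // Constructed sample, not a real OCSP request: a DER SEQUENCE wrapping an
    // OCTET STRING that holds bytes >= 0x80, as the hash fields of a CertID do.
    static final byte[] SAMPLE_DER = {
        0x30, 0x08, 0x04, 0x06,
        (byte) 0x9A, (byte) 0xF3, 0x00, (byte) 0xC1, 0x7F, (byte) 0x80
    };

    // Hypothetical stand-in for a responder's first look at the POST body:
    // content type, top-level SEQUENCE tag, and declared versus received length.
    static String inspect(String contentType, byte[] b) {
        if (!"application/ocsp-request".equals(contentType)) {
            return "rejected: unexpected Content-Type " + contentType;
        }
        if (b.length < 2) {
            return "rejected: body too short (" + b.length + " bytes)";
        }
        if ((b[0] & 0xFF) != 0x30) {
            return "rejected: top-level tag is not SEQUENCE";
        }
        int len = b[1] & 0xFF;
        int hdr = 2;
        if (len >= 0x80) {                    // long form: low 7 bits count the length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3 || b.length < 2 + n) {
                return "rejected: bad length encoding";
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (b[2 + i] & 0xFF);
            }
            hdr = 2 + n;
        }
        int received = b.length - hdr;
        return received == len
            ? "accepted: SEQUENCE with " + len + " content bytes"
            : "rejected: SEQUENCE declares " + len + " content bytes, received " + received;
    }

    // POST the body exactly as given: the bytes are written to the stream
    // without any text encoding step in between.
    static String post(URL url, byte[] body) throws Exception {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        con.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = con.getOutputStream()) {
            out.write(body);
        }
        try (InputStream in = con.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Local stub on an ephemeral loopback port, so the demo runs offline.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ocsp", exchange -> {
            byte[] body = exchange.getRequestBody().readAllBytes();
            String type = exchange.getRequestHeaders().getFirst("Content-Type");
            byte[] reply = inspect(type, body).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, reply.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(reply);
            }
        });
        server.start();
        try {
            URL url = URI.create(
                "http://127.0.0.1:" + server.getAddress().getPort() + "/ocsp").toURL();

            System.out.println("raw DER bytes   -> " + post(url, SAMPLE_DER));

            // new String(bytes) without a charset uses the platform default;
            // UTF-8 is named here so the result is the same on every machine.
            byte[] viaString = new String(SAMPLE_DER, StandardCharsets.UTF_8)
                .getBytes(StandardCharsets.UTF_8);
            System.out.println("via new String  -> " + post(url, viaString));

            System.out.println("empty body      -> " + post(url, new byte[0]));
        } finally {
            server.stop(0);
        }
    }
}
```

Only the raw-bytes POST is accepted by the stub: decoding replaces every byte sequence that is not valid UTF-8, so the re-encoded body no longer matches the length declared in the SEQUENCE header.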






Re: Help get OCSP responder load test working?

sbos-61
You may need to install and use Wireshark to debug the packet exchange:
https://www.wireshark.org/#download

I'm very sorry, but I have no time to debug your script (and this would be a huge task, anyway)

regards

Sergio
Il 01/07/2019 23:22, o haya ha scritto:

>    This is what I am using/trying in the Beanshell preprocessor:
> import java.io.*;import java.math.BigInteger;import java.util.*;import org.bouncycastle.cert.*;import org.bouncycastle.cert.ocsp.CertificateID;import org.bouncycastle.cert.ocsp.OCSPReq;import org.bouncycastle.cert.ocsp.OCSPReqBuilder;import org.bouncycastle.asn1.*;import org.bouncycastle.openssl.*;import org.bouncycastle.openssl.PEMParser;import org.bouncycastle.util.io.pem.*;import org.bouncycastle.pkcs.*;import org.bouncycastle.operator.DigestCalculatorProvider;import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
> import java.security.Security;
> String BC = "${securityProvider}";String fName = "${certpath}";
> Reader fR = new BufferedReader(new FileReader(fName));PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReqBuilder oRB = new OCSPReqBuilder();oRB.addRequest(cId);OCSPReq oReq = oRB.build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq);
> sampler.getArguments().getArgument(0).setValue(sb);
>
> But when I run the Jmeter test, I am getting the following on the OCSP responder (the server side):
>
> 2019-07-01 17:20:25,625 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) Reading Configuration: AVAILABLE_PROTOCOLS2019-07-01 17:20:25,633 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) No default GlobalConfiguration exists. Creating a new one.2019-07-01 17:20:25,633 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-1) Access to service OCSP is allowed. HTTP request http://127.0.0.1:8080/ejbca/publicweb/status/ocsp is let through.2019-07-01 17:20:25,634 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) >checkAndGetRequestBytes. Received POST request with content length: 0 from 127.0.0.12019-07-01 17:20:25,634 INFO  [org.ejbca.ui.web.LimitLengthASN1Reader] (default task-1) Not a sequence on top level. Tag was 31.2019-07-01 17:20:25,635 INFO  [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.2019-07-01 17:20:25,635 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.: org.cesecore.certificates.ocsp.exception.MalformedRequestException: Not a sequence on top level. Tag was 31.        at org.ejbca.ui.web.LimitLengthASN1Reader.readFirstASN1Object(LimitLengthASN1Reader.java:109)        at org.ejbca.ui.web.protocol.OCSPServlet.checkAndGetRequestBytes(OCSPServlet.java:428)        at org.ejbca.ui.web.protocol.OCSPServlet.processOcspRequest(OCSPServlet.java:251)        at org.ejbca.ui.web.protocol.OCSPServlet.doPost(OCSPServlet.java:191)        at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)
>
>
> So, it looks like Jmeter is not sending the BODY (the contents of "sb" from the Preprocessor?)?
>
> Is there something else that I am missing to cause the output from the preprocessor to be used as the POST BODY?
> Thanks,Jim
>
>
>
>
>
>      On Monday, July 1, 2019, 08:59:45 PM UTC, Sergio Boso <[hidden email]> wrote:
>  
>   Hi Ohaya,
>
> I did such a test few years ago, unfortunately I do not have the script at hand.
> Also, probably most releases have changed in the meantime.
>
> What I remember is that I needed to get understanding of the bouncy castle libraries, AND an extensive rewriting of the script, even
> of the general setup was useful as a guidance.
>
> Especially, the result checking was quite bugged.
>
> HTH
> Sergio
>
> Il 01/07/2019 21:49, [hidden email] ha scritto:
>>    Hi,
>>
>> Hmm. It seems like the example test plan isn't as complete as I had hoped :(....
>>
>> FYI, I think the reference to "the public key infrastructure" is to another bouncycastle package, "bcpkix-jdk15on-162.jar".
>>
>> FYI, I am going to try to get this working/debug this as a Java app first, and then I can try to make a groovy version after that, once it is clean. I'm hoping that that makes it easier for me, initially.
>>
>>
>> I will post back in a bit...
>>
>> Jim
>>
>>
>>
>>        On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher <[hidden email]> wrote:
>>    
>>    
>> Am 01.07.19 um 19:16 schrieb [hidden email]:
>>> Hi,
>>>
>>> I am trying to implement a Jmeter load test for an OCSP responder, and I found this page, but haven't been able to get it working:
>>>
>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>
>>> - The first problem that I ran into is where it says "2. Download the public key infrastructure and provider ".  The link for the "provider" works and allows me to download "bcprov-jdk15on-156.jar", but I am not sure what the "the public key infrastructure" is supposed to download?
>> I think that the "public key infrastructure" means your certificates. If
>> you download the bouncycastle provider, you probably should take the
>> newest version of it: https://bouncycastle.org/latest_releases.html
>>> - Also, for the HTTP Request element, it says "The URL of the responder is defined in the variable section of the script.", but I am not sure what it is referring to when it says "the variable section of the script"?
>> I guess that the "user defined variables" table on the test plan (root)
>> element is meant. But on the other hand, the text misses to add a
>> variable reference on the http sampler (my guess is, that it is hidden
>> in the http defaults element, that are not described further in the
>> text), so you are free to add your URL to the http sampler yourself.
>>
>> And now to a few things you haven't asked :)
>>
>> * Use groovy instead of beanshell whenever possible.
>>
>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>> vars.get("...") instead
>>
>> * Instead of
>>
>>        Failure = false;
>>        if (oResp.getStatus() != 0) {
>>            Failure = true;
>>
>>        }
>>
>>     you could use
>>
>>        Failure = oResp.getStatus() != 0;
>>
>> or if you feel groovy: Failure = oResp.status != 0
>>
>>
>>> Is anyone familiar with this test plan, and gotten it working?
>> Note, that I have no OCSP server and thus have not tried to get it
>> really working.
>>
>> Felix
>>
>>> Thanks,
>>> Jim
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]



Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Sergio,

No problem! I will struggle through this, hopefully :)...

Actually, I may try to switch to a different approach, like maybe have the Jmeter test run an "openssl ocsp..." command line instead of doing this in code. This is supposed to be a "quicky", but it seems like it is not turning out that way.

Thanks again!

Jim


     On Monday, July 1, 2019, 5:31:05 PM EDT, Sergio Boso <[hidden email]> wrote:  
 
 You may need to install and use Wireshark to debug the packet exchange:
https://www.wireshark.org/#download

I'm very sorry, but I have no time to debug your script (and this would be a huge task, anyway)

regards

Sergio
Il 01/07/2019 23:22, o haya ha scritto:

>   This is what I am using/trying in the Beanshell preprocessor:
> import java.io.*;
> import java.math.BigInteger;
> import java.util.*;
> import org.bouncycastle.cert.*;
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.asn1.*;
> import org.bouncycastle.openssl.*;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.util.io.pem.*;
> import org.bouncycastle.pkcs.*;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
> import java.security.Security;
>
> String BC = "${securityProvider}";
> String fName = "${certpath}";
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
> Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReqBuilder oRB = new OCSPReqBuilder();
> oRB.addRequest(cId);
> OCSPReq oReq = oRB.build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq);
> sampler.getArguments().getArgument(0).setValue(sb);
>
> But when I run the Jmeter test, I am getting the following on the OCSP responder (the server side):
>
> 2019-07-01 17:20:25,625 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) Reading Configuration: AVAILABLE_PROTOCOLS
> 2019-07-01 17:20:25,633 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-1) No default GlobalConfiguration exists. Creating a new one.
> 2019-07-01 17:20:25,633 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-1) Access to service OCSP is allowed. HTTP request http://127.0.0.1:8080/ejbca/publicweb/status/ocsp is let through.
> 2019-07-01 17:20:25,634 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) >checkAndGetRequestBytes. Received POST request with content length: 0 from 127.0.0.1
> 2019-07-01 17:20:25,634 INFO  [org.ejbca.ui.web.LimitLengthASN1Reader] (default task-1) Not a sequence on top level. Tag was 31.
> 2019-07-01 17:20:25,635 INFO  [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.
> 2019-07-01 17:20:25,635 DEBUG [org.ejbca.ui.web.protocol.OCSPServlet] (default task-1) Error processing OCSP request. Message: Not a sequence on top level. Tag was 31.: org.cesecore.certificates.ocsp.exception.MalformedRequestException: Not a sequence on top level. Tag was 31.
>         at org.ejbca.ui.web.LimitLengthASN1Reader.readFirstASN1Object(LimitLengthASN1Reader.java:109)
>         at org.ejbca.ui.web.protocol.OCSPServlet.checkAndGetRequestBytes(OCSPServlet.java:428)
>         at org.ejbca.ui.web.protocol.OCSPServlet.processOcspRequest(OCSPServlet.java:251)
>         at org.ejbca.ui.web.protocol.OCSPServlet.doPost(OCSPServlet.java:191)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)
>
>
> So, it looks like Jmeter is not sending the BODY (the contents of "sb" from the Preprocessor?)?
>
> Is there something else that I am missing to cause the output from the preprocessor to be used as the POST BODY?
> Thanks,
> Jim
>
>
>
>
>
>      On Monday, July 1, 2019, 08:59:45 PM UTC, Sergio Boso <[hidden email]> wrote:

>  Hi Ohaya,
>
> I did such a test few years ago, unfortunately I do not have the script at hand.
> Also, probably most releases have changed in the meantime.
>
> What I remember is that I needed to get understanding of the bouncy castle libraries, AND an extensive rewriting of the script, even
> if the general setup was useful as a guidance.
>
> Especially, the result checking was quite bugged.
>
> HTH
> Sergio
>
> Il 01/07/2019 21:49, [hidden email] ha scritto:
>>    Hi,
>>
>> Hmm. It seems like the example test plan isn't as complete as I had hoped :(....
>>
>> FYI, I think the reference to "the public key infrastructure" is to another bouncycastle package, "bcpkix-jdk15on-162.jar".
>>
>> FYI, I am going to try to get this working/debug this as a Java app first, and then I can try to make a groovy version after that, once it is clean. I'm hoping that that makes it easier for me, initially.
>>
>>
>> I will post back in a bit...
>>
>> Jim
>>
>>
>>
>>        On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher <[hidden email]> wrote:
>>   
>>   
>> Am 01.07.19 um 19:16 schrieb [hidden email]:
>>> Hi,
>>>
>>> I am trying to implement a Jmeter load test for an OCSP responder, and I found this page, but haven't been able to get it working:
>>>
>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>
>>> - The first problem that I ran into is where it says "2. Download the public key infrastructure and provider ".  The link for the "provider" works and allows me to download "bcprov-jdk15on-156.jar", but I am not sure what the "the public key infrastructure" is supposed to download?
>> I think that the "public key infrastructure" means your certificates. If
>> you download the bouncycastle provider, you probably should take the
>> newest version of it: https://bouncycastle.org/latest_releases.html
>>> - Also, for the HTTP Request element, it says "The URL of the responder is defined in the variable section of the script.", but I am not sure what it is referring to when it says "the variable section of the script"?
>> I guess that the "user defined variables" table on the test plan (root)
>> element is meant. But on the other hand, the text misses to add a
>> variable reference on the http sampler (my guess is, that it is hidden
>> in the http defaults element, that are not described further in the
>> text), so you are free to add your URL to the http sampler yourself.
>>
>> And now to a few things you haven't asked :)
>>
>> * Use groovy instead of beanshell whenever possible.
>>
>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>> vars.get("...") instead
>>
>> * Instead of
>>
>>        Failure = false;
>>        if (oResp.getStatus() != 0) {
>>            Failure = true;
>>
>>        }
>>
>>     you could use
>>
>>        Failure = oResp.getStatus() != 0;
>>
>> or if you feel groovy: Failure = oResp.status != 0
>>
>>
>>> Is anyone familiar with this test plan, and gotten it working?
>> Note, that I have no OCSP server and thus have not tried to get it
>> really working.
>>
>> Felix
>>
>>> Thanks,
>>> Jim
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]



Re: Help get OCSP responder load test working?

Felix Schumacher
In reply to this post by ohaya@yahoo.com.INVALID
I think I have got the example working. I attached a jmx file and a cert
to this mail and maybe we are lucky and the mailing list doesn't strip
it from the mail.

In case it does:

Add the variable "certpath" to your testplan (either by a csv datasource
for more than one cert, or via the test plan root element). It should
point to your x509 certificates path.

Add a HTTP Sampler with method POST, the "Body Data" tab selected and
filled with "${ocspReq}".

Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
with the following content:

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.Reader;

import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

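// Path to the PEM certificate, taken from the JMeter variable "certpath"
String fName = vars.get("certpath");
Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
pPar.close(); // release the file handle; this script runs once per sample
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
// CertificateID(digest, issuerCert, serial): the certificate passed as the second argument is hashed as the issuer
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
byte[] asn1seq = oReq.getEncoded();
// ISO-8859-1 maps every byte to exactly one char, so the DER bytes survive the trip through a String
String sb = new String(asn1seq, "ISO-8859-1");
vars.put("ocspReq", sb);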

Add a JSR223 Assertion to the sampler (set to groovy, again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();
OCSPResp oResp = new OCSPResp(instream);
assert oResp.getStatus() == 0

Add a Header Manager to the sampler with the following set:

Content-Type    application/ocsp-request
Accept    application/ocsp-response

It seemed to work for me (famous last words)

One important change was to use "ISO-8859-1" for the encoding of the string.

Felix

Am 01.07.19 um 22:42 schrieb [hidden email]:

>  Hi,
>
> This Java app:
>
> import java.io.*;
> import java.math.BigInteger;
> import java.security.Security;
> import java.util.*;
> import org.bouncycastle.cert.*;
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.asn1.*;
> import org.bouncycastle.openssl.*;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.util.io.pem.*;
> import org.bouncycastle.pkcs.*;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
>
> public class jmeterdebug1 {
>
>  public static void main(String[] args) {
>  // TODO Auto-generated method stub
>  
>  
>  String BC = "BC"; //"${securityProvider}";
>  String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>  try {
>  Reader fR = new BufferedReader(new FileReader(fName));
>  PEMParser pPar = new PEMParser(fR);
>
>  X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>
>  Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>
>  DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>
>  CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>
>  OCSPReqBuilder oRB = new OCSPReqBuilder();
>  oRB.addRequest(cId);
>  OCSPReq oReq = oRB.build();
>
>  byte[] asn1seq = oReq.getEncoded();
>  
>  String sb = new String(asn1seq);
>  
>  System.out.println("sb=[" + sb + "]");
>  
>  } catch (Exception e) {
>  System.out.println("*** ERROR ** [" + e + "]");
>  e.printStackTrace();
>  }
>  
>  //sampler.getArguments().getArgument(0).setValue(sb);
>  
>  
>
>  }
>
> }
>
>
> Outputs:
>
> sb=[0B0@0>0<0:0 +
>
>
> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>
>
> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>
> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>
>
>
> Thanks,
> Jim
>
>      On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote:  
>  
>  
>
> Am 1. Juli 2019 21:49:37 MESZ schrieb [hidden email]:
>> Hi,
>>
>> Hmm. It seems like the example test plan isn't as complete as I had
>> hoped :(....
>>
>> FYI, I think the reference to "the public key infrastructure" is to
>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
> Seems sensible.
>
>> FYI, I am going to try to get this working/debug this as a Java app
>> first, and then I can try to make a groovy version after that, once it
>> is clean. I'm hoping that that makes it easier for me, initially.
> Small steps is a good way to go.
>
>>
>> I will post back in a bit...
> Great
>  Felix
>
>> Jim
>>
>>
>>
>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>> <[hidden email]> wrote: 
>>
>>
>> Am 01.07.19 um 19:16 schrieb [hidden email]:
>>> Hi,
>>>
>>> I am trying to implement a Jmeter load test for an OCSP responder,
>> and I found this page, but haven't been able to get it working:
>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>
>>> - The first problem that I ran into is where it says "2. Download the
>> public key infrastructure and provider ".  The link for the "provider"
>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>> sure what the "the public key infrastructure" is supposed to download?
>> I think that the "public key infrastructure" means your certificates.
>> If
>> you download the bouncycastle provider, you probably should take the
>> newest version of it: https://bouncycastle.org/latest_releases.html
>>> - Also, for the HTTP Request element, it says "The URL of the
>> responder is defined in the variable section of the script.", but I am
>> not sure what it is referring to when it says "the variable section of
>> the script"?
>>
>> I guess that the "user defined variables" table on the test plan (root)
>> element is meant. But on the other hand, the text misses to add a
>> variable reference on the http sampler (my guess is, that it is hidden
>> in the http defaults element, that are not described further in the
>> text), so you are free to add your URL to the http sampler yourself.
>>
>> And now to a few things you haven't asked :)
>>
>> * Use groovy instead of beanshell whenever possible.
>>
>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>> vars.get("...") instead
>>
>> * Instead of
>>
>>     Failure = false;
>>     if (oResp.getStatus() != 0) {
>>         Failure = true;
>>
>>     }
>>
>>  you could use
>>
>>     Failure = oResp.getStatus() != 0;
>>
>> or if you feel groovy: Failure = oResp.status != 0
>>
>>
>>> Is anyone familiar with this test plan, and gotten it working?
>> Note, that I have no OCSP server and thus have not tried to get it
>> really working.
>>
>> Felix
>>
>>> Thanks,
>>> Jim
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>  
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>  



www_digicert_com.crt (4K) Download Attachment
ocsp.jmx (9K) Download Attachment
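
The assertion in the post above checks only the outer OCSP responseStatus, which says the responder produced an answer and nothing about the certificate itself. As an added example that is not part of the original post or of the attached test plan, this JSR223 Assertion (Groovy) reads the per-certificate status from the BouncyCastle response object; it relies on the JMeter bindings ctx, vars, log and AssertionResult, and the variable name expectedStatus is an assumption made here.

```groovy
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.CertificateStatus
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp
import org.bouncycastle.cert.ocsp.UnknownStatus

// Readable name for the outer responseStatus (RFC 6960).
String responseStatusName(int status) {
    switch (status) {
        case OCSPResp.SUCCESSFUL:        return "successful"
        case OCSPResp.MALFORMED_REQUEST: return "malformedRequest"
        case OCSPResp.INTERNAL_ERROR:    return "internalError"
        case OCSPResp.TRY_LATER:         return "tryLater"
        case OCSPResp.SIG_REQUIRED:      return "sigRequired"
        case OCSPResp.UNAUTHORIZED:      return "unauthorized"
        default:                         return "status " + status
    }
}

// Readable name for the certStatus of one SingleResponse.
String certStatusName(CertificateStatus cs) {
    if (cs == CertificateStatus.GOOD) return "good"   // BouncyCastle represents "good" as null
    if (cs instanceof RevokedStatus)  return "revoked"
    if (cs instanceof UnknownStatus)  return "unknown"
    return "unrecognised"
}

// Parse the DER response and return one entry per certificate the responder answered for.
// Only status fields are read; the response signature is NOT verified here
// (BasicOCSPResp.isSignatureValid does that), which a relying party would have to do.
List<Map> certStatuses(byte[] der) {
    OCSPResp resp = new OCSPResp(der)                 // throws IOException on malformed DER
    if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
        throw new IllegalStateException("responseStatus is " + responseStatusName(resp.getStatus()))
    }
    Object body = resp.getResponseObject()
    if (!(body instanceof BasicOCSPResp)) {
        throw new IllegalStateException("response carries no BasicOCSPResponse")
    }
    return ((BasicOCSPResp) body).getResponses().collect { SingleResp single ->
        CertificateStatus cs = single.getCertStatus()
        return [serial   : single.getCertID().getSerialNumber(),
                status   : certStatusName(cs),
                revokedAt: (cs instanceof RevokedStatus) ? cs.getRevocationTime() : null]
    }
}

// Status this sample is expected to return: "good", "revoked" or "unknown".
// "expectedStatus" is a hypothetical JMeter variable; without it the check expects "revoked".
String expected = vars.get("expectedStatus") ?: "revoked"

try {
    List<Map> statuses = certStatuses(ctx.getPreviousResult().getResponseData())
    log.info("OCSP certStatus entries: " + statuses)
    if (statuses.isEmpty() || statuses.any { it.status != expected }) {
        AssertionResult.setFailure(true)
        AssertionResult.setFailureMessage("expected certStatus " + expected + ", got " + statuses)
    }
} catch (Exception e) {
    // Malformed DER, a non-successful responseStatus or a missing body all fail the sample.
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage("OCSP response not usable: " + e.getMessage())
}
```

The raw response bytes are DER and contain no text such as "revoked", so the comparison has to be made on the parsed certStatus rather than on the response string.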

Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi,

Wow! Thanks! I will give this a try a little later and post back.

Thanks,
Jim


     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote:  
 
 I think I have got the example working. I attached a jmx file and a cert
to this mail and maybe we are lucky and the mailing list doesn't strip
it from the mail.

In case it does:

Add the variable "certpath" to your testplan (either by a csv datasource
for more than one cert, or via the test plan root element). It should
point to your x509 certificates path.

Add a HTTP Sampler with method POST, the "Body Data" tab selected and
filled with "${ocspReq}".

Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
with the following content:

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.Reader;

import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

String fName = vars.get("certpath");
Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
byte[] asn1seq = oReq.getEncoded();
String sb = new String(asn1seq, "ISO-8859-1");
vars.put("ocspReq", sb);

Add a JSR223 Assertion to the sampler (set to groovy, again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();
OCSPResp oResp = new OCSPResp(instream);
assert oResp.getStatus() == 0

Add a Header Manager to the sampler with the following set:

Content-Type    application/ocsp-request
Accept    application/ocsp-response

It seemed to work for me (famous last words)

One important change was to use "ISO-8859-1" for the encoding of the string.

Felix

Am 01.07.19 um 22:42 schrieb [hidden email]:

>  Hi,
>
> This Java app:
>
> import java.io.*;
> import java.math.BigInteger;
> import java.security.Security;
> import java.util.*;
> import org.bouncycastle.cert.*;
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.asn1.*;
> import org.bouncycastle.openssl.*;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.util.io.pem.*;
> import org.bouncycastle.pkcs.*;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
>
> public class jmeterdebug1 {
>
>  public static void main(String[] args) {
>  // TODO Auto-generated method stub


>  String BC = "BC"; //"${securityProvider}";
>  String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>  try {
>  Reader fR = new BufferedReader(new FileReader(fName));
>  PEMParser pPar = new PEMParser(fR);
>
>  X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>
>  Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>
>  DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>
>  CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>
>  OCSPReqBuilder oRB = new OCSPReqBuilder();
>  oRB.addRequest(cId);
>  OCSPReq oReq = oRB.build();
>
>  byte[] asn1seq = oReq.getEncoded();

>  String sb = new String(asn1seq);

>  System.out.println("sb=[" + sb + "]");

>  } catch (Exception e) {
>  System.out.println("*** ERROR ** [" + e + "]");
>  e.printStackTrace();
>  }

>  //sampler.getArguments().getArgument(0).setValue(sb);


>
>  }
>
> }
>
>
> Outputs:
>
> sb=[0B0@0>0<0:0 +
>
>
> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>
>
> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>
> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>
>
>
> Thanks,
> Jim
>
>      On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote: 


>
> Am 1. Juli 2019 21:49:37 MESZ schrieb [hidden email]:
>> Hi,
>>
>> Hmm. It seems like the example test plan isn't as complete as I had
>> hoped :(....
>>
>> FYI, I think the reference to "the public key infrastructure" is to
>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
> Seems sensible.
>
>> FYI, I am going to try to get this working/debug this as a Java app
>> first, and then I can try to make a groovy version after that, once it
>> is clean. I'm hoping that that makes it easier for me, initially.
> Small steps is a good way to go.
>
>>
>> I will post back in a bit...
> Great
>  Felix
>
>> Jim
>>
>>
>>
>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>> <[hidden email]> wrote: 
>>
>>
>> Am 01.07.19 um 19:16 schrieb [hidden email]:
>>> Hi,
>>>
>>> I am trying to implement a Jmeter load test for an OCSP responder,
>> and I found this page, but haven't been able to get it working:
>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>
>>> - The first problem that I ran into is where it says "2. Download the
>> public key infrastructure and provider ".  The link for the "provider"
>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>> sure what the "the public key infrastructure" is supposed to download?
>> I think that the "public key infrastructure" means your certificates.
>> If
>> you download the bouncycastle provider, you probably should take the
>> newest version of it: https://bouncycastle.org/latest_releases.html
>>> - Also, for the HTTP Request element, it says "The URL of the
>> responder is defined in the variable section of the script.", but I am
>> not sure what it is referring to when it says "the variable section of
>> the script"?
>>
>> I guess that the "user defined variables" table on the test plan (root)
>> element is meant. But on the other hand, the text misses to add a
>> variable reference on the http sampler (my guess is, that it is hidden
>> in the http defaults element, that are not described further in the
>> text), so you are free to add your URL to the http sampler yourself.
>>
>> And now to a few things you haven't asked :)
>>
>> * Use groovy instead of beanshell whenever possible.
>>
>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>> vars.get("...") instead
>>
>> * Instead of
>>
>>     Failure = false;
>>     if (oResp.getStatus() != 0) {
>>         Failure = true;
>>
>>     }
>>
>>  you could use
>>
>>     Failure = oResp.getStatus() != 0;
>>
>> or if you feel groovy: Failure = oResp.status != 0
>>
>>
>>> Is anyone familiar with this test plan, and gotten it working?
>> Note, that I have no OCSP server and thus have not tried to get it
>> really working.
>>
>> Felix
>>
>>> Thanks,
>>> Jim
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>  
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]


Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi Felix,

Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.

Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!

Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.

Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:

// ADDED TO TRY TO GET RESPONSE INFORMATION...
String responseStream = new String(instream, "ISO-8859-1");
log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");

and in the Jmeter.log I am getting something that looks like DER-encoded information??

I've uploaded a screenshot of the Jmeter logging:
New photo by O haya

Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?
Thanks!
Jim










    On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[hidden email]> wrote:  
 
  Hi,

Wow! Thanks! I will give this a try a little later and post back.

Thanks,
Jim


    On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote: 
 
 I think I have got the example working. I attached a jmx file and a cert
to this mail and maybe we are lucky and the mailing list doesn't strip
it from the mail.

In case it does:

Add the variable "certpath" to your testplan (either by a csv datasource
for more than one cert, or via the test plan root element). It should
point to your x509 certificates path.

Add a HTTP Sampler with method POST, the "Body Data" tab selected and
filled with "${ocspReq}".

Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
with the following content:

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.Reader;

import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

String fName = vars.get("certpath");
Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
byte[] asn1seq = oReq.getEncoded();
String sb = new String(asn1seq, "ISO-8859-1");
vars.put("ocspReq", sb);

Add a JSR223 Assertion to the sampler (set to groovy, again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();
OCSPResp oResp = new OCSPResp(instream);
assert oResp.getStatus() == 0

Add a Header Manager to the sampler with the following set:

Content-Type    application/ocsp-request
Accept    application/ocsp-response

It seemed to work for me (famous last words)

One important change was to use "ISO-8859-1" for the encoding of the string.

Felix

Am 01.07.19 um 22:42 schrieb [hidden email]:

>  Hi,
>
> This Java app:
>
> import java.io.*;
> import java.math.BigInteger;
> import java.security.Security;
> import java.util.*;
> import org.bouncycastle.cert.*;
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.asn1.*;
> import org.bouncycastle.openssl.*;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.util.io.pem.*;
> import org.bouncycastle.pkcs.*;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
>
> public class jmeterdebug1 {
>
>  public static void main(String[] args) {
>  // TODO Auto-generated method stub


>  String BC = "BC"; //"${securityProvider}";
>  String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>  try {
>  Reader fR = new BufferedReader(new FileReader(fName));
>  PEMParser pPar = new PEMParser(fR);
>
>  X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>
>  Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>
>  DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>
>  CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>
>  OCSPReqBuilder oRB = new OCSPReqBuilder();
>  oRB.addRequest(cId);
>  OCSPReq oReq = oRB.build();
>
>  byte[] asn1seq = oReq.getEncoded();

>  String sb = new String(asn1seq);

>  System.out.println("sb=[" + sb + "]");

>  } catch (Exception e) {
>  System.out.println("*** ERROR ** [" + e + "]");
>  e.printStackTrace();
>  }

>  //sampler.getArguments().getArgument(0).setValue(sb);


>
>  }
>
> }
>
>
> Outputs:
>
> sb=[0B0@0>0<0:0 +
>
>
> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>
>
> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>
> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>
>
>
> Thanks,
> Jim
>
>      On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote: 


>
> Am 1. Juli 2019 21:49:37 MESZ schrieb [hidden email]:
>> Hi,
>>
>> Hmm. It seems like the example test plan isn't as complete as I had
>> hoped :(....
>>
>> FYI, I think the reference to "the public key infrastructure" is to
>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
> Seems sensible.
>
>> FYI, I am going to try to get this working/debug this as a Java app
>> first, and then I can try to make a groovy version after that, once it
>> is clean. I'm hoping that that makes it easier for me, initially.
> Small steps is a good way to go.
>
>>
>> I will post back in a bit...
> Great
>  Felix
>
>> Jim
>>
>>
>>
>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>> <[hidden email]> wrote: 
>>
>>
>> Am 01.07.19 um 19:16 schrieb [hidden email]:
>>> Hi,
>>>
>>> I am trying to implement a Jmeter load test for an OCSP responder,
>> and I found this page, but haven't been able to get it working:
>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>
>>> - The first problem that I ran into is where it says "2. Download the
>> public key infrastructure and provider ".  The link for the "provider"
>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>> sure what the "the public key infrastructure" is supposed to download?
>> I think that the "public key infrastructure" means your certificates.
>> If
>> you download the bouncycastle provider, you probably should take the
>> newest version of it: https://bouncycastle.org/latest_releases.html
>>> - Also, for the HTTP Request element, it says "The URL of the
>> responder is defined in the variable section of the script.", but I am
>> not sure what it is referring to when it says "the variable section of
>> the script"?
>>
>> I guess that the "user defined variables" table on the test plan (root)
>> element is meant. But on the other hand, the text misses to add a
>> variable reference on the http sampler (my guess is, that it is hidden
>> in the http defaults element, that are not described further in the
>> text), so you are free to add your URL to the http sampler yourself.
>>
>> And now to a few things you haven't asked :)
>>
>> * Use groovy instead of beanshell whenever possible.
>>
>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>> vars.get("...") instead
>>
>> * Instead of
>>
>>     Failure = false;
>>     if (oResp.getStatus() != 0) {
>>         Failure = true;
>>
>>     }
>>
>>  you could use
>>
>>     Failure = oResp.getStatus() != 0;
>>
>> or if you feel groovy: Failure = oResp.status != 0
>>
>>
>>> Is anyone familiar with this test plan, and gotten it working?
>> Note, that I have no OCSP server and thus have not tried to get it
>> really working.
>>
>> Felix
>>
>>> Thanks,
>>> Jim
>>>

Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi Felix,
Also, here is the code you posted, but slightly modified so that it uses a certificate serial number in Hex when it builds the cId (this code so far only tests the conversion of the hex-ascii serial number to integer, and uses that integer serial number to call).
I am testing this because, eventually, the test plan I need will take in a CSV with a bunch of cert serial numbers and send OCSP requests for those.
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.Reader;

import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

String fName = vars.get("certpath");
Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();

String certSerialNumber = obj.getSerialNumber();
log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");

// Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...
// This is a precursor to using a CSV file with Hex cert serial numbers
int numericSerialNumber = Integer.valueOf( "35C1", 16);
log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");

//CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);

OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
byte[] asn1seq = oReq.getEncoded();
String sb = new String(asn1seq, "ISO-8859-1");
vars.put("ocspReq", sb);

    On Wednesday, July 3, 2019, 11:49:51 AM UTC, [hidden email] <[hidden email]> wrote:  
 
  Hi Felix,

Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.

Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!

Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.

Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:

// ADDED TO TRY TO GET RESPONSE INFORMATION...
String responseStream = new String(instream, "ISO-8859-1");
log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
and in the Jmeter.log I am getting something that looks like DER-encoded information??
I've uploaded a screenshot of the Jmeter logging:

Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?
Thanks!
Jim

    On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[hidden email]> wrote: 
 
  Hi,

Wow! Thanks! I will give this a try a little later and post back.

Thanks,
Jim


    On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote: 
 
 I think I have got the example working. I attached a jmx file and a cert
to this mail and maybe we are lucky and the mailing list doesn't strip
it from the mail.

In case it does:

Add the variable "certpath" to your testplan (either by a CSV datasource
for more than one cert, or via the test plan root element). It should
point to your x509 certificates path.

Add a HTTP Sampler with method POST, the "Body Data" tab selected and
filled with "${ocspReq}".

Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
with the following content:

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.Reader;

import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

String fName = vars.get("certpath");
// Read the first PEM object from the file as an X.509 certificate
Reader fR = new BufferedReader(new FileReader(fName));
PEMParser pPar = new PEMParser(fR);
X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
// Identify the certificate by SHA-1 issuer hashes plus serial number
CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
byte[] asn1seq = oReq.getEncoded();
// ISO-8859-1 maps each byte to one char, so the DER bytes are kept unchanged
String sb = new String(asn1seq, "ISO-8859-1");
vars.put("ocspReq", sb);

Add a JSR223 Assertion to the sampler (set to groovy, again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();
OCSPResp oResp = new OCSPResp(instream);
assert oResp.getStatus() == 0

Add a Header Manager to the sampler with the following set:

Content-Type    application/ocsp-request
Accept    application/ocsp-response

It seemed to work for me (famous last words)

One important change was to use "ISO-8859-1" for the encoding of the string.

Felix


Re: Help get OCSP responder load test working?

Felix Schumacher
In reply to this post by ohaya@yahoo.com.INVALID

Am 03.07.19 um 13:49 schrieb [hidden email]:

>  Hi Felix,
>
> Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
> and in the Jmeter.log I am getting something that looks like DER-encoded information??
> I've uploaded a screenshot of the Jmeter logging:

Why did you try to add a screenshot? Why not copy the text here? Images
are almost always stripped by the mailing list manager, as in this case.

Have you tried to get the responseObject from the OCSPResp with
rResp.getResponseObject() and looked at that for more information? In my
case it resulted in a BasicOCSPResp Object, which had more methods,
which could be useful to explore.


> Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?

A simple way would be to use a regex match in the groovy assertion like
'assert responseStream =~ /revoked|Revocation/'

But even better would be to work the API for the real method to get that
information. Otherwise you might report all certificates for a cert with
revoked in its name as revoked.

Felix
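
Reading the certificate status through the BouncyCastle API, as suggested in the reply above, instead of pattern-matching the raw response bytes: this is an added example, not code from the thread. It is written as a JSR223 Assertion in Groovy; the JMeter variable `expectedStatus` is an assumption (set it in the test plan or a CSV column) and defaults to `revoked`.

```groovy
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp
import org.bouncycastle.cert.ocsp.UnknownStatus

// Map a SingleResp to a status name. BouncyCastle represents "good"
// as a null CertificateStatus (CertificateStatus.GOOD is null).
String statusName(SingleResp single) {
    def status = single.getCertStatus()
    if (status == null) return "good"
    if (status instanceof RevokedStatus) return "revoked"
    if (status instanceof UnknownStatus) return "unknown"
    return "unrecognised"
}

// Returns null when every SingleResponse has the expected status,
// otherwise a message describing the first mismatch.
// Not checked here: the responder's signature and thisUpdate/nextUpdate.
String checkOcsp(byte[] body, String expected) {
    try {
        OCSPResp oResp = new OCSPResp(body)
        // responseStatus only says that the responder could answer;
        // the per-certificate status is inside the BasicOCSPResp.
        if (oResp.getStatus() != OCSPResp.SUCCESSFUL) {
            return "OCSP responseStatus=" + oResp.getStatus() + " (not successful)"
        }
        def payload = oResp.getResponseObject()
        if (!(payload instanceof BasicOCSPResp)) {
            return "response does not contain a BasicOCSPResp"
        }
        SingleResp[] singles = ((BasicOCSPResp) payload).getResponses()
        if (singles.length == 0) {
            return "response carries no SingleResponse"
        }
        for (SingleResp single : singles) {
            String serial = single.getCertID().getSerialNumber().toString(16)
            String actual = statusName(single)
            if (actual != expected) {
                return "serial " + serial + ": expected " + expected + " but got " + actual
            }
            if (single.getCertStatus() instanceof RevokedStatus) {
                RevokedStatus rs = (RevokedStatus) single.getCertStatus()
                log.info("serial " + serial + " revoked at " + rs.getRevocationTime() +
                         (rs.hasRevocationReason() ? ", reason code " + rs.getRevocationReason() : ""))
            }
        }
        return null
    } catch (Exception e) {
        // e.g. an HTML error page returned by an overloaded responder
        return "unparseable OCSP response: " + e
    }
}

String expected = vars.get("expectedStatus") ?: "revoked"   // hypothetical variable name
String problem = checkOcsp(ctx.getPreviousResult().getResponseData(), expected)
if (problem != null) {
    AssertionResult.setFailure(true)
    AssertionResult.setFailureMessage(problem)
}
```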


Re: Help get OCSP responder load test working?

Felix Schumacher
In reply to this post by ohaya@yahoo.com.INVALID

Am 03.07.19 um 14:12 schrieb o haya:

>  Hi Felix,
> Also, here is the code you posted, but slightly modified so that it uses a certificate serial number in Hex when it builds the cId (this code so far only tests the conversion of the hex-ascii serial number to integer, and uses that integer serial number to call).
> I am testing this because, eventually, the test plan I need will take in a CSV with a bunch of cert serial numbers and send OCSP requests for those.
> import java.io.BufferedReader;import java.io.FileReader;import java.io.Reader;
> import org.bouncycastle.cert.ocsp.CertificateID;import org.bouncycastle.cert.ocsp.OCSPReq;import org.bouncycastle.cert.ocsp.OCSPReqBuilder;import org.bouncycastle.cert.X509CertificateHolder;import org.bouncycastle.openssl.PEMParser;import org.bouncycastle.operator.DigestCalculatorProvider;import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
> String fName = vars.get("certpath");Reader fR = new BufferedReader(new FileReader(fName));PEMParser pPar = new PEMParser(fR);X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();DigestCalculatorProvider dCP = newJcaDigestCalculatorProviderBuilder().build();
> String certSerialNumber = obj.getSerialNumber();log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...// This is a precursor to using a CSV file with Hex cert serial numbersint numericSerialNumber = Integer.valueOf( "35C1", 16);log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();byte[] asn1seq = oReq.getEncoded();String sb = new String(asn1seq, "ISO-8859-1");vars.put("ocspReq", sb);

The above code is not really readable :)

If you don't use code in your samplers, remove it. Otherwise it is
probably OK to use the cert IDs directly instead of reading them from
the certs.

Felix
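
Building the request from a hex serial number taken from a CSV row, as discussed in the message above: this is an added example, not code from the thread. It is a JSR223 PreProcessor in Groovy and assumes that `certpath` points to the issuing CA's certificate (the second argument of the `CertificateID` constructor is the issuer certificate); the variable names `serialHex` and `issuerHolder` are hypothetical.

```groovy
import java.nio.charset.StandardCharsets
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.ocsp.CertificateID
import org.bouncycastle.cert.ocsp.OCSPReq
import org.bouncycastle.cert.ocsp.OCSPReqBuilder
import org.bouncycastle.openssl.PEMParser
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder

// Parse a hex serial such as "35C1", "0x35c1" or "00:35:C1" into a BigInteger.
// Certificate serial numbers can be up to 20 bytes long, so int and long are too small.
BigInteger parseSerial(String raw) {
    if (raw == null) {
        throw new IllegalArgumentException("serial number is missing")
    }
    String hex = raw.trim().replaceAll(/[:\s]/, "")
    if (hex.startsWith("0x") || hex.startsWith("0X")) {
        hex = hex.substring(2)
    }
    if (!(hex ==~ /[0-9A-Fa-f]+/)) {
        throw new IllegalArgumentException("not a hex serial number: [" + raw + "]")
    }
    return new BigInteger(hex, 16)
}

// Read the first PEM object of the file; withReader closes the file afterwards.
X509CertificateHolder loadIssuer(String path) {
    def parsed = new File(path).withReader { r -> new PEMParser(r).readObject() }
    if (!(parsed instanceof X509CertificateHolder)) {
        throw new IllegalArgumentException(path + " does not start with a PEM certificate")
    }
    return (X509CertificateHolder) parsed
}

// Parse the issuer certificate once per thread instead of once per sample.
X509CertificateHolder issuer = (X509CertificateHolder) vars.getObject("issuerHolder")
if (issuer == null) {
    issuer = loadIssuer(vars.get("certpath"))
    vars.putObject("issuerHolder", issuer)
}

BigInteger serial = parseSerial(vars.get("serialHex"))   // hypothetical CSV column
def digest = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1)
CertificateID cId = new CertificateID(digest, issuer, serial)
OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build()

// ISO-8859-1 maps every byte value 0..255 to exactly one char, so the DER
// bytes can be carried in a JMeter string variable without being altered.
vars.put("ocspReq", new String(oReq.getEncoded(), StandardCharsets.ISO_8859_1))
```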

>
>
>
>
>
>
>
>     On Wednesday, July 3, 2019, 11:49:51 AM UTC, [hidden email] <[hidden email]> wrote:  
>  
>   Hi Felix,
>
> Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
> and in the Jmeter.log I am getting something that looks like DER-encoded information??
> I've uploaded a screenshot of the Jmeter logging:
> New photo by O haya
>
> |
> |
> |
> |  |  |
>
>  |
>
>  |
> |
> |  |
> New photo by O haya
>
>
>  |
>
>  |
>
>  |
>
>
>
> Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?
> Thanks!Jim
>
>
>
>
>
>
>
>
>
>
>     On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[hidden email]> wrote: 
>  
>   Hi,
>
> Wow! Thanks! I will give this a try a little later and post back.
>
> Thanks,
> Jim
>
>
>     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote: 
>  
>  I think I have got the example working. I attached a jmx file and a cert
> to this mail and maybe we are lucky and the mailing list doesn't strip
> it from the mail.
>
> In case it does:
>
> Add the variable "certpath" to your testplan (either by a cvs datasource
> for more than one cert, or via the test plan root element). It should
> point to your x509 certificates path.
>
> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
> filled with "${ocspReq}".
>
> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
> with the following content:
>
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
>
> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
> OCSPResp oResp = new OCSPResp(instream);
> assert oResp.getStatus() ==0
>
> Add a Header Manager to the sampler with the following set:
>
> Content-Type    application/ocsp-request
> Accept    application/ocsp-response
>
> It seemed to work for me (famous last words)
>
> One important change was to use "ISO-8859-1" for the encoding of the string.
>
> Felix
>
> On 01.07.19 at 22:42, [hidden email] wrote:
>>   Hi,
>>
>> This Java app:
>>
>> import java.io.*;
>> import java.math.BigInteger;
>> import java.security.Security;
>> import java.util.*;
>> import org.bouncycastle.cert.*;
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.asn1.*;
>> import org.bouncycastle.openssl.*;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.util.io.pem.*;
>> import org.bouncycastle.pkcs.*;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>>
>> public class jmeterdebug1 {
>>
>>   public static void main(String[] args) {
>>   // TODO Auto-generated method stub
>>  
>>  
>>   String BC = "BC"; //"${securityProvider}";
>>   String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>>   try {
>>   Reader fR = new BufferedReader(new FileReader(fName));
>>   PEMParser pPar = new PEMParser(fR);
>>
>>   X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>
>>   Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>
>>   DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>
>>   CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>>
>>   OCSPReqBuilder oRB = new OCSPReqBuilder();
>>   oRB.addRequest(cId);
>>   OCSPReq oReq = oRB.build();
>>
>>   byte[] asn1seq = oReq.getEncoded();
>>  
>>   String sb = new String(asn1seq);
>>  
>>   System.out.println("sb=[" + sb + "]");
>>  
>>   } catch (Exception e) {
>>   System.out.println("*** ERROR ** [" + e + "]");
>>   e.printStackTrace();
>>   }
>>  
>>   //sampler.getArguments().getArgument(0).setValue(sb);
>>  
>>  
>>
>>   }
>>
>> }
>>
>>
>> Outputs:
>>
>> sb=[0B0@0>0<0:0 +
>>
>>
>> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>
>>
>> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>>
>> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>>
>>
>>
>> Thanks,
>> Jim
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>       On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote: 
>>  
>>  
>>
>> On July 1, 2019, 21:49:37 CEST, [hidden email] wrote:
>>> Hi,
>>>
>>> Hmm. It seems like the example test plan isn't as complete as I had
>>> hoped :(....
>>>
>>> FYI, I think the reference to "the public key infrastructure" is to
>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>> Seems sensible.
>>
>>> FYI, I am going to try to get this working/debug this as a Java app
>>> first, and then I can try to make a groovy version after that, once it
>>> is clean. I'm hoping that that makes it easier for me, initially.
>> Small steps is a good way to go.
>>
>>> I will post back in a bit...
>> Great
>>   Felix
>>
>>> Jim
>>>
>>>
>>>
>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>> <[hidden email]> wrote: 
>>>
>>>
>>> On 01.07.19 at 19:16, [hidden email] wrote:
>>>> Hi,
>>>>
>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>> and I found this page, but haven't been able to get it working:
>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>
>>>> - The first problem that I ran into is where it says "2. Download the
>>> public key infrastructure and provider ".  The link for the "provider"
>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>> sure what the "the public key infrastructure" is supposed to download?
>>> I think that the "public key infrastructure" means your certificates.
>>> If
>>> you download the bouncycastle provider, you probably should take the
>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>> - Also, for the HTTP Request element, it says "The URL of the
>>> responder is defined in the variable section of the script.", but I am
>>> not sure what it is referring to when it says "the variable section of
>>> the script"?
>>>
>>> I guess that the "user defined variables" table on the test plan (root)
>>> element is meant. But on the other hand, the text misses to add a
>>> variable reference on the http sampler (my guess is, that it is hidden
>>> in the http defaults element, that are not described further in the
>>> text), so you are free to add your URL to the http sampler yourself.
>>>
>>> And now to a few things you haven't asked :)
>>>
>>> * Use groovy instead of beanshell whenever possible.
>>>
>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>> vars.get("...") instead
>>>
>>> * Instead of
>>>
>>>     Failure = false;
>>>     if (oResp.getStatus() != 0) {
>>>         Failure = true;
>>>
>>>     }
>>>
>>>  you could use
>>>
>>>     Failure = oResp.getStatus() != 0;
>>>
>>> or if you feel groovy: Failure = oResp.status != 0
>>>
>>>
>>>> Is anyone familiar with this test plan, and gotten it working?
>>> Note, that I have no OCSP server and thus have not tried to get it
>>> really working.
>>>
>>> Felix
>>>
>>>> Thanks,
>>>> Jim
>>>>

Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
 Hi,
Sorry about the code formatting :(...  Yahoo email did that I think....

FYI, I use the CRL to extract/generate a file that contains the serial numbers of all the certificates in the CRL (via "openssl crl...").
I then prepend the path to the issuer cert (plus a comma) to each line.
I want to use the resulting CSV file as input to my Jmeter test plan, e.g., so, eventually, I can do load testing where it is sending OCSP requests for multiple issuing certs.
So I modified the code you posted (for the Sampler) to do that, and that is working now.


Re. the JSR223 Assertion processing:

I haven't gotten that completely working yet.
The Assertion code you provided just checks the response, which is typically just "OK", regardless of whether the <issuer,serial number> is in the CRL or not, but for my load test, I want to check that the response actually says "revoked".
Here's the Assertion code that I have so far, but it is not working yet :(....


// Add a JSR223 Assertion to the sampler (set to groovy, again) containing:

import org.bouncycastle.cert.ocsp.OCSPResp;

def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();

InputStream is = new ByteArrayInputStream(instream);
BufferedReader in1 = new BufferedReader(new InputStreamReader(is, "ISO-8859-1"));

StringBuilder logCommandOutput = new StringBuilder();
String line;
while ((line = in1.readLine()) != null) {
    logCommandOutput.append(line);
}
in1.close();

log.info("RESPONSE: " + logCommandOutput.toString());

String passToAssertion = logCommandOutput.toString();
String passedResponse = passToAssertion;
if (passedResponse.contains("Revocation")) {
    log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, so PASSED!!");
} else {
    log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
    AssertionResult.setFailure(false);
    AssertionResult.setFailureMessage("JSR223Assertion did not find 'Revocation'");
}

The problems that I am having:
1) It is not finding the string "Revocation" in the response, i.e., the "if (passedResponse.contains("Revocation"))" is failing.

I think the reason this is failing is that I am still not converting the response into text (FYI, code, similar to above worked, in another test plan I am working on, using "openssl ocsp" and BeanShell  Sampler/Assertion), so then the ".contains()" fails.

2) The code at the end, which is supposed to tell Jmeter whether or not the Assertion failed or succeeded is not working.  In particular, it is not informing Jmeter that the Assertion failed when the Assertion fails.

Jim














    On Wednesday, July 3, 2019, 12:40:20 PM UTC, Felix Schumacher <[hidden email]> wrote:  
 
 
On 03.07.19 at 14:12, o haya wrote:

>  Hi Felix,
> Also, here is the code you posted, but slightly modified so that it uses a certificate serial number in Hex when it builds the cId (this code so far only tests the conversion of the hex-ascii serial number to integer, and uses that integer serial number to call).
> I am testing this because, eventually, the test plan I need will take in a CSV with a bunch of cert serial numbers and send OCSP requests for those.
> import java.io.BufferedReader;import java.io.FileReader;import java.io.Reader;
> import org.bouncycastle.cert.ocsp.CertificateID;import org.bouncycastle.cert.ocsp.OCSPReq;import org.bouncycastle.cert.ocsp.OCSPReqBuilder;import org.bouncycastle.cert.X509CertificateHolder;import org.bouncycastle.openssl.PEMParser;import org.bouncycastle.operator.DigestCalculatorProvider;import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
> String fName = vars.get("certpath");Reader fR = new BufferedReader(new FileReader(fName));PEMParser pPar = new PEMParser(fR);X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();DigestCalculatorProvider dCP = newJcaDigestCalculatorProviderBuilder().build();
> String certSerialNumber = obj.getSerialNumber();log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...// This is a precursor to using a CSV file with Hex cert serial numbersint numericSerialNumber = Integer.valueOf( "35C1", 16);log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();byte[] asn1seq = oReq.getEncoded();String sb = new String(asn1seq, "ISO-8859-1");vars.put("ocspReq", sb);

The above code is not really readable :)

If you don't use code in your samplers, remove it. Otherwise it is
probably OK to use the cert IDs directly instead of reading them from
the  certs.

Felix

>
>
>
>
>
>
>
>    On Wednesday, July 3, 2019, 11:49:51 AM UTC, [hidden email] <[hidden email]> wrote: 

>  Hi Felix,
>
> Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.
>
> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>
> Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.
>
> Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:
>
> // ADDED TO TRY TO GET RESPONSE INFORMATION...
> String responseStream = new String(instream, "ISO-8859-1");
> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
> and in the Jmeter.log I am getting something that looks like DER-encoded information??
> I've uploaded a screenshot of the Jmeter logging:
>
> Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?
> Thanks!
> Jim
>
>     On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[hidden email]> wrote: 

>   Hi,
>
> Wow! Thanks! I will give this a try a little later and post back.
>
> Thanks,
> Jim
>
>
>     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote: 

>  I think I have got the example working. I attached a jmx file and a cert
> to this mail and maybe we are lucky and the mailing list doesn't strip
> it from the mail.
>
> In case it does:
>
> Add the variable "certpath" to your testplan (either by a CSV datasource
> for more than one cert, or via the test plan root element). It should
> point to your x509 certificates path.
>
> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
> filled with "${ocspReq}".
>
> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
> with the following content:
>
> import java.io.BufferedReader;
> import java.io.FileReader;
> import java.io.Reader;
>
> import org.bouncycastle.cert.ocsp.CertificateID;
> import org.bouncycastle.cert.ocsp.OCSPReq;
> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
> import org.bouncycastle.cert.X509CertificateHolder;
> import org.bouncycastle.openssl.PEMParser;
> import org.bouncycastle.operator.DigestCalculatorProvider;
> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>
> String fName = vars.get("certpath");
> Reader fR = new BufferedReader(new FileReader(fName));
> PEMParser pPar = new PEMParser(fR);
> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
> byte[] asn1seq = oReq.getEncoded();
> String sb = new String(asn1seq, "ISO-8859-1");
> vars.put("ocspReq", sb);
>
> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
> OCSPResp oResp = new OCSPResp(instream);
> assert oResp.getStatus() ==0
>
> Add a Header Manager to the sampler with the following set:
>
> Content-Type    application/ocsp-request
> Accept    application/ocsp-response
>
> It seemed to work for me (famous last words)
>
> One important change was to use "ISO-8859-1" for the encoding of the string.
>
> Felix
>
> On 01.07.19 at 22:42, [hidden email] wrote:
>>   Hi,
>>
>> This Java app:
>>
>> import java.io.*;
>> import java.math.BigInteger;
>> import java.security.Security;
>> import java.util.*;
>> import org.bouncycastle.cert.*;
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.asn1.*;
>> import org.bouncycastle.openssl.*;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.util.io.pem.*;
>> import org.bouncycastle.pkcs.*;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>>
>> public class jmeterdebug1 {
>>
>>   public static void main(String[] args) {
>>   // TODO Auto-generated method stub
>>  
>>  
>>   String BC = "BC"; //"${securityProvider}";
>>   String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>>   try {
>>   Reader fR = new BufferedReader(new FileReader(fName));
>>   PEMParser pPar = new PEMParser(fR);
>>
>>   X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>
>>   Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>
>>   DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>
>>   CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>>
>>   OCSPReqBuilder oRB = new OCSPReqBuilder();
>>   oRB.addRequest(cId);
>>   OCSPReq oReq = oRB.build();
>>
>>   byte[] asn1seq = oReq.getEncoded();
>>  
>>   String sb = new String(asn1seq);
>>  
>>   System.out.println("sb=[" + sb + "]");
>>  
>>   } catch (Exception e) {
>>   System.out.println("*** ERROR ** [" + e + "]");
>>   e.printStackTrace();
>>   }
>>  
>>   //sampler.getArguments().getArgument(0).setValue(sb);
>>  
>>  
>>
>>   }
>>
>> }
>>
>>
>> Outputs:
>>
>> sb=[0B0@0>0<0:0 +
>>
>>
>> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>
>>
>> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>>
>> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>>
>>
>>
>> Thanks,
>> Jim
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>       On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote: 
>>  
>>  
>>
>> On July 1, 2019, 21:49:37 CEST, [hidden email] wrote:
>>> Hi,
>>>
>>> Hmm. It seems like the example test plan isn't as complete as I had
>>> hoped :(....
>>>
>>> FYI, I think the reference to "the public key infrastructure" is to
>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>> Seems sensible.
>>
>>> FYI, I am going to try to get this working/debug this as a Java app
>>> first, and then I can try to make a groovy version after that, once it
>>> is clean. I'm hoping that that makes it easier for me, initially.
>> Small steps is a good way to go.
>>
>>> I will post back in a bit...
>> Great
>>   Felix
>>
>>> Jim
>>>
>>>
>>>
>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>> <[hidden email]> wrote: 
>>>
>>>
>>> On 01.07.19 at 19:16, [hidden email] wrote:
>>>> Hi,
>>>>
>>>> I am trying to implement a Jmeter load test for an OCSP responder,
>>> and I found this page, but haven't been able to get it working:
>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>
>>>> - The first problem that I ran into is where it says "2. Download the
>>> public key infrastructure and provider ".  The link for the "provider"
>>> works and allows me to download "bcprov-jdk15on-156.jar", but I am not
>>> sure what the "the public key infrastructure" is supposed to download?
>>> I think that the "public key infrastructure" means your certificates.
>>> If
>>> you download the bouncycastle provider, you probably should take the
>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>> - Also, for the HTTP Request element, it says "The URL of the
>>> responder is defined in the variable section of the script.", but I am
>>> not sure what it is referring to when it says "the variable section of
>>> the script"?
>>>
>>> I guess that the "user defined variables" table on the test plan (root)
>>> element is meant. But on the other hand, the text misses to add a
>>> variable reference on the http sampler (my guess is, that it is hidden
>>> in the http defaults element, that are not described further in the
>>> text), so you are free to add your URL to the http sampler yourself.
>>>
>>> And now to a few things you haven't asked :)
>>>
>>> * Use groovy instead of beanshell whenever possible.
>>>
>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>> vars.get("...") instead
>>>
>>> * Instead of
>>>
>>>     Failure = false;
>>>     if (oResp.getStatus() != 0) {
>>>         Failure = true;
>>>
>>>     }
>>>
>>>  you could use
>>>
>>>     Failure = oResp.getStatus() != 0;
>>>
>>> or if you feel groovy: Failure = oResp.status != 0
>>>
>>>
>>>> Is anyone familiar with this test plan, and gotten it working?
>>> Note, that I have no OCSP server and thus have not tried to get it
>>> really working.
>>>
>>> Felix
>>>
>>>> Thanks,
>>>> Jim
>>>>
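The check discussed in this thread, as an added example that is not part of the original messages: decode the response with BouncyCastle and read each SingleResponse's certStatus instead of searching the DER bytes for the word "revoked". It assumes the BouncyCastle jars named earlier in the thread are on JMeter's classpath; the helper names and the "serialHex" variable are hypothetical.

```groovy
// Added example: JSR223 Assertion (Groovy) that passes only when the responder
// gives a definitive "revoked" answer for the requested certificate.
// ctx, vars, log and AssertionResult are bindings JMeter supplies to the script.
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.CertificateStatus
import org.bouncycastle.cert.ocsp.OCSPException
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.cert.ocsp.RevokedStatus
import org.bouncycastle.cert.ocsp.SingleResp
import org.bouncycastle.cert.ocsp.UnknownStatus

// Name the three certStatus choices of RFC 6960 (good / revoked / unknown).
String statusName(CertificateStatus cs) {
    if (cs == CertificateStatus.GOOD) return "good"   // BouncyCastle models "good" as null
    if (cs instanceof RevokedStatus) return "revoked"
    if (cs instanceof UnknownStatus) return "unknown"
    return "unrecognised"
}

// Returns null when the response proves revocation, otherwise the reason it does not.
// expectedSerialHex may be null, in which case the serial number is not compared.
String whyNotRevoked(byte[] der, String expectedSerialHex) {
    if (der == null || der.length == 0) {
        return "empty response body"
    }
    OCSPResp resp
    try {
        resp = new OCSPResp(der)
    } catch (IOException e) {
        return "body is not a DER-encoded OCSPResponse: " + e.getMessage()
    }

    // Outer responseStatus: 0 (successful) only says the request was processed.
    if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
        return "responseStatus=" + resp.getStatus() + " (not successful)"
    }

    Object body
    try {
        body = resp.getResponseObject()
    } catch (OCSPException e) {
        return "cannot decode responseBytes: " + e.getMessage()
    }
    if (!(body instanceof BasicOCSPResp)) {
        return "no BasicOCSPResponse in responseBytes"
    }

    SingleResp[] singles = ((BasicOCSPResp) body).getResponses()
    if (singles.length == 0) {
        return "BasicOCSPResponse carries no SingleResponse"
    }

    for (SingleResp single : singles) {
        BigInteger serial = single.getCertID().getSerialNumber()
        String name = statusName(single.getCertStatus())
        log.info("OCSP serial=" + serial.toString(16) + " certStatus=" + name)

        if (expectedSerialHex != null && serial != new BigInteger(expectedSerialHex, 16)) {
            return "answer is for serial " + serial.toString(16) + ", not " + expectedSerialHex
        }
        if (name != "revoked") {
            return "certStatus is '" + name + "', expected 'revoked'"
        }
        RevokedStatus revoked = (RevokedStatus) single.getCertStatus()
        log.info("revoked at " + revoked.getRevocationTime())
    }
    return null
}

byte[] der = ctx.getPreviousResult().getResponseData()
// "serialHex" is a hypothetical JMeter variable holding the requested serial (hex).
String problem = whyNotRevoked(der, vars.get("serialHex"))
if (problem != null) {
    AssertionResult.setFailure(true)   // true marks the assertion as failed
    AssertionResult.setFailureMessage("OCSP: " + problem)
}
```

The script does not verify the responder's signature; BasicOCSPResp.isSignatureValid(ContentVerifierProvider) is where that check would go if the test needs it.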

Re: Help get OCSP responder load test working?

Felix Schumacher

On 03.07.19 at 17:44, [hidden email] wrote:

>  Hi,
> Sorry about the code formatting :(...  Yahoo email did that I think....
>
> FYI, I use the CRL to extract/generate a file that contains the serial numbers of all the certificates in the CRL (via "openssl crl...").
> I then prepend the path to the issuer cert (plus a comma) to each line.
> I want to use the resulting CSV file as input to my Jmeter test plan, e.g., so, eventually, I can do load testing where it is sending OCSP requests for multiple issuing certs.
> So I modified the code you posted (for the Sampler) to do that, and that is working now.
>
>
> Re. the JSR223 Assertion processing:
>
> I haven't gotten that completely working yet.
> The Assertion code you provided just checks the response, which is typically just "OK", regardless of whether the <issuer,serial number> is in the CRL or not, but for my load test, I want to check that the response actually says "revoked".
> Here's the Assertion code that I have so far, but it is not working yet :(....

Do you have a test sample (cert id and ocsp provider) that gives a
response that is "revoked"? And have you tried to look at the
responseObject as I asked in my previous mail?

Felix

>
>
> // Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
>
> InputStream is = new ByteArrayInputStream(instream);
> BufferedReader in1 = new BufferedReader(new InputStreamReader(is, "ISO-8859-1"));
>
> StringBuilder logCommandOutput = new StringBuilder();
> String line;
> while ((line = in1.readLine()) != null) {
>     logCommandOutput.append(line);
> }
> in1.close();
>
> log.info("RESPONSE: " + logCommandOutput.toString());
>
> String passToAssertion = logCommandOutput.toString();
> String passedResponse = passToAssertion;
> if (passedResponse.contains("Revocation")) {
>     log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, so PASSED!!");
> } else {
>     log.info(Thread.currentThread().getName() + ":++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
>     AssertionResult.setFailure(false);
>     AssertionResult.setFailureMessage("JSR223Assertion did not find 'Revocation'");
> }
>
> The problems that I am having:
> 1) It is not finding the string "Revocation" in the response, i.e., the "if (passedResponse.contains("Revocation"))" is failing.
>
> I think the reason this is failing is that I am still not converting the response into text (FYI, code, similar to above worked, in another test plan I am working on, using "openssl ocsp" and BeanShell  Sampler/Assertion), so then the ".contains()" fails.
>
> 2) The code at the end, which is supposed to tell Jmeter whether or not the Assertion failed or succeeded is not working.  In particular, it is not informing Jmeter that the Assertion failed when the Assertion fails.
>
> Jim
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>     On Wednesday, July 3, 2019, 12:40:20 PM UTC, Felix Schumacher <[hidden email]> wrote:  
>  
>  
> On 03.07.19 at 14:12, o haya wrote:
>>   Hi Felix,
>> Also, here is the code you posted, but slightly modified so that it uses a certificate serial number in Hex when it builds the cId (this code so far only tests the conversion of the hex-ascii serial number to integer, and uses that integer serial number to call).
>> I am testing this because, eventually, the test plan I need will take in a CSV with a bunch of cert serial numbers and send OCSP requests for those.
>> import java.io.BufferedReader;import java.io.FileReader;import java.io.Reader;
>> import org.bouncycastle.cert.ocsp.CertificateID;import org.bouncycastle.cert.ocsp.OCSPReq;import org.bouncycastle.cert.ocsp.OCSPReqBuilder;import org.bouncycastle.cert.X509CertificateHolder;import org.bouncycastle.openssl.PEMParser;import org.bouncycastle.operator.DigestCalculatorProvider;import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>> String fName = vars.get("certpath");Reader fR = new BufferedReader(new FileReader(fName));PEMParser pPar = new PEMParser(fR);X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();DigestCalculatorProvider dCP = newJcaDigestCalculatorProviderBuilder().build();
>> String certSerialNumber = obj.getSerialNumber();log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
>> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...// This is a precursor to using a CSV file with Hex cert serial numbersint numericSerialNumber = Integer.valueOf( "35C1", 16);log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
>> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
>> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();byte[] asn1seq = oReq.getEncoded();String sb = new String(asn1seq, "ISO-8859-1");vars.put("ocspReq", sb);
> The above code is not really readable :)
>
> If you don't use code in your samplers, remove it. Otherwise it is
> probably OK to use the cert IDs directly instead of reading them from
> the  certs.
>
> Felix
>
>>
>>
>>
>>
>>
>>
>>     On Wednesday, July 3, 2019, 11:49:51 AM UTC, [hidden email] <[hidden email]> wrote: 
>>  
>>   Hi Felix,
>>
>> Sorry for the delay.  I am working with several different OCSP Responders and was busy trying to get one of them working.
>>
>> Anyway, I tested what you posted, in a new Jmeter test plan, and it worked!!
>>
>> Also, the Assertion succeeded, but I need to get the Assertion code to look into the response more.  The current Assertion code checks that the response was "OK", but for this load test, I need to check to see if the response actually says "revoked", because the OCSP responder will respond "OK" even if it doesn't find a match for the cert I am checking.  Then, I have to look for "revoked" or "Revocation" to confirm that I got a "positive" revocation from the CRL.
>>
>> Right now, it looks like I can get the response data/text, but it is *maybe* DER encoded or something.  I added the following to the Assertion code you posted:
>>
>> // ADDED TO TRY TO GET RESPONSE INFORMATION...
>> String responseStream = new String(instream, "ISO-8859-1");
>> log.info("+++++++++++++++++ FROM ASSERTION: responseStream=[" + responseStream + "]");
>> and in the Jmeter.log I am getting something that looks like DER-encoded information??
>> I've uploaded a screenshot of the Jmeter logging:
>>
>> Can I convert that encoded string in the Assertion code, to something that the code can then check for the word/string like "revoked" or "Revocation"?
>> Thanks!
>> Jim
>>
>>     On Tuesday, July 2, 2019, 8:06:35 PM UTC, <[hidden email]> wrote: 
>>  
>>   Hi,
>>
>> Wow! Thanks! I will give this a try a little later and post back.
>>
>> Thanks,
>> Jim
>>
>>
>>     On Tuesday, July 2, 2019, 2:55:17 PM EDT, Felix Schumacher <[hidden email]> wrote: 
>>  
>>   I think I have got the example working. I attached a jmx file and a cert
>> to this mail and maybe we are lucky and the mailing list doesn't strip
>> it from the mail.
>>
>> In case it does:
>>
>> Add the variable "certpath" to your testplan (either by a CSV datasource
>> for more than one cert, or via the test plan root element). It should
>> point to your x509 certificates path.
>>
>> Add a HTTP Sampler with method POST, the "Body Data" tab selected and
>> filled with "${ocspReq}".
>>
>> Add a JSR223 PreProcessor to the sampler (set to groovy -- the default)
>> with the following content:
>>
>> import java.io.BufferedReader;
>> import java.io.FileReader;
>> import java.io.Reader;
>>
>> import org.bouncycastle.cert.ocsp.CertificateID;
>> import org.bouncycastle.cert.ocsp.OCSPReq;
>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>> import org.bouncycastle.cert.X509CertificateHolder;
>> import org.bouncycastle.openssl.PEMParser;
>> import org.bouncycastle.operator.DigestCalculatorProvider;
>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>
>> String fName = vars.get("certpath");
>> Reader fR = new BufferedReader(new FileReader(fName));
>> PEMParser pPar = new PEMParser(fR);
>> X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>> DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().build();
>> CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();
>> byte[] asn1seq = oReq.getEncoded();
>> String sb = new String(asn1seq, "ISO-8859-1");
>> vars.put("ocspReq", sb);
>>
>> Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>>
>> import org.bouncycastle.cert.ocsp.OCSPResp;
>>
>> def sR = ctx.getPreviousResult();
>> byte[] instream = sR.getResponseData();
>> OCSPResp oResp = new OCSPResp(instream);
>> assert oResp.getStatus() == 0
>>
>> Add a Header Manager to the sampler with the following set:
>>
>> Content-Type    application/ocsp-request
>> Accept    application/ocsp-response
>>
>> It seemed to work for me (famous last words)
>>
>> One important change was to use "ISO-8859-1" for the encoding of the string.
>>
>> Felix
>>
>> On 01.07.19 at 22:42, [hidden email] wrote:
>>>   Hi,
>>>
>>> This Java app:
>>>
>>> import java.io.*;
>>> import java.math.BigInteger;
>>> import java.security.Security;
>>> import java.util.*;
>>> import org.bouncycastle.cert.*;
>>> import org.bouncycastle.cert.ocsp.CertificateID;
>>> import org.bouncycastle.cert.ocsp.OCSPReq;
>>> import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
>>> import org.bouncycastle.asn1.*;
>>> import org.bouncycastle.openssl.*;
>>> import org.bouncycastle.openssl.PEMParser;
>>> import org.bouncycastle.util.io.pem.*;
>>> import org.bouncycastle.pkcs.*;
>>> import org.bouncycastle.operator.DigestCalculatorProvider;
>>> import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>>>
>>>
>>> public class jmeterdebug1 {
>>>
>>>   public static void main(String[] args) {
>>>   // TODO Auto-generated method stub
>>>  
>>>  
>>>   String BC = "BC"; //"${securityProvider}";
>>>   String fName = "E:\\Ziptemp\\CRL-DOWNLOADER\\certs\\orc_eca_sw_5.pem"; //"${certpath}
>>>   try {
>>>   Reader fR = new BufferedReader(new FileReader(fName));
>>>   PEMParser pPar = new PEMParser(fR);
>>>
>>>   X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();
>>>
>>>   Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
>>>
>>>   DigestCalculatorProvider dCP = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
>>>
>>>   CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());
>>>
>>>   OCSPReqBuilder oRB = new OCSPReqBuilder();
>>>   oRB.addRequest(cId);
>>>   OCSPReq oReq = oRB.build();
>>>
>>>   byte[] asn1seq = oReq.getEncoded();
>>>  
>>>   String sb = new String(asn1seq);
>>>  
>>>   System.out.println("sb=[" + sb + "]");
>>>  
>>>   } catch (Exception e) {
>>>   System.out.println("*** ERROR ** [" + e + "]");
>>>   e.printStackTrace();
>>>   }
>>>  
>>>   //sampler.getArguments().getArgument(0).setValue(sb);
>>>  
>>>  
>>>
>>>   }
>>>
>>> }
>>>
>>>
>>> Outputs:
>>>
>>> sb=[0B0@0>0<0:0 +
>>>
>>>
>>> So I am guessing that the 'sb' is supposed to be used to populate the POST body via the line that I have commented out above ("sampler.getArguments().getArgument(0).setValue(sb);")??
>>>
>>>
>>> So if I just uncomment that line in the equivalent code in the Jmeter Beanshell Preprocessor code, is there something additional that I need to do to get the HTTP request to use that for the BODY?
>>>
>>> Also, FYI, I added several Debug listeners, but I don't see any variable named "sb" in their output? What do I need to do so that I can see the contents of that var in the Debug?
>>>
>>>
>>>
>>> Thanks,
>>> Jim
>>>
>>>       On Monday, July 1, 2019, 4:01:41 PM EDT, Felix Schumacher <[hidden email]> wrote: 
>>>  
>>>  
>>>
>>> On 1 July 2019 21:49:37 CEST, [hidden email] wrote:
>>>> Hi,
>>>>
>>>> Hmm. It seems like the example test plan isn't as complete as I had
>>>> hoped :(....
>>>>
>>>> FYI, I think the reference to "the public key infrastructure" is to
>>>> another bouncycastle package, "bcpkix-jdk15on-162.jar".
>>> Seems sensible.
>>>
>>>> FYI, I am going to try to get this working/debug this as a Java app
>>>> first, and then I can try to make a groovy version after that, once it
>>>> is clean. I'm hoping that that makes it easier for me, initially.
>>> Small steps is a good way to go.
>>>
>>>> I will post back in a bit...
>>> Great
>>>   Felix
>>>
>>>> Jim
>>>>
>>>>
>>>>
>>>> On Monday, July 1, 2019, 2:46:59 PM EDT, Felix Schumacher
>>>> <[hidden email]> wrote: 
>>>>
>>>>
>>>> On 01.07.19 at 19:16, [hidden email] wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to implement a Jmeter load test for an OCSP responder, and I found this page, but haven't been able to get it working:
>>>>>
>>>>> https://www.blazemeter.com/blog/how-load-test-ocsp-jmeter/
>>>>>
>>>>> - The first problem that I ran into is where it says "2. Download the public key infrastructure and provider ".  The link for the "provider" works and allows me to download "bcprov-jdk15on-156.jar", but I am not sure what the "the public key infrastructure" is supposed to download?
>>>> I think that the "public key infrastructure" means your certificates. If
>>>> you download the bouncycastle provider, you probably should take the
>>>> newest version of it: https://bouncycastle.org/latest_releases.html
>>>>> - Also, for the HTTP Request element, it says "The URL of the responder is defined in the variable section of the script.", but I am not sure what it is referring to when it says "the variable section of the script"?
>>>>
>>>> I guess that the "user defined variables" table on the test plan (root)
>>>> element is meant. But on the other hand, the text misses to add a
>>>> variable reference on the http sampler (my guess is, that it is hidden
>>>> in the http defaults element, that are not described further in the
>>>> text), so you are free to add your URL to the http sampler yourself.
>>>>
>>>> And now to a few things you haven't asked :)
>>>>
>>>> * Use groovy instead of beanshell whenever possible.
>>>>
>>>> * Don't use ${...} inside JSR223 or other Shell Samplers. Use
>>>> vars.get("...") instead
>>>>
>>>> * Instead of
>>>>
>>>>     Failure = false;
>>>>     if (oResp.getStatus() != 0) {
>>>>         Failure = true;
>>>>
>>>>     }
>>>>
>>>>  you could use
>>>>
>>>>     Failure = oResp.getStatus() != 0;
>>>>
>>>> or if you feel groovy: Failure = oResp.status != 0
>>>>
>>>>
>>>>> Is anyone familiar with this test plan, and gotten it working?
>>>> Note, that I have no OCSP server and thus have not tried to get it
>>>> really working.
>>>>
>>>> Felix
>>>>
>>>>> Thanks,
>>>>> Jim

Re: Help get OCSP responder load test working?

ohaya@yahoo.com.INVALID
Hi Felix,
Sorry.  I actually got the assertion working where it is able to determine the detailed response, but then yesterday was a holiday, so we got busy with family stuff.
So anyway, here is the Assertion code that I have that works now (and sorry, I still have some debug code that depends on having a variable named "debugFlag" which is set to "true" or "false").
Also, I had to download and put the following files into the Jmeter "lib" directory:
- bcpkix-jdk15on-162.jar
- bcprov-jdk15on-162.jar
Also, FYI, this Assertion will FAIL if it DOESN'T find a detailed result.  I am just mentioning this because this may not be the behavior that is desired, but it is the requirement that I have for my work, so adjust as required.


//
// ORIGINAL REFERENCE/EXAMPLE HOWTO PARSE OCSP RESPONSE: https://stackoverflow.com/questions/15083181/ocsp-response-does-not-give-certificate-status
//
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.cert.ocsp.CertificateStatus;

log.info("++++++++++++++++++++++++++++++++++++++++++ JSR223 Assertion - V4.00");
boolean debugOut = true;
if (vars.get("debugFlag") == "true") {
    log.info("++++++++++++++++++++++++++++++++++++++++++++++++++++++ IN ASSERTION: debugFlag is true - DEBUG IS ENABLED!!");
    debugOut = true;
} else {
    log.info("++++++++++++++++++++++++++++++++++++++++++++++++++++++ IN ASSERTION: debugFlag is false - DEBUG IS DISABLED!!");
    debugOut = false;
}

// Decode the DER response body returned to the previous sampler
def sR = ctx.getPreviousResult();
byte[] instream = sR.getResponseData();
OCSPResp oResp = new OCSPResp(instream);

// getResponseObject() returns null when the responder answered with an error status
BasicOCSPResp basicResponse = (BasicOCSPResp) oResp.getResponseObject();
SingleResp[] responses = (basicResponse == null) ? null : basicResponse.getResponses();

boolean foundStatus = false;

if (responses != null && responses.length == 1) {
    SingleResp resp = responses[0];
    Object status = resp.getCertStatus();
    // CertificateStatus.GOOD is defined as null in BouncyCastle, so "good" has to be
    // tested directly and not inside a "status != null" check.
    if (status == CertificateStatus.GOOD) {
        if (debugOut) log.info("++++++++++++++++++++++++++++++++++++++++++++++++ IN ASSERTION: OCSP Status is good!");
        if (debugOut) log.info(Thread.currentThread().getName() + ": ++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
        AssertionResult.setFailure(true);
        AssertionResult.setFailureMessage("JSR223 Assertion did not find 'Revocation'");
        foundStatus = true;
    } else if (status instanceof RevokedStatus) {
        if (debugOut) log.info("++++++++++++++++++++++++++++++++++++++++++++++++ IN ASSERTION: OCSP Status is revoked!");
        if (debugOut) log.info(Thread.currentThread().getName() + ": ++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, so SUCCEEDED!!");
        AssertionResult.setFailure(false);
        AssertionResult.setFailureMessage("JSR223 Assertion FOUND 'Revocation'");
        foundStatus = true;
    } else if (status instanceof UnknownStatus) {
        if (debugOut) log.info("++++++++++++++++++++++++++++++++++++++++++++ IN ASSERTION: OCSP Status is unknown!");
        if (debugOut) log.info(Thread.currentThread().getName() + ": ++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
        AssertionResult.setFailure(true);
        AssertionResult.setFailureMessage("JSR223 Assertion did not find 'Revocation'");
        foundStatus = true;
    }
}

// No single response at all (error status, or not exactly one SingleResp)
if (!foundStatus) {
    if (debugOut) log.info("++++++++++++++++++++++++++++++++++++ IN ASSERTION: NO Status was found/matched, so Assertion is FAILED!");
    AssertionResult.setFailure(true);
    AssertionResult.setFailureMessage("JSR223 Assertion did not find/match any status - SO THE ASSERTION WILL FAIL!!");
}



Thank you VERY MUCH for your help with this.... it has been invaluable!


Jim




    On Friday, July 5, 2019, 12:12:06 PM UTC, Felix Schumacher <[hidden email]> wrote:  
 
 
On 03.07.19 at 17:44, [hidden email] wrote:

>  Hi,
> Sorry about the code formatting :(...  Yahoo email did that I think....
>
> FYI, I use the CRL to extract/generate a file that contains the serial numbers of all the certificates in the CRL (via "openssl crl...").
> I then prepend the path to the issuer cert (plus a comma) to each line.
> I want to use the resulting CSV file as input to my Jmeter test plan, e.g., so, eventually, I can do load testing where it is sending OCSP requests for multiple issuing certs.
> So I modified the code you posted (for the Sampler) to do that, and that is working now.
>
>
> Re. the JSR223 Assertion processing:
>
> I haven't gotten that completely working yet.
> The Assertion code you provided just checks the response, which is typically just "OK", regardless of whether the <issuer,serial number> is in the CRL or not, but for my load test, I want to check that the response actually says "revoked".
> Here's the Assertion code that I have so far, but it is not working yet :(....

Do you have a test sample (cert id and ocsp provider) that gives a
response that is "revoked"? And have you tried to look at the
responseObject as I asked in my previous mail?

Felix

>
>
> //Add a JSR223 Assertion to the sampler (set to groovy, again) containing:
>
> import org.bouncycastle.cert.ocsp.OCSPResp;
>
> def sR = ctx.getPreviousResult();
> byte[] instream = sR.getResponseData();
>
> InputStream is = new ByteArrayInputStream(instream);
> BufferedReader in1 = new BufferedReader(new InputStreamReader(is, "ISO-8859-1"));
>
> StringBuilder logCommandOutput = new StringBuilder();
> String line;
> while ((line = in1.readLine()) != null) {
>     logCommandOutput.append(line);
> }
> in1.close();
> log.info("RESPONSE: " + logCommandOutput.toString());
>
> String passToAssertion = logCommandOutput.toString();
> String passedResponse = passToAssertion;
> if (passedResponse.contains("Revocation")) {
>     log.info(Thread.currentThread().getName() + ": ++++++++++++++++++++++ IN ASSERTION: FOUND Revocation in Response, so PASSED!!");
> } else {
>     log.info(Thread.currentThread().getName() + ": ++++++++++++++++++++++ IN ASSERTION: DID NOT FIND Revocation in Response, so FAILED!!");
>     AssertionResult.setFailure(false);
>     AssertionResult.setFailureMessage("JSR223 Assertion did not find 'Revocation'");
> }
>
> The problems that I am having:
> 1) It is not finding the string "Revocation" in the response, i.e., the "if (passedResponse.contains("Revocation"))" is failing.
>
> I think the reason this is failing is that I am still not converting the response into text (FYI, code, similar to above worked, in another test plan I am working on, using "openssl ocsp" and BeanShell  Sampler/Assertion), so then the ".contains()" fails.
>
> 2) The code at the end, which is supposed to tell Jmeter whether or not the Assertion failed or succeeded is not working.  In particular, it is not informing Jmeter that the Assertion failed when the Assertion fails.
>
> Jim
>
>    On Wednesday, July 3, 2019, 12:40:20 PM UTC, Felix Schumacher <[hidden email]> wrote: 


> On 03.07.19 at 14:12, o haya wrote:
>>   Hi Felix,
>> Also, here is the code you posted, but slightly modified so that it uses a certificate serial number in Hex when it builds the cId (this code so far only tests the conversion of the hex-ascii serial number to integer, and uses that integer serial number to call).
>> I am testing this because, eventually, the test plan I need will take in a CSV with a bunch of cert serial numbers and send OCSP requests for those.
>> import java.io.BufferedReader;import java.io.FileReader;import java.io.Reader;
>> import org.bouncycastle.cert.ocsp.CertificateID;import org.bouncycastle.cert.ocsp.OCSPReq;import org.bouncycastle.cert.ocsp.OCSPReqBuilder;import org.bouncycastle.cert.X509CertificateHolder;import org.bouncycastle.openssl.PEMParser;import org.bouncycastle.operator.DigestCalculatorProvider;import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
>> String fName = vars.get("certpath");Reader fR = new BufferedReader(new FileReader(fName));PEMParser pPar = new PEMParser(fR);X509CertificateHolder obj = (X509CertificateHolder)pPar.readObject();DigestCalculatorProvider dCP = newJcaDigestCalculatorProviderBuilder().build();
>> String certSerialNumber = obj.getSerialNumber();log.info("++++++++++++++++++++ certSerialNumber=[" + certSerialNumber + "]");
>> // Test Converting a HEX-STRING to int/biginteger, and then passing that into the dCP.get()...// This is a precursor to using a CSV file with Hex cert serial numbersint numericSerialNumber = Integer.valueOf( "35C1", 16);log.info("++++++++++++++++++++++ numericSerialNumber=[" + numericSerialNumber + "]");
>> //CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, obj.getSerialNumber());CertificateID cId = new CertificateID(dCP.get(CertificateID.HASH_SHA1), obj, numericSerialNumber);
>> OCSPReq oReq = new OCSPReqBuilder().addRequest(cId).build();byte[] asn1seq = oReq.getEncoded();String sb = new String(asn1seq, "ISO-8859-1");vars.put("ocspReq", sb);
> The above code is not really readable :)
>
> If you don't use code in your samplers, remove it. Otherwise it is
> probably OK to use the cert IDs directly instead of reading them from
> the  certs.
>
> Felix
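Why searching the raw response for "revoked" or "Revocation" finds nothing, as an added example (Python, not code from this thread or from BouncyCastle): an OCSP response is DER, the outer responseStatus only says whether the responder answered, and the per-certificate status is a one-byte context tag inside SingleResponse. The sample responses are constructed with dummy hashes and signature bytes, the serial 0x35C1 is borrowed from the thread, and all function names are illustrative.

```python
# Added example: minimal DER walker for RFC 6960 OCSP responses (no signature check).
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_ocsp(der):
    """Return (responseStatus name, [(serial, certStatus name), ...])."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    top = children(body)
    status = STATUS.get(int.from_bytes(top[0][1], "big"), "undefined")
    if len(top) < 2:                        # error statuses carry no responseBytes
        return status, []
    response_bytes = children(children(top[1][1])[0][1])  # [0] EXPLICIT -> ResponseBytes
    basic = children(read_tlv(response_bytes[1][1])[1])   # OCTET STRING holds BasicOCSPResponse
    tbs = children(basic[0][1])                           # tbsResponseData
    responses = next(v for t, v in tbs if t == 0x30)      # only plain SEQUENCE: responses
    results = []
    for _, single in children(responses):
        fields = children(single)                         # certID, certStatus, thisUpdate, ...
        serial = int.from_bytes(children(fields[0][1])[-1][1], "big", signed=True)
        results.append((serial, CERT_STATUS.get(fields[1][0], "undefined")))
    return status, results


def is_positive_revocation(der, serial):
    """The thread's pass criterion: the responder answered and reports this serial revoked."""
    status, results = parse_ocsp(der)
    return status == "successful" and (serial, "revoked") in results


def tlv(tag, value=b""):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def sample_response(serial, cert_status):
    """Constructed response: issuer hashes, responder key hash and signature are dummy bytes."""
    when = tlv(0x18, b"20190705120000Z")
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05))
    cert_id = tlv(0x30, sha1 + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20)
                  + tlv(0x02, serial.to_bytes(2, "big")))
    single = tlv(0x30, cert_id + cert_status + when)
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x33" * 20)) + when + tlv(0x30, single))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    basic = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x44" * 256))
    basic_oid = tlv(0x06, bytes.fromhex("2b0601050507300101"))  # id-pkix-ocsp-basic
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, basic_oid + tlv(0x04, basic))))


REVOKED = sample_response(0x35C1, tlv(0xA1, tlv(0x18, b"20190601000000Z")))  # [1] RevokedInfo
GOOD = sample_response(0x35C1, tlv(0x80))                                    # [0] NULL
UNAUTHORIZED = tlv(0x30, tlv(0x0A, b"\x06"))                                 # status only

if __name__ == "__main__":
    for name, der in (("revoked", REVOKED), ("good", GOOD), ("unauthorized", UNAUTHORIZED)):
        print(name, parse_ocsp(der), "contains b'revoked':", b"revoked" in der)
```

The walker does not verify the response signature, nonce or validity window, so it is suitable for classifying load-test responses but not for making a trust decision.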