Ruben Laguna’s blog

Inspecting Tomcat HTTPS Connection With Wireshark

Wireshark can decrypt an SSL connection as long as you have the corresponding server-side private key. You can read the details here. This works because, with an RSA key exchange, the session keys are derived from a pre-master secret that the client encrypts to the server's public key; with a forward-secret ciphersuite (DHE/ECDHE) the private key alone is not enough. If you are using Java and Tomcat, however, the certificate and private key are probably stored in a JKS keystore, so how do you extract the key in the format Wireshark expects?

First of all, keytool doesn't allow you to extract the private key from a keystore, so you need external help. I use DumpPrivateKey.java, a modified version of the DumpPrivateKey found in this forum post.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;

/**
 * Utility program that reads the keystore file given on the command line and
 * dumps the private key stored under an alias to standard output as Base64
 * (unencrypted PKCS#8, which is what Key.getEncoded() returns for a PrivateKey).
 */
public class DumpPrivateKey {
  /**
   * Main method, invoked from the command line. Opens the JKS file given in
   * the first argument, fetches the private key stored under the given alias,
   * Base64-encodes it and writes it to standard output as a PEM block.
   * Usage: java DumpPrivateKey keystore.jks alias storepassword keypassword
   *
   * @param args
   *            the input parameters: keystore file, alias, store password, key password.
   */
  public static void main(String[] args) {
    if (args.length != 4) {
      System.err.println("Usage: java DumpPrivateKey keystore.jks alias storepassword keypassword");
      System.exit(1);
    }
    String keystore = args[0];
    String alias = args[1];
    char[] storepass = args[2].toCharArray();
    char[] keypass = args[3].toCharArray();

    // try-with-resources closes the keystore file even when loading fails.
    try (InputStream in = new FileInputStream(keystore)) {
      KeyStore ks = KeyStore.getInstance("jks");
      ks.load(in, storepass);
      Key key = ks.getKey(alias, keypass);
      if (!(key instanceof PrivateKey)) {
        // Do not echo the passwords here: stderr frequently ends up in logs.
        System.err.println("No private key found for alias: " + alias);
        System.exit(1);
      }

      // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which was
      // removed in Java 9; 64-column lines match the PEM layout openssl expects.
      Base64.Encoder pem = Base64.getMimeEncoder(64, new byte[] {'\n'});
      String b64 = pem.encodeToString(key.getEncoded());

      System.out.println("-----BEGIN PRIVATE KEY-----");
      System.out.println(b64);
      System.out.println("-----END PRIVATE KEY-----");
    } catch (Exception e) {
      e.printStackTrace();
      System.exit(1);
    }
  }
}

The code is also available as a gist.

Issuing the command

The command java -cp . DumpPrivateKey wwwserver.jks tomcat changeit changeit >server.key exports the private key to server.key, but you still need to convert this key format (an unencrypted PKCS#8 PEM, hence the BEGIN PRIVATE KEY header) to the traditional RSA format that Wireshark supports. You can do that with openssl pkcs8 -inform PEM -nocrypt -in server.key -out server.rsa.key.

Then you can use server.rsa.key in Wireshark: Edit → Preferences → Protocol → SSL → rsa key file list, adding an entry in the form IP address, port, protocol, key file, for example 192.168.0.4,443,http,c:\server.rsa.key.
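As an added example (not code from the original post or its gist), here is the conversion the openssl pkcs8 step performs, written in pure Python so the format change is visible: it parses the PKCS#8 PEM that DumpPrivateKey prints, checks that the key algorithm is rsaEncryption (the only kind the Wireshark RSA key list can use), and unwraps the inner RSAPrivateKey into the traditional RSA PRIVATE KEY PEM. The minimal DER helpers are my own, not a library API; they assume well-formed DER as produced by the Java KeyStore.

```python
import base64
import re

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption); Wireshark's RSA key list needs an RSA key.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem, label):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s PEM block found" % label)
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def rsa_modulus_bits(rsa_der):
    """Bit length of n in a PKCS#1 RSAPrivateKey (SEQUENCE {version, n, e, d, ...})."""
    _, body, _ = der_read(rsa_der)
    return int.from_bytes(der_children(body)[1][1], "big").bit_length()

def pkcs8_to_rsa_pem(pkcs8_pem):
    """Unwrap an unencrypted PKCS#8 PrivateKeyInfo (SEQUENCE {version, AlgorithmIdentifier,
    privateKey OCTET STRING}) into the bare PKCS#1 RSAPrivateKey of an 'RSA PRIVATE KEY' PEM."""
    tag, body, _ = der_read(pem_to_der(pkcs8_pem, "PRIVATE KEY"))
    fields = der_children(body) if tag == 0x30 else []
    if [f[0] for f in fields[:3]] != [0x02, 0x30, 0x04]:  # version, AlgorithmIdentifier, privateKey
        raise ValueError("malformed PrivateKeyInfo")
    alg, private_key = fields[1], fields[2]
    if der_children(alg[1])[0] != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key; Wireshark cannot use it for RSA decryption")
    return der_to_pem(private_key[1], "RSA PRIVATE KEY")
```

Running pkcs8_to_rsa_pem on the contents of server.key gives the same traditional PEM as the openssl command; rsa_modulus_bits on the unwrapped DER reports the key size you actually extracted.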

Hope it works for you!


Copyright © 2015 - Ruben Laguna - Powered by Octopress