Adding BurpSuite CA To The Java Keystore

Just a quick tech note for my own reference in the future.
While testing a Java-based thick client, I discovered the developers had left an option to set a proxy right inside the app (handy!). That meant I could throw all the app traffic through BurpSuite and manipulate it as I wished.

The problem I ran into was that Java didn't trust the Burp CA. To get around that, I needed to add the CA to the default Java keystore. That turned out to be simple enough; the main things to know were where the Java keystore is stored:
    $JAVA_HOME/jre/lib/security/cacerts
and what the default password is:
    changeit

Once I had those, importing was painless:

$ keytool -import -trustcacerts -file ~/burp.cer -alias BURPSUITE -keystore $JAVA_HOME/jre/lib/security/cacerts

Enter keystore password: changeit

Owner: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Issuer: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Serial number: 563a4f3e 
Valid from: Wed Nov 04 13:32:30 EST 2015 until: Tue Oct 30 14:32:30 EDT 2035 
Certificate fingerprints: 
        MD5:  AF:5E:1C:E9:D5:18:4B:EC:7D:E3:6C:C7:91:BE:11:F0 
        SHA1: D5:5E:D4:2B:BC:4D:D0:0F:A2:04:97:AC:B8:1E:EB:DA:95:94:60:DB 
        SHA256: 73:F6:FF:6B:63:9C:E6:80:86:A3:63:C6:C5:08:77:F1:69:DA:71:34:4A:E5:7E:1B:33:5A:4B:F4:FD:1F:E1:6B 
        Signature algorithm name: SHA256withRSA 
        Version: 3 

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
 CA:true 
 PathLen:0 
] 

#2: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 20 1C 1C 67 C2 21 B5 73   21 88 E2 77 6C 1D 2E 80   ..g.!.s!..wl... 
0010: 97 8E B2 D7                                        .... 
] 
] 

Trust this certificate? [no]:  yes 
Certificate was added to keystore
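The same import as an added POSIX shell example (not code from the original post), written the way I would do it on a test box: it applies the CA to a per-test copy of cacerts rather than the global one, so only the client under test trusts the proxy, and it verifies the alias afterwards. It assumes keytool is on PATH; the file names burp.cer, burp-truststore.jks and client.jar are placeholders.

```shell
#!/bin/sh
# Added example: import the Burp CA into a copy of the JDK cacerts and point
# a client at that copy, instead of touching the system-wide truststore.
set -e

# Locate cacerts under a JAVA_HOME. JDK 8 and earlier keep it under
# jre/lib/security, JDK 9 and later dropped the jre directory and use
# lib/security. Prints the path, or returns 1 if neither exists.
find_cacerts() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build the JVM options that make a client use the test truststore.
truststore_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Copy the JDK cacerts to a working truststore, import the Burp CA under the
# alias BURPSUITE, and confirm the alias is present (keytool -list exits
# non-zero if the alias is missing).
import_burp_ca() {
    java_home=$1 cert=$2 store=$3
    src=$(find_cacerts "$java_home") || { echo "no cacerts under $java_home" >&2; return 1; }
    cp "$src" "$store"
    # changeit is the stock JDK cacerts password, as in the original post.
    keytool -importcert -trustcacerts -noprompt -alias BURPSUITE \
        -file "$cert" -keystore "$store" -storepass changeit
    keytool -list -alias BURPSUITE -keystore "$store" -storepass changeit >/dev/null
}

# Usage: ./burp-truststore.sh run   (with JAVA_HOME set and ~/burp.cer exported from Burp)
if [ "${1:-}" = "run" ]; then
    import_burp_ca "${JAVA_HOME:?set JAVA_HOME}" "$HOME/burp.cer" "$PWD/burp-truststore.jks"
    echo "java $(truststore_opts "$PWD/burp-truststore.jks" changeit) -jar client.jar"
fi
```

If the client does not honour the javax.net.ssl.trustStore properties (some build their own SSLContext), fall back to the global cacerts import shown above and remove the alias again when testing is done.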

Getting Keytool to Work With BouncyCastle in Ubuntu

This isn't going to be an earth-shattering post of supreme l33t-ness, just a quick note so I don't forget how to do this:

If you want to get the Bouncy Castle provider working in Ubuntu – so you can do things like, say, update the cacerts.bks on an Android device with the PortSwiggerCA.crt to MiTM SSL traffic from a mobile device – you need to do the following things:

  1. Download the Bouncy Castle Provider of your choice. As of this post, the version I’m using is here.
  2. Put the .jar file in the following directory:
    /usr/lib/jvm/java-6-sun/jre/lib/ext
  3. Add the following line to /usr/lib/jvm/java-6-sun/jre/lib/security/java.security (the number must be one higher than the last security.provider.N entry already in that file):
    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
  4. Run the following command:
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias PortSwiggerCA -file PortSwiggerCA.crt
For completeness, the cacerts.bks file can be pulled off the Android device using:
adb pull /system/etc/security/cacerts.bks
You'll need to remount the /system file system as read-write before you can push the modified one back; you can do that with the following command (from the adb shell):
# mount -o rw,remount /dev/block/system /system
A side note: it seems that IE9 and Chromium browser have decided to disallow the export of untrusted CA certificates (Older Firefox still allows it, but newer ones may not – I didn’t check). As a result, you may have difficulty getting a copy of the PortSwiggerCA.crt file. If you find yourself in that situation, you’re mostly screwed – unless you have the pro version of Burp, which has an export option.