Is it possible to extract the Wireshark keylog information directly from the TLSv1.3 handshake in a Java app? If so, how do I map the fields, or is additional material not shared in the handshake required?
From the following links, I believe I need the NSS Key Log Format for TLSv1.3 connections (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) so that I can enable Wireshark traffic sniffing (https://ask.wireshark.org/question/2691/decrypting-tls-traffic-using-rsa-pre-master-secret/).
CLIENT_EARLY_TRAFFIC_SECRET is the encryption key for 0-RTT data;
SERVER_HANDSHAKE_TRAFFIC_SECRET is the key used by the server to encrypt the handshake message;
SERVER_TRAFFIC_SECRET_0 is the key for encrypting application data on the server side;
CLIENT_HANDSHAKE_TRAFFIC_SECRET is the key used by the client to encrypt the handshake message;
CLIENT_TRAFFIC_SECRET_0 is the key for encrypting application data on the client side.
No session to resume.
Produced ClientHello handshake message
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "C6 D4 B5 79 08 D9 1D D1 55 94 73 06 09 E0 6B BC C6 BD 71 C2 4F 9C 76 3D C8 46 01 B5 31 6A 93 F9",
"session id" : "34 48 28 7C 64 B3 03 37 86 2A 6B EB 7E 51 62 DC 74 80 1E 57 77 01 B7 C5 D5 0D 5C 94 34 B5 70 96",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=www.facebook.com
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: BC 73 6E 4F 12 5E 8E 42 90 32 56 F6 5C 4F 1A 07 .snO.^.B.2V.\O..
...
}
},
]
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
Consuming ServerHello handshake message
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "EB 32 A7 CA 33 A8 57 E5 DE F2 0D 0F 39 C2 AA 95 0A BF A6 26 48 A0 0B 7E 89 90 0B 4C 39 48 D3 C8",
"session id" : "34 48 28 7C 64 B3 03 37 86 2A 6B EB 7E 51 62 DC 74 80 1E 57 77 01 B7 C5 D5 0D 5C 94 34 B5 70 96",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 68 42 BE 6F 3B 35 44 8F 9F 0F D3 86 47 8C AB 97 hB.o;5D.....G...
...
}
},
}
]
}
Negotiated protocol version: TLSv1.3
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: supported_versions
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: key_share
Consuming ChangeCipherSpec message
Consuming EncryptedExtensions handshake message
"EncryptedExtensions": [
"application_layer_protocol_negotiation (16)": {
[h2]
}
]
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: application_layer_protocol_negotiation
Consuming server Certificate handshake message
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
{
"certificate" : {
"version" : "v3",
"serial number" : "03 77 ED DC FA F8 BE 34 BA 23 3C 7C 2B 9A 31 7F",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"not before" : "2021-02-10 24:00:00.000 GMT",
"not after" : "2021-05-11 24:59:59.000 BST",
"subject" : "CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US",
"subject public key" : "EC",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/sha2-ha-server-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/sha2-ha-server-g6.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1B 68 74 74 70 3A 2F 2F 77 77 77 2E 64 69 67 ..http://www.dig
0010: 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 icert.com/CPS
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.facebook.com
DNSName: *.facebook.net
DNSName: *.fbcdn.net
DNSName: *.fbsbx.com
DNSName: *.m.facebook.com
DNSName: *.messenger.com
DNSName: *.xx.fbcdn.net
DNSName: *.xy.fbcdn.net
DNSName: *.xz.fbcdn.net
DNSName: facebook.com
DNSName: messenger.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A1 DE 5B 01 7E 24 95 35 8A 6B D8 F1 A2 D8 DE 6C ..[..$.5.k.....l
0010: F2 7F D0 72 ...r
]
]
}
]}
"extensions": {
<no extension>
}
},
{
"certificate" : {
"version" : "v3",
"serial number" : "04 E1 E7 A4 DC 5C F2 F3 6D C0 2B 42 B8 5D 15 9F",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"not before" : "2013-10-22 13:00:00.000 BST",
"not after" : "2028-10-22 13:00:00.000 BST",
"subject" : "CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B1 3E C3 69 03 F8 BF 47 01 D4 98 26 1A 08 02 EF .>.i...G...&....
0010: 63 64 2B C3 cd+.
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]
}
]}
"extensions": {
<no extension>
}
},
]
}
Consuming CertificateVerify handshake message
"CertificateVerify": {
"signature algorithm": ecdsa_secp256r1_sha256
"signature": {
0000: 30 44 02 20 54 1B D0 4E 1F 4A 1D 81 14 5D 09 13 0D. T..N.J...]..
...
0040: 80 3D 18 55 09 76 .=.U.v
}
}
Consuming server Finished handshake message
"Finished": {
"verify data": {
0000: 82 87 22 9A 5B 35 71 7C C3 6C F7 09 12 47 76 28 ..".[5q..l...Gv(
...
}'}
Produced client Finished handshake message
"Finished": {
"verify data": {
0000: AC EF AD 9B 52 3C 8A 2B B2 EB 9A 4B 11 90 C1 4D ....R<.+...K...M
...
}'}
Consuming NewSessionTicket message
"NewSessionTicket": {
"ticket_lifetime" : "172,800",
"ticket_age_add" : "<omitted>",
"ticket_nonce" : "",
"ticket" : {
0000: 6E 93 6F BF 75 B2 6B EE 99 2C C6 F0 7B 13 EE 10 n.o.u.k..,......
...
0080: D4 13 1C BB
} "extensions" : [
<no extension>
]
}
Session resumed via session tickets
Found resumable session. Preparing PSK message.
Produced ClientHello handshake message
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "DD 34 BC EB 28 54 19 09 5F C5 CA F1 83 7E 67 7D FE 3D BB 76 CE 53 59 AB 80 F7 C3 E5 4F 40 4A 53",
"session id" : "",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=www.facebook.com
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
"ticket" : {
0000: 6E 93 6F BF 75 B2 6B EE 99 2C C6 F0 7B 13 EE 10 n.o.u.k..,......
...
0080: D4 13 1C BB
}
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: DB 61 AF 14 CF BB 63 42 C4 70 2A 71 4C A3 EB 79 .a....cB.p*qL..y
...
}
},
]
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"pre_shared_key (41)": {
"PreSharedKey": {
"identities": {
{
0000: 6E 93 6F BF 75 B2 6B EE 99 2C C6 F0 7B 13 EE 10 n.o.u.k..,......
...
0080: D4 13 1C BB
}
} "binders": " {B2 2A 3E 8C 5B 81 22 F2 E7 A4 2A BA F8 41 E9 63 A3 AF 43 84 C7 A0 B9 4C E3 24 BE 76 6D E3 3F 80}",
}
}
]
}
Consuming ServerHello handshake message
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "8E 9D 63 CE 52 76 5C 6F 36 42 64 BF 6E 4E 7A C6 E5 EA E7 FC 1A 4B 38 7E 6D 3F 42 32 0C 1B 73 8E",
"session id" : "",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: C8 11 0B E3 07 D8 63 DB 1A FF 27 01 8C 9F 72 3F ......c...'...r?
...
}
},
},
"pre_shared_key (41)": {
"PreSharedKey": {
"selected_identity" : "0x0000",
}
}
]
}
Negotiated protocol version: TLSv1.3
Resuming session:
Session(1615365905292|TLS_AES_128_GCM_SHA256)
Using PSK to derive early secret
Consuming EncryptedExtensions handshake message
"EncryptedExtensions": [
"application_layer_protocol_negotiation (16)": {
[h2]
}
]
Consuming server Finished handshake message
"Finished": {
"verify data": {
0000: A4 FE 97 15 DA 48 EE 7D 7A CC D8 B3 82 98 53 89 .....H..z.....S.
...
}'}
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: supported_versions
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: key_share
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: pre_shared_key
Mar 10, 2021 8:45:05 AM sun.security.ssl.SSLLogger log
WARNING: Ignore impact of unsupported extension: application_layer_protocol_negotiation
Produced client Finished handshake message
"Finished": {
"verify data": {
0000: 4D 4C 7E 7E 1A 85 BB 84 8C 34 B6 8A DC EC 72 03 ML.......4....r.
0010: 1D 7C C9 61 7E F8 D3 BA 60 72 CB BD 24 30 2B EF ...a....`r..$0+.
}'}
Consuming NewSessionTicket message
"NewSessionTicket": {
"ticket_lifetime" : "172,800",
"ticket_age_add" : "<omitted>",
"ticket_nonce" : "",
"ticket" : {
0000: 19 65 E4 36 08 5B 93 1F BA 42 86 2B 75 5A 6A 0B .e.6.[...B.+uZj.
...
0070: BD 46 CC A0 6E A9 45 61 03 39 9A 2E 0C 5D CA 3B .F..n.Ea.9...].;
0080: 1A 30 20 AE
} "extensions" : [
<no extension>
]
}
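An added example (not from the question or from the JDK) that maps the ClientHello "random" field of a javax.net.debug log onto NSS key-log lines and checks that each line carries one of the TLS 1.3 labels listed above with a secret of the negotiated suite's hash length. The secret values in it are constructed placeholders; the log excerpt is assumed to be in the layout shown in the question.

```python
import re

# NSS key-log labels for a TLS 1.3 session (the five the question lists); each
# secret is as long as the negotiated cipher suite's hash (32 or 48 bytes).
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0")
HASH_LEN = {"TLS_AES_128_GCM_SHA256": 32, "TLS_CHACHA20_POLY1305_SHA256": 32,
            "TLS_AES_256_GCM_SHA384": 48}
# Line layout: <LABEL> <client_random, 64 hex chars> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed excerpt in javax.net.debug layout, using the ClientHello random above.
SAMPLE_LOG = '''Produced ClientHello handshake message
"ClientHello": {
"random" : "C6 D4 B5 79 08 D9 1D D1 55 94 73 06 09 E0 6B BC C6 BD 71 C2 4F 9C 76 3D C8 46 01 B5 31 6A 93 F9",
'''

def client_random_from_debug_log(log_text: str) -> bytes:
    """Pull the ClientHello 'random' field (space-separated hex) out of the debug log."""
    m = re.search(r'"ClientHello".*?"random"\s*:\s*"([0-9A-Fa-f ]+)"', log_text, re.S)
    if not m:
        raise ValueError("no ClientHello random found")
    return bytes.fromhex(m.group(1).replace(" ", ""))

def build_keylog(client_random: bytes, cipher_suite: str, secrets: dict) -> str:
    """Emit one key-log line per secret; reject labels/lengths Wireshark cannot use."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    lines = []
    for label, secret in secrets.items():
        if label not in TLS13_LABELS or len(secret) != HASH_LEN[cipher_suite]:
            raise ValueError(f"bad entry for {label}")
        lines.append(f"{label} {client_random.hex()} {secret.hex()}")
    return "\n".join(lines) + "\n"

def check_keylog_line(line: str, cipher_suite: str) -> bool:
    """Validate a line against the TLS 1.3 label set and the suite's hash length."""
    m = LINE_RE.match(line)
    if not m:
        return False
    label, _, secret = m.groups()
    return label in TLS13_LABELS and len(secret) == 2 * HASH_LEN.get(cipher_suite, -1)

def demo() -> str:
    cr = client_random_from_debug_log(SAMPLE_LOG)
    # Constructed dummy secrets, not real key material: the real values derive from
    # the (EC)DHE shared secret or PSK, which the handshake bytes do not carry, so
    # they have to be exported from inside the TLS stack, not parsed from the log.
    dummy = {label: bytes([i]) * 32 for i, label in enumerate(TLS13_LABELS, 1)}
    return build_keylog(cr, "TLS_AES_128_GCM_SHA256", dummy)
```

Wireshark needs only the client random plus these secrets, but the secrets cannot be reconstructed from the handshake messages alone: they depend on the (EC)DHE shared secret or the PSK, so they must be exported from inside the Java TLS stack rather than read off a handshake dump.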