chore: PQC GAPIC POC#13606
Conversation
TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ttpTransport integration. Upgraded Conscrypt to 2.6-alpha5 to run tests. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…os and run tests TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ttpJson PQC and use doNotValidateCertificate TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
There was a problem hiding this comment.
Code Review
This pull request introduces Post-Quantum Cryptography (PQC) support and verification tools, including a new integration test suite (ITPqc.java) for the GAPIC Showcase server and a standalone BigQuery tracing sample (BqPqcTest.java). Feedback on these changes highlights three critical issues: Conscrypt must be explicitly registered as a security provider in both ITPqc.java and BqPqcTest.java to prevent handshake failures and NoSuchProviderException errors, and the ManagedChannel initialization in ITPqc.java should be wrapped in a try-finally block to prevent resource leaks in case of setup failures.
| @BeforeAll | ||
| static void setUp() { | ||
| caCertPath = "target/showcase-ca.pem"; | ||
| File certFile = new File(caCertPath); | ||
| assertThat(certFile.exists()).isTrue(); | ||
| assertThat(certFile.isFile()).isTrue(); | ||
| } |
There was a problem hiding this comment.
Conscrypt must be registered as a security provider in order to negotiate the hybrid post-quantum key exchange (X25519MLKEM768). Without explicit registration, the tests will fall back to the default JDK provider (SunJSSE) and fail to negotiate the expected PQC group.
| @BeforeAll | |
| static void setUp() { | |
| caCertPath = "target/showcase-ca.pem"; | |
| File certFile = new File(caCertPath); | |
| assertThat(certFile.exists()).isTrue(); | |
| assertThat(certFile.isFile()).isTrue(); | |
| } | |
| @BeforeAll | |
| static void setUp() { | |
| Security.insertProviderAt(Conscrypt.newProvider(), 1); | |
| caCertPath = "target/showcase-ca.pem"; | |
| File certFile = new File(caCertPath); | |
| assertThat(certFile.exists()).isTrue(); | |
| assertThat(certFile.isFile()).isTrue(); | |
| } |
| public static void main(String[] args) throws Exception { | ||
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | ||
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | ||
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | ||
| try { | ||
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | ||
| } catch (Throwable t) { | ||
| System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage()); | ||
| } |
There was a problem hiding this comment.
Conscrypt is not registered as a security provider in this standalone verification tool. This will cause SSLContext.getInstance("TLS", "Conscrypt") to throw a NoSuchProviderException when executed. Registering Conscrypt at the start of the main method ensures the provider is available and matches the expected output described in the README.
| public static void main(String[] args) throws Exception { | |
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | |
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | |
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | |
| try { | |
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | |
| } catch (Throwable t) { | |
| System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage()); | |
| } | |
| public static void main(String[] args) throws Exception { | |
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | |
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | |
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | |
| try { | |
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | |
| Security.insertProviderAt(Conscrypt.newProvider(), 1); | |
| System.out.println("Registered Conscrypt provider at position 1."); | |
| } catch (Throwable t) { | |
| System.out.println("[DEBUG] Failed to register or get Conscrypt version: " + t.getMessage()); | |
| } |
bd8f7e8 to
0ca9d98
Compare
…ence, and reuse TestClientInitializer constants TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
38db385 to
fd647d8
Compare
…lient options and programmatic properties TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
c38cdac to
77226d4
Compare
…e and drop TLS version assertions TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
77226d4 to
2d0fdf0
Compare
TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…shot artifacts TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…o resolve gRPC snapshots TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
4512bf7 to
38288d3
Compare
… detect CA cert path in ITPqc TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…6 fallback for SunJSSE TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…d snapshot JARs and install google-http-java-client test branch TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…e by default TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…tions This updates DefaultHttpTransportFactory to configure Conscrypt and set PQC groups automatically when Conscrypt is available on the classpath. It also cleans up BqPqcTest to use the default transport builder options. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…BqPqcTest This updates BqPqcTest to use TracingSSLSocketFactory to intercept the TLS handshake and assert that the negotiated elliptic curve matches X25519MLKEM768. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ncies This moves Conscrypt dependency management to the central third-party-dependencies BOM and defines conscrypt.version centrally, fixing RequireUpperBoundDeps enforcer check failures in downstream modules. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
|
|
Updates BqPqcTest to initialize and use Conscrypt's TrustManagerFactory, resolving SSLHandshakeException: Unknown authType: GENERIC during TLS 1.3 handshake verification. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
This ensures that the custom TracingHttpTransportFactory configured in BqPqcTest wraps the Conscrypt-looked up trust managers before passing them to the SSLContext, resolving the javax.net.ssl.SSLHandshakeException: Unknown authType: GENERIC error during test runs. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Updates BqPqcTest to instantiate TrustManagerFactory and SSLContext using the new SslUtils provider-aware lookup helpers. Calls SslUtils.initSslContext which automatically wraps the resulting trust managers using the workaround delegate, avoiding the GENERIC authType mismatch exception. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Removes fully qualified class references in BqPqcTest and deletes the namedGroups setter call on NetHttpTransport.Builder (which has been removed from the transport library). TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ries Removes .setNamedGroups() configuration calls when instantiating NetHttpTransport in HttpTransportOptions and InstantiatingHttpJsonChannelProvider, aligning with the removal of the namedGroups setting from the transport library. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Introduces ConscryptPqcSSLSocketFactory in gax-httpjson to wrap Conscrypt SSLSocketFactories and enforce PQC named groups. GAX and Core HTTP clients use this socket factory by default when Conscrypt is present, providing out-of-the-box PQC support on JDK 8+. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…edGroupsSSLSocketFactory Renames the wrapper to better describe its intent (configuring Conscrypt PQC named groups). Updates GAX and Core HTTP references. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…PQC test Ensures that the custom TracingHttpTransportFactory chains ConscryptPqcNamedGroupsSSLSocketFactory, allowing programmatic curve negotiation checks to pass during verification runs. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…eflectively Eliminates manual provider and context recreation in BqPqcTest. Instead, it extracts the default GAX socket factory (ConscryptPqcNamedGroupsSSLSocketFactory) using reflection and wraps it in TracingSSLSocketFactory, making the test cleaner and less fragile. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…json Avoids version resolution errors when gax-httpjson is consumed outside the gax-java parent project (e.g. by google-cloud-bigquery/pqc-verification), ensuring transitive dependencies resolve correctly. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…SocketFactory Updates the HTTP/JSON integration test for Showcase PQC verification to instantiate and wrap the Conscrypt factory with ConscryptPqcNamedGroupsSSLSocketFactory. This tests the actual production wrapper instead of the transport builder's JRE reflection method, ensuring compatibility across JDK 8+ environments during integration test runs. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61


[DRAFT]
Branch that showcases the basic PQC support for GAPICs using gRPC and HttpJson. Adds a repro simply to showcase BigQuery using HttpJson with PQC support.
Added README and helper scripts to help with local testing.