Skip to content

chore: PQC GAPIC POC#13606

Draft
lqiu96 wants to merge 34 commits into
mainfrom
pqc-gapic-support-plan
Draft

chore: PQC GAPIC POC#13606
lqiu96 wants to merge 34 commits into
mainfrom
pqc-gapic-support-plan

Conversation

@lqiu96

@lqiu96 lqiu96 commented Jun 30, 2026

Copy link
Copy Markdown
Member

[DRAFT]

Branch that showcases the basic PQC support for GAPICs using gRPC and HttpJson. Adds a repro simply to showcase BigQuery using HttpJson with PQC support.

Added README and helper scripts to help with local testing.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces Post-Quantum Cryptography (PQC) support and verification tools, including a new integration test suite (ITPqc.java) for the GAPIC Showcase server and a standalone BigQuery tracing sample (BqPqcTest.java). Feedback on these changes highlights three critical issues: Conscrypt must be explicitly registered as a security provider in both ITPqc.java and BqPqcTest.java to prevent handshake failures and NoSuchProviderException errors, and the ManagedChannel initialization in ITPqc.java should be wrapped in a try-finally block to prevent resource leaks in case of setup failures.

Comment on lines +81 to +87
@BeforeAll
static void setUp() {
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Conscrypt must be registered as a security provider in order to negotiate the hybrid post-quantum key exchange (X25519MLKEM768). Without explicit registration, the tests will fall back to the default JDK provider (SunJSSE) and fail to negotiate the expected PQC group.

Suggested change
@BeforeAll
static void setUp() {
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}
@BeforeAll
static void setUp() {
Security.insertProviderAt(Conscrypt.newProvider(), 1);
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}

Comment on lines +45 to +53
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage());
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Conscrypt is not registered as a security provider in this standalone verification tool. This will cause SSLContext.getInstance("TLS", "Conscrypt") to throw a NoSuchProviderException when executed. Registering Conscrypt at the start of the main method ensures the provider is available and matches the expected output described in the README.

Suggested change
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage());
}
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
Security.insertProviderAt(Conscrypt.newProvider(), 1);
System.out.println("Registered Conscrypt provider at position 1.");
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to register or get Conscrypt version: " + t.getMessage());
}

@lqiu96 lqiu96 force-pushed the pqc-gapic-support-plan branch 5 times, most recently from bd8f7e8 to 0ca9d98 Compare June 30, 2026 21:31
…ence, and reuse TestClientInitializer constants

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 lqiu96 force-pushed the pqc-gapic-support-plan branch 4 times, most recently from 38db385 to fd647d8 Compare July 7, 2026 19:38
…lient options and programmatic properties

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 lqiu96 force-pushed the pqc-gapic-support-plan branch 2 times, most recently from c38cdac to 77226d4 Compare July 7, 2026 21:09
…e and drop TLS version assertions

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 lqiu96 force-pushed the pqc-gapic-support-plan branch from 77226d4 to 2d0fdf0 Compare July 8, 2026 01:04
lqiu96 added 4 commits July 9, 2026 20:48
TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…shot artifacts

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…o resolve gRPC snapshots

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 lqiu96 force-pushed the pqc-gapic-support-plan branch from 4512bf7 to 38288d3 Compare July 9, 2026 21:11
lqiu96 added 7 commits July 9, 2026 21:23
… detect CA cert path in ITPqc

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…6 fallback for SunJSSE

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…d snapshot JARs and install google-http-java-client test branch

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…e by default

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…tions

This updates DefaultHttpTransportFactory to configure Conscrypt and set PQC groups automatically when Conscrypt is available on the classpath. It also cleans up BqPqcTest to use the default transport builder options.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…BqPqcTest

This updates BqPqcTest to use TracingSSLSocketFactory to intercept the TLS handshake and assert that the negotiated elliptic curve matches X25519MLKEM768.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ncies

This moves Conscrypt dependency management to the central third-party-dependencies BOM and defines conscrypt.version centrally, fixing RequireUpperBoundDeps enforcer check failures in downstream modules.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed for 'gapic-generator-java-root'

Failed conditions
57.9% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed for 'gapic-generator-java-root'

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

lqiu96 added 11 commits July 15, 2026 02:18
Updates BqPqcTest to initialize and use Conscrypt's TrustManagerFactory, resolving SSLHandshakeException: Unknown authType: GENERIC during TLS 1.3 handshake verification.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
This ensures that the custom TracingHttpTransportFactory configured in BqPqcTest wraps the Conscrypt-looked up trust managers before passing them to the SSLContext, resolving the javax.net.ssl.SSLHandshakeException: Unknown authType: GENERIC error during test runs.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Updates BqPqcTest to instantiate TrustManagerFactory and SSLContext using the new SslUtils provider-aware lookup helpers. Calls SslUtils.initSslContext which automatically wraps the resulting trust managers using the workaround delegate, avoiding the GENERIC authType mismatch exception.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Removes fully qualified class references in BqPqcTest and deletes the namedGroups setter call on NetHttpTransport.Builder (which has been removed from the transport library).

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ries

Removes .setNamedGroups() configuration calls when instantiating NetHttpTransport in HttpTransportOptions and InstantiatingHttpJsonChannelProvider, aligning with the removal of the namedGroups setting from the transport library.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Introduces ConscryptPqcSSLSocketFactory in gax-httpjson to wrap Conscrypt SSLSocketFactories and enforce PQC named groups. GAX and Core HTTP clients use this socket factory by default when Conscrypt is present, providing out-of-the-box PQC support on JDK 8+.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…edGroupsSSLSocketFactory

Renames the wrapper to better describe its intent (configuring Conscrypt PQC named groups). Updates GAX and Core HTTP references.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…PQC test

Ensures that the custom TracingHttpTransportFactory chains ConscryptPqcNamedGroupsSSLSocketFactory, allowing programmatic curve negotiation checks to pass during verification runs.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…eflectively

Eliminates manual provider and context recreation in BqPqcTest. Instead, it extracts the default GAX socket factory (ConscryptPqcNamedGroupsSSLSocketFactory) using reflection and wraps it in TracingSSLSocketFactory, making the test cleaner and less fragile.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…json

Avoids version resolution errors when gax-httpjson is consumed outside the gax-java parent project (e.g. by google-cloud-bigquery/pqc-verification), ensuring transitive dependencies resolve correctly.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…SocketFactory

Updates the HTTP/JSON integration test for Showcase PQC verification to instantiate and wrap the Conscrypt factory with ConscryptPqcNamedGroupsSSLSocketFactory. This tests the actual production wrapper instead of the transport builder's JRE reflection method, ensuring compatibility across JDK 8+ environments during integration test runs.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant