chore: PQC GAPIC POC #13606
TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ttpTransport integration. Upgraded Conscrypt to 2.6-alpha5 to run tests. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…os and run tests TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
…ttpJson PQC and use doNotValidateCertificate TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Code Review
This pull request introduces Post-Quantum Cryptography (PQC) support and verification tools, including a new integration test suite (ITPqc.java) for the GAPIC Showcase server and a standalone BigQuery tracing sample (BqPqcTest.java). Feedback on these changes highlights three critical issues: Conscrypt must be explicitly registered as a security provider in both ITPqc.java and BqPqcTest.java to prevent handshake failures and NoSuchProviderException errors, and the ManagedChannel initialization in ITPqc.java should be wrapped in a try-finally block to prevent resource leaks in case of setup failures.
| @BeforeAll | ||
| static void setUp() { | ||
| caCertPath = "target/showcase-ca.pem"; | ||
| File certFile = new File(caCertPath); | ||
| assertThat(certFile.exists()).isTrue(); | ||
| assertThat(certFile.isFile()).isTrue(); | ||
| } |
Conscrypt must be registered as a security provider in order to negotiate the hybrid post-quantum key exchange (X25519MLKEM768). Without explicit registration, the tests will fall back to the default JDK provider (SunJSSE) and fail to negotiate the expected PQC group.
| @BeforeAll | |
| static void setUp() { | |
| caCertPath = "target/showcase-ca.pem"; | |
| File certFile = new File(caCertPath); | |
| assertThat(certFile.exists()).isTrue(); | |
| assertThat(certFile.isFile()).isTrue(); | |
| } | |
| @BeforeAll | |
| static void setUp() { | |
| Security.insertProviderAt(Conscrypt.newProvider(), 1); | |
| caCertPath = "target/showcase-ca.pem"; | |
| File certFile = new File(caCertPath); | |
| assertThat(certFile.exists()).isTrue(); | |
| assertThat(certFile.isFile()).isTrue(); | |
| } |
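Review bot: The suggested `Security.insertProviderAt(Conscrypt.newProvider(), 1)` in `setUp()` changes the provider order for the whole JVM, and nothing in the visible lines undoes it, so any other test class that runs in the same JVM afterwards will also resolve its default TLS and crypto lookups to Conscrypt. Consider pairing it with an `@AfterAll` that calls `Security.removeProvider("Conscrypt")`, or passing the provider instance explicitly to the code that builds the TLS context instead of making it the JVM default.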
| public static void main(String[] args) throws Exception { | ||
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | ||
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | ||
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | ||
| try { | ||
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | ||
| } catch (Throwable t) { | ||
| System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage()); | ||
| } |
Conscrypt is not registered as a security provider in this standalone verification tool. This will cause SSLContext.getInstance("TLS", "Conscrypt") to throw a NoSuchProviderException when executed. Registering Conscrypt at the start of the main method ensures the provider is available and matches the expected output described in the README.
| public static void main(String[] args) throws Exception { | |
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | |
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | |
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | |
| try { | |
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | |
| } catch (Throwable t) { | |
| System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage()); | |
| } | |
| public static void main(String[] args) throws Exception { | |
| System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version")); | |
| System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version")); | |
| System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")"); | |
| try { | |
| System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version()); | |
| Security.insertProviderAt(Conscrypt.newProvider(), 1); | |
| System.out.println("Registered Conscrypt provider at position 1."); | |
| } catch (Throwable t) { | |
| System.out.println("[DEBUG] Failed to register or get Conscrypt version: " + t.getMessage()); | |
| } |
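Review bot: In the suggested version the `catch (Throwable t)` now also covers `Security.insertProviderAt(...)`, so a failed registration is only printed as a `[DEBUG]` line and `main` carries on without Conscrypt. For a tool whose purpose is to verify the PQC handshake, a registration failure should stop the run: keep the version print inside the try and move the registration outside it so the exception propagates (`main` already declares `throws Exception`). The "Registered Conscrypt provider at position 1." message is also printed unconditionally; `insertProviderAt` returns -1 when the provider is already installed, so print the returned position rather than a fixed string.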
bd8f7e8 to 0ca9d98
…ence, and reuse TestClientInitializer constants TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
0ca9d98 to 164044a
[DRAFT]
Branch that showcases the basic PQC support for GAPICs using gRPC and HttpJson. Adds a repro simply to showcase BigQuery using HttpJson with PQC support.
Added README and helper scripts to help with local testing.