chore: PQC GAPIC POC #13606

Draft
lqiu96 wants to merge 10 commits into main from pqc-gapic-support-plan

@lqiu96 lqiu96 commented Jun 30, 2026

[DRAFT]

Branch that showcases the basic PQC support for GAPICs using gRPC and HttpJson. Adds a repro simply to showcase BigQuery using HttpJson with PQC support.

Added README and helper scripts to help with local testing.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces Post-Quantum Cryptography (PQC) support and verification tools, including a new integration test suite (ITPqc.java) for the GAPIC Showcase server and a standalone BigQuery tracing sample (BqPqcTest.java). Feedback on these changes highlights three critical issues: Conscrypt must be explicitly registered as a security provider in both ITPqc.java and BqPqcTest.java to prevent handshake failures and NoSuchProviderException errors, and the ManagedChannel initialization in ITPqc.java should be wrapped in a try-finally block to prevent resource leaks in case of setup failures.

Comment on lines +81 to +87
@BeforeAll
static void setUp() {
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}
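
Review bot: the two assertions on certFile in setUp() fail with a bare true/false mismatch that never names the file, and "target/showcase-ca.pem" is resolved against the JVM's working directory, so a run started from a different directory gives no hint about where the CA certificate was expected. The exists() check is also redundant, because isFile() already returns false for a missing path. Suggest a single isFile() assertion whose failure message includes certFile.getAbsolutePath().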

high

Conscrypt must be registered as a security provider in order to negotiate the hybrid post-quantum key exchange (X25519MLKEM768). Without explicit registration, the tests will fall back to the default JDK provider (SunJSSE) and fail to negotiate the expected PQC group.

Suggested change
@BeforeAll
static void setUp() {
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}
@BeforeAll
static void setUp() {
Security.insertProviderAt(Conscrypt.newProvider(), 1);
caCertPath = "target/showcase-ca.pem";
File certFile = new File(caCertPath);
assertThat(certFile.exists()).isTrue();
assertThat(certFile.isFile()).isTrue();
}
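
Review bot: Security.insertProviderAt(Conscrypt.newProvider(), 1) in the static setUp() reorders providers for the whole JVM, and nothing in the visible lines undoes it, so any test class that runs later in the same JVM also resolves its algorithms through Conscrypt first. Suggest removing the provider again in an @AfterAll (Security.removeProvider with the provider's name), or keeping the Provider instance in a field and passing it explicitly where this test builds its TLS configuration. The return value is also ignored: insertProviderAt returns -1 when a provider with that name is already installed, which is worth asserting on if position 1 matters for the negotiation.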

Comment on lines +45 to +53
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage());
}
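
Review bot: the catch (Throwable t) around Conscrypt.version() prints only t.getMessage(), which drops the exception type and can be null, so a linkage error and an ordinary runtime exception look the same in the [DEBUG] output. Suggest printing t itself (its toString() includes the class name), or catching the narrower types this call can actually raise.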

high

Conscrypt is not registered as a security provider in this standalone verification tool. This will cause SSLContext.getInstance("TLS", "Conscrypt") to throw a NoSuchProviderException when executed. Registering Conscrypt at the start of the main method ensures the provider is available and matches the expected output described in the README.

Suggested change
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to get Conscrypt version: " + t.getMessage());
}
public static void main(String[] args) throws Exception {
System.out.println("[DEBUG] Java Version: " + System.getProperty("java.version"));
System.out.println("[DEBUG] Java Runtime: " + System.getProperty("java.runtime.version"));
System.out.println("[DEBUG] Java VM : " + System.getProperty("java.vm.name") + " (" + System.getProperty("java.vm.version") + ")");
try {
System.out.println("[DEBUG] Conscrypt Version: " + Conscrypt.version());
Security.insertProviderAt(Conscrypt.newProvider(), 1);
System.out.println("Registered Conscrypt provider at position 1.");
} catch (Throwable t) {
System.out.println("[DEBUG] Failed to register or get Conscrypt version: " + t.getMessage());
}
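
Review bot: the added Security.insertProviderAt(...) call sits inside the try whose catch (Throwable t) only prints a [DEBUG] line, so if Conscrypt fails to load, main() carries on and reaches the NoSuchProviderException this suggestion is meant to prevent, now further from its cause. Suggest registering the provider outside the version-printing try and letting a failure stop the tool, or rethrowing from the catch. "Registered Conscrypt provider at position 1." is also printed without checking the result: insertProviderAt returns -1 if the provider was already installed, so print the returned position instead of a fixed message.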

@lqiu96 force-pushed the pqc-gapic-support-plan branch 5 times, most recently from bd8f7e8 to 0ca9d98 on June 30, 2026 21:31
…ence, and reuse TestClientInitializer constants

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 force-pushed the pqc-gapic-support-plan branch from 0ca9d98 to 164044a on June 30, 2026 22:04