Add HTTP PQC Example for Java 21 #504

Closed
JiriOndrusek wants to merge 2 commits into apache:main from JiriOndrusek:pqc-j21

@JiriOndrusek
Contributor

Fixes apache/camel-quarkus#8648

Adds a new Camel Quarkus example demonstrating native Post-Quantum Cryptography (PQC) support in TLS on Java 21 using BouncyCastle JSSE provider.

Summary

This example demonstrates the recommended approach for PQC on Java 21+, which is significantly simpler than the Java 17 workaround (http-pqc-j17).

Key Features

  • TLS 1.3 with X25519MLKEM768 hybrid cipher suite combining classical X25519 with quantum-resistant ML-KEM-768
  • BouncyCastle JSSE provider (bctls-jdk18on) for native PQC support
  • Standard Quarkus SSL configuration - no custom trust managers or manual signature validation needed
  • Auto-generated self-signed certificates for development and testing
  • Comprehensive documentation comparing Java 17 vs Java 21 approaches

Comparison with Java 17 Example

| Aspect | Java 17 (http-pqc-j17) | Java 21 (http-pqc-j21) |
|---|---|---|
| PQC Location | Application-level validation via custom X509TrustManager | Native TLS 1.3 protocol support |
| Certificate Type | Hybrid Chimera certificates (RSA + ML-DSA-65) | Standard X.509 certificates |
| Cipher Suite | Standard TLS, PQC validated separately | TLS_X25519MLKEM768 hybrid key exchange |
| Complexity | High - custom certificate generation, manual signature validation (2314 lines) | Low - standard Quarkus SSL configuration (622 lines) |
| Production Ready | Workaround for Java 17 limitations | Recommended approach for Java 21+ |

Implementation Details

  1. Security Provider: Registers BouncyCastle JSSE as primary provider on startup
  2. Certificate Generation: Auto-generates RSA-2048 keypairs and self-signed certificates
  3. TLS Configuration: Standard Quarkus SSL properties with mTLS enabled
  4. Hybrid Key Exchange: X25519 + ML-KEM-768 provides both classical and quantum resistance

Test Plan

  • ✅ Unit tests verify certificate generation and PQC endpoints
  • ✅ Integration test (HttpPqcIT) runs in native mode
  • ✅ All tests passing in JVM and native modes

Documentation

The example includes:

  • Comprehensive README with architecture diagrams
  • Comparison table showing differences from Java 17 approach
  • Migration guide from Java 17 to Java 21
  • References to NIST standards and IETF drafts

🤖 Generated with Claude Code
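
A wire-level check for the hybrid key exchange described in the pull request above, as an added example that is not part of the pull request or of the Camel Quarkus code: in TLS 1.3, X25519MLKEM768 is negotiated as a named group (IANA codepoint 0x11EC) in the ServerHello `key_share` extension, so parsing that extension shows whether a server really selected the hybrid group or fell back to classical X25519. The function names are hypothetical and the sample ServerHello bytes are constructed.

```python
import struct

# IANA "TLS Supported Groups" codepoints
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519", 0x11EC: "X25519MLKEM768"}
# Server share = ML-KEM-768 ciphertext (1088 bytes) + X25519 public key (32 bytes)
HYBRID_SERVER_SHARE_LEN = 1088 + 32


def negotiated_group(server_hello: bytes):
    """Return (group_name, share_len) from a TLS 1.3 ServerHello handshake message."""
    declared = int.from_bytes(server_hello[1:4], "big")
    body = server_hello[4:4 + declared]
    if server_hello[:1] != b"\x02" or len(body) != declared:
        raise ValueError("not a complete ServerHello handshake message")
    try:
        pos = 2 + 32                  # legacy_version + random
        pos += 1 + body[pos]          # legacy_session_id_echo
        pos += 2 + 1                  # cipher_suite + legacy_compression_method
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0x0033:    # key_share
                (group,) = struct.unpack_from("!H", body, pos)
                # A 2-byte key_share is a HelloRetryRequest: group chosen, no share yet
                share = struct.unpack_from("!H", body, pos + 2)[0] if ext_len > 2 else 0
                return GROUPS.get(group, hex(group)), share
            pos += ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ServerHello") from exc
    raise ValueError("no key_share extension, so not a TLS 1.3 ServerHello")


def is_hybrid_pqc(server_hello: bytes) -> bool:
    """True only if the server selected the hybrid group and sent a full-size share."""
    name, share_len = negotiated_group(server_hello)
    return name == "X25519MLKEM768" and share_len == HYBRID_SERVER_SHARE_LEN


def build_server_hello(group: int, share_len: int) -> bytes:
    """Constructed sample ServerHello (zeroed random and key share), demo input only."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)   # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 0x0033, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

The ServerHello is sent in cleartext, so the input can be taken from a packet capture of the handshake against the example's HTTPS endpoint.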

jamesnetherton and others added 2 commits May 1, 2026 09:17
Adds a new Camel Quarkus example demonstrating native Post-Quantum Cryptography
(PQC) support in TLS on Java 21 using BouncyCastle JSSE provider.

Key features:
- TLS 1.3 with X25519MLKEM768 hybrid cipher suite
- Native PQC support via BouncyCastle JSSE provider (bctls-jdk18on)
- Standard Quarkus SSL configuration - no custom trust managers needed
- Auto-generated self-signed certificates
- Comprehensive documentation comparing Java 17 vs Java 21 approaches

This example demonstrates the recommended approach for PQC on Java 21+,
which is significantly simpler than the Java 17 workaround (http-pqc-j17)
that requires custom X509TrustManager and manual signature validation.

Fixes #8648

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

Example: create an example PQC with http extension using java 21