+ * Certificates are automatically generated at application startup by
+ * {@link SecurityConfiguration} if they don't already exist.
+ */
+public class CertificateGenerator {
+
+ private static final Logger LOG = Logger.getLogger(CertificateGenerator.class);
+
+ // WARNING: This password is hardcoded for DEMONSTRATION purposes only.
+ // In production, use environment variables, secrets management, or secure configuration.
+ // NEVER commit real passwords to source control.
+ private static final String KEYSTORE_PASSWORD = "changeit";
+ private static final String CERT_DIR = "target/certs";
+
+ /**
+ * Certificate data holder for keypairs and certificates.
+ */
+ public static class CertificateData {
+ public final KeyPair keyPair;
+ public final X509Certificate certificate;
+
+ public CertificateData(KeyPair keyPair, X509Certificate certificate) {
+ this.keyPair = keyPair;
+ this.certificate = certificate;
+ }
+ }
+
+ // Cache certificate data to ensure keystores and truststores use the same certificates
+ private static CertificateData serverData;
+ private static CertificateData clientData;
+
+ public static void generateCertificatesIfNeeded() {
+ File certDir = new File("target/certs");
+ File serverKeystore = new File(certDir, "server-keystore.p12");
+
+ // Check if certificates already exist (they might have been generated by CertificateTestResource in test mode)
+ if (serverKeystore.exists()) {
+ LOG.info("Certificates already exist, skipping generation");
+ return;
+ }
+
+ try {
+ LOG.info("Generating fresh PQC-ready keystores...");
+ generateServerKeystore();
+ generateClientKeystore();
+ generateTruststores();
+ LOG.info("PQC-ready keystores generated successfully");
+ } catch (Exception e) {
+ LOG.error("Failed to generate PQC-ready keystores", e);
+ throw new RuntimeException("Keystore generation failed", e);
+ }
+ }
+
+ /**
+ * Generates server keystore with RSA certificate.
+ */
+ public static void generateServerKeystore() throws Exception {
+ serverData = generateCertificateData("CN=localhost,O=Camel Quarkus,C=US", true);
+ saveKeyStore(Paths.get(CERT_DIR, "server-keystore.p12"), serverData.keyPair, serverData.certificate, "server");
+ LOG.info("Server keystore created: " + CERT_DIR + "/server-keystore.p12");
+ }
+
+ /**
+ * Generates client keystore with RSA certificate.
+ */
+ public static void generateClientKeystore() throws Exception {
+ clientData = generateCertificateData("CN=client,O=Camel Quarkus,C=US", false);
+ saveKeyStore(Paths.get(CERT_DIR, "client-keystore.p12"), clientData.keyPair, clientData.certificate, "client");
+ LOG.info("Client keystore created: " + CERT_DIR + "/client-keystore.p12");
+ }
+
+ /**
+ * Generates truststores for both server and client using the cached certificate data.
+ * Must be called after generateServerKeystore() and generateClientKeystore().
+ */
+ public static void generateTruststores() throws Exception {
+ if (serverData == null || clientData == null) {
+ throw new IllegalStateException("Must call generateServerKeystore() and generateClientKeystore() first");
+ }
+
+ saveTrustStore(Paths.get(CERT_DIR, "server-truststore.p12"), clientData.certificate, "client-ca");
+ LOG.info("Server truststore created: " + CERT_DIR + "/server-truststore.p12");
+
+ saveTrustStore(Paths.get(CERT_DIR, "client-truststore.p12"), serverData.certificate, "server-ca");
+ LOG.info("Client truststore created: " + CERT_DIR + "/client-truststore.p12");
+ }
+
+ /**
+ * Generates a certificate with RSA keypair.
+ *
+ * @param dn The DN for the certificate subject
+ * @param isCA Whether this is a CA certificate
+ * @return CertificateData containing keypair and certificate
+ */
+ private static CertificateData generateCertificateData(String dn, boolean isCA) throws Exception {
+ KeyPair keyPair = generateKeyPair();
+ X509Certificate certificate = generateCertificate(keyPair, dn, isCA);
+ return new CertificateData(keyPair, certificate);
+ }
+
+ private static KeyPair generateKeyPair() throws Exception {
+ KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+ // Use 4096-bit RSA for future-proofing, consistent with PQC security goals
+ keyPairGenerator.initialize(4096, new SecureRandom());
+ return keyPairGenerator.generateKeyPair();
+ }
+
+ private static X509Certificate generateCertificate(KeyPair keyPair, String dn, boolean isCA) throws Exception {
+ long now = System.currentTimeMillis();
+ Date notBefore = new Date(now);
+ // Valid for 3 years for development convenience
+ Date notAfter = new Date(now + 1095L * 24 * 60 * 60 * 1000);
+
+ X500Name dnName = new X500Name(dn);
+ // Use SecureRandom for better entropy in serial numbers
+ BigInteger serial = new BigInteger(64, new SecureRandom());
+
+ X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+ dnName,
+ serial,
+ notBefore,
+ notAfter,
+ dnName,
+ keyPair.getPublic());
+
+ certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCA));
+
+ // Use default SUN provider for RSA signing - no need for BC provider
+ ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
+ .build(keyPair.getPrivate());
+
+ return new JcaX509CertificateConverter()
+ .getCertificate(certBuilder.build(signer));
+ }
+
+ private static void saveKeyStore(Path path, KeyPair keyPair, X509Certificate cert, String alias) throws Exception {
+ Path dirPath = path.getParent();
+ if (!Files.exists(dirPath)) {
+ Files.createDirectories(dirPath);
+ LOG.info("Created directory: " + dirPath);
+ }
+
+ // Use SUN provider for PKCS12 to ensure compatibility with curl/OpenSSL
+ KeyStore keyStore = KeyStore.getInstance("PKCS12");
+ keyStore.load(null, null);
+ keyStore.setKeyEntry(alias, keyPair.getPrivate(), KEYSTORE_PASSWORD.toCharArray(),
+ new Certificate[] { cert });
+
+ try (FileOutputStream fos = new FileOutputStream(path.toFile())) {
+ keyStore.store(fos, KEYSTORE_PASSWORD.toCharArray());
+ }
+ }
+
+ private static void saveTrustStore(Path path, X509Certificate cert, String alias) throws Exception {
+ Path dirPath = path.getParent();
+ if (!Files.exists(dirPath)) {
+ Files.createDirectories(dirPath);
+ LOG.info("Created directory: " + dirPath);
+ }
+
+ // Use SUN provider for PKCS12 to ensure compatibility with curl/OpenSSL
+ KeyStore trustStore = KeyStore.getInstance("PKCS12");
+ trustStore.load(null, null);
+ trustStore.setCertificateEntry(alias, cert);
+
+ try (FileOutputStream fos = new FileOutputStream(path.toFile())) {
+ trustStore.store(fos, KEYSTORE_PASSWORD.toCharArray());
+ }
+ }
+
+ public static void main(String[] args) {
+ try {
+ LOG.info("Generating PQC-ready certificates...");
+ generateServerKeystore();
+ generateClientKeystore();
+ generateTruststores();
+ LOG.info("PQC-ready certificates generated successfully");
+ } catch (Exception e) {
+ LOG.error("Failed to generate certificates", e);
+ System.exit(1);
+ }
+ }
+}
diff --git a/http-pqc-j21/src/main/java/org/acme/http/pqc/certificates/SecurityConfiguration.java b/http-pqc-j21/src/main/java/org/acme/http/pqc/certificates/SecurityConfiguration.java
new file mode 100644
index 00000000..fab5cda2
--- /dev/null
+++ b/http-pqc-j21/src/main/java/org/acme/http/pqc/certificates/SecurityConfiguration.java
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc.certificates;
+
+import java.security.Security;
+
+import io.quarkus.arc.DefaultBean;
+import io.quarkus.runtime.StartupEvent;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
+import org.eclipse.microprofile.config.ConfigProvider;
+import org.jboss.logging.Logger;
+
+@DefaultBean
+@ApplicationScoped
+public class SecurityConfiguration {
+
+ private static final Logger LOG = Logger.getLogger(SecurityConfiguration.class);
+
+ void onStart(@Observes StartupEvent ev) {
+ // Detect native mode
+ boolean isNativeMode = "executable".equals(System.getProperty("org.graalvm.nativeimage.kind"));
+
+ if (isNativeMode) {
+ // In native mode, providers are already registered at build time via -H:AdditionalSecurityProviders
+ // We cannot remove and re-register them. Just verify they're present.
+ LOG.info("Native mode: Verifying build-time registered providers");
+ LOG.info("BC provider: " + Security.getProvider("BC"));
+ LOG.info("BCJSSE provider: " + Security.getProvider("BCJSSE"));
+ } else {
+ // Configure JSSE to enable PQC hybrid key exchange algorithms
+ // X25519MLKEM768 combines classical X25519 ECDH with quantum-resistant ML-KEM-768
+ String namedGroups = ConfigProvider.getConfig().getValue("jdk.tls.namedGroups",
+ String.class);
+ if (namedGroups != null) {
+ System.setProperty("jdk.tls.namedGroups", namedGroups);
+ LOG.info("Configured TLS named groups for PQC: " + namedGroups);
+ }
+
+ // JVM mode: Remove existing providers to ensure clean state for each test
+ if (Security.getProvider("BCJSSE") != null) {
+ Security.removeProvider("BCJSSE");
+ LOG.info("Removed existing BouncyCastleJsseProvider");
+ }
+ if (Security.getProvider("BC") != null) {
+ Security.removeProvider("BC");
+ LOG.info("Removed existing BouncyCastleProvider");
+ }
+
+ // Register BC at the end (low priority) so BCJSSE can use it
+ // for key conversion, while JDK's SUN/SunJCE remain the preferred
+ // providers for PKCS12 KeyStore and PBE algorithms.
+ Security.addProvider(new BouncyCastleProvider());
+ LOG.info("Registered BouncyCastleProvider at end of provider list");
+
+ // Register BCJSSE at position 2 for TLS (after DefaultSecureRandom provider).
+ // BCJSSE will now be able to call SecureRandom.getInstance("DEFAULT") successfully.
+ Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
+ LOG.info("Registered BouncyCastleJsseProvider at position 2");
+ }
+
+ // Generate certificates if they don't exist (for dev mode)
+ // In test mode, CertificateTestResource handles this, but for dev/prod mode we need to generate them here
+ CertificateGenerator.generateCertificatesIfNeeded();
+ }
+
+}
diff --git a/http-pqc-j21/src/main/resources/application.properties b/http-pqc-j21/src/main/resources/application.properties
new file mode 100644
index 00000000..a72b3831
--- /dev/null
+++ b/http-pqc-j21/src/main/resources/application.properties
@@ -0,0 +1,59 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+#
+# Quarkus
+#
+quarkus.banner.enabled = false
+quarkus.log.file.enabled = true
+
+# HTTPS Configuration with PQC Support (Java 21 + BouncyCastle JSSE)
+# Use port 0 to get a random available port (prevents port conflicts in tests)
+quarkus.http.ssl-port = 0
+quarkus.http.insecure-requests = disabled
+
+# Server keystore (use target/ path which works in both JVM and native mode)
+quarkus.http.ssl.certificate.key-store-file = target/certs/server-keystore.p12
+quarkus.http.ssl.certificate.key-store-password = changeit
+quarkus.http.ssl.certificate.key-store-file-type = PKCS12
+
+# Require client certificates
+quarkus.http.ssl.client-auth = required
+
+# Truststore for client certificate validation (use target/ path which works in both JVM and native mode)
+quarkus.http.ssl.certificate.trust-store-file = target/certs/server-truststore.p12
+quarkus.http.ssl.certificate.trust-store-password = changeit
+quarkus.http.ssl.certificate.trust-store-file-type = PKCS12
+
+# TLS 1.3 configuration
+# Protocol version - TLS 1.3 supports hybrid key exchange algorithms
+quarkus.http.ssl.protocols = TLSv1.3
+
+#
+# Quarkus - Camel
+#
+quarkus.camel.health.enabled = true
+
+#
+# Native image configuration - include certificate files as resources
+#
+quarkus.native.resources.includes = target/certs/*.p12
+
+
+#
+# By default, fallback to non-pqc is allowed (test profiles override this value)
+#
+jdk.tls.namedGroups=X25519MLKEM768,x25519,secp256r1
\ No newline at end of file
diff --git a/http-pqc-j21/src/test/java/org/acme/http/pqc/AbstractPqcTest.java b/http-pqc-j21/src/test/java/org/acme/http/pqc/AbstractPqcTest.java
new file mode 100644
index 00000000..30c69ce5
--- /dev/null
+++ b/http-pqc-j21/src/test/java/org/acme/http/pqc/AbstractPqcTest.java
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc;
+
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.Security;
+import java.util.Arrays;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.TrustManagerFactory;
+
+import io.restassured.RestAssured;
+import io.restassured.config.RestAssuredConfig;
+import io.restassured.config.SSLConfig;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.HttpResponse;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
+import org.jboss.logging.Logger;
+import org.junit.jupiter.api.BeforeAll;
+
+import static io.restassured.RestAssured.given;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Abstract base class for Apache HttpClient PQC tests with explicit provider selection.
+ * Tests both BCJSSE (PQC-capable) and SunJSSE (classical only) providers.
+ *
+ * Certificates are generated before tests via CertificateTestResource.
+ */
+abstract class AbstractPqcTest {
+
+ private static final Logger LOG = Logger.getLogger(AbstractPqcTest.class);
+
+ @BeforeAll
+ static void setupSecurityProviders() {
+ // Register BouncyCastle providers for test client (runs in JVM, not in native binary)
+ // The native server has its own BC providers, but test client needs them too
+ if (Security.getProvider("BC") == null) {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+ if (Security.getProvider("BCJSSE") == null) {
+ Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
+ }
+ }
+
+ void testRestAssuredConnection() throws Exception {
+ // RestAssured.port is automatically set by Quarkus to the actual SSL port
+ LOG.info("RestAssured test - using default JSSE provider (should be BCJSSE) on port " + RestAssured.port);
+
+ given()
+ .config(RestAssuredConfig.config().sslConfig(
+ SSLConfig.sslConfig()
+ .keyStore("target/certs/client-keystore.p12", "changeit")
+ .trustStore("target/certs/client-truststore.p12", "changeit")
+ .allowAllHostnames()))
+ .baseUri("https://localhost:" + RestAssured.port)
+ .when()
+ .get("/pqc/secure")
+ .then()
+ .statusCode(200);
+ }
+
+ void testHttpClientConnection(String securityProvider, boolean expectFailure) throws Exception {
+ boolean failedAsExpected = false;
+
+ try {
+ SSLContext sslContext = createSslContext(securityProvider);
+
+ // Create custom SSLConnectionSocketFactory that explicitly sets named groups
+ SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext,
+ NoopHostnameVerifier.INSTANCE) {
+ @Override
+ protected void prepareSocket(javax.net.ssl.SSLSocket socket) throws java.io.IOException {
+ super.prepareSocket(socket);
+ // Explicitly set named groups on the socket's SSL parameters
+ String configuredGroups = System.getProperty("jdk.tls.namedGroups", "X25519MLKEM768");
+ try {
+ SSLParameters sslParams = socket.getSSLParameters();
+ String[] namedGroupsArray = configuredGroups.split(",");
+ for (int i = 0; i < namedGroupsArray.length; i++) {
+ namedGroupsArray[i] = namedGroupsArray[i].trim();
+ }
+ sslParams.setNamedGroups(namedGroupsArray);
+ sslParams.setProtocols(new String[] { "TLSv1.3" });
+ socket.setSSLParameters(sslParams);
+ LOG.info("Set named groups on socket: " + Arrays.toString(namedGroupsArray));
+ } catch (Exception e) {
+ LOG.warn("Could not set named groups on socket: " + e.getMessage());
+ }
+ }
+ };
+
+ HttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
+ .setSSLSocketFactory(sslSocketFactory)
+ .build();
+
+ try (CloseableHttpClient httpClient = HttpClients.custom()
+ .setConnectionManager(connectionManager)
+ .build()) {
+
+ HttpGet request = new HttpGet("https://localhost:" + RestAssured.port + "/pqc/secure");
+ int responseStatus = httpClient.execute(request, HttpResponse::getCode);
+
+ if (expectFailure) {
+ fail(securityProvider + " should have failed but got response status : " + responseStatus);
+ } else {
+ assertTrue(responseStatus == 200, "Expected response status is 200");
+ }
+ }
+ } catch (NoClassDefFoundError | ExceptionInInitializerError | javax.net.ssl.SSLHandshakeException
+ | org.apache.hc.client5.http.HttpHostConnectException e) {
+ assertTrue(e.getMessage().toLowerCase().contains("connection refused"),
+ "Different reason - '%s' - of failure then expected".formatted(e.getMessage()));
+ }
+ }
+
+ protected SSLContext createSslContext(String provider) throws Exception {
+
+ KeyStore keyStore = KeyStore.getInstance("PKCS12");
+ try (FileInputStream fis = new FileInputStream("target/certs/client-keystore.p12")) {
+ keyStore.load(fis, "changeit".toCharArray());
+ }
+
+ KeyStore trustStore = KeyStore.getInstance("PKCS12");
+ try (FileInputStream fis = new FileInputStream("target/certs/client-truststore.p12")) {
+ trustStore.load(fis, "changeit".toCharArray());
+ }
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(keyStore, "changeit".toCharArray());
+
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(trustStore);
+
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.3", provider);
+ sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+
+ return sslContext;
+ }
+}
diff --git a/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcOnlyTest.java b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcOnlyTest.java
new file mode 100644
index 00000000..82eb2adb
--- /dev/null
+++ b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcOnlyTest.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc;
+
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.TestProfile;
+import org.acme.http.pqc.profiles.PqcOnlyProfile;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Test Apache HTTP Client with explicit provider selection on PQC-only server.
+ *
+ * Expected results:
+ * - BCJSSE: SUCCESS (supports X25519MLKEM768)
+ * - SunJSSE: FAILURE (does not support X25519MLKEM768)
+ *
+ * This proves that X25519MLKEM768 requires BouncyCastle JSSE.
+ *
+ * Note: @Order(2) ensures this test runs AFTER PqcWithFallbackTest.
+ * SunJSSE's static initialization fails with PQC-only config and permanently marks the
+ * class as failed. The fallback test must run first to validate SunJSSE works with classical algorithms.
+ *
+ * This test doesn't have a native *IT child, because the native executable can be build only with 1 configuration.
+ */
+@QuarkusTest
+@TestProfile(PqcOnlyProfile.class)
+@Order(2)
+class PqcOnlyTest extends AbstractPqcTest {
+
+ @Test
+ void testRestAssured() throws Exception {
+ testRestAssuredConnection();
+ }
+
+ @Test
+ void testHttpClientWithBCJSSE() throws Exception {
+ testHttpClientConnection("BCJSSE", false);
+ }
+
+ @Test
+ void testHttpClientWithSunJSSE() throws Exception {
+ testHttpClientConnection("SunJSSE", true);
+ }
+}
diff --git a/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackIT.java b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackIT.java
new file mode 100644
index 00000000..b3767258
--- /dev/null
+++ b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackIT.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc;
+
+import io.quarkus.test.junit.QuarkusIntegrationTest;
+
+/**
+ * Native integration test for PqcWithFallbackTest.
+ * Runs the same tests as PqcWithFallbackTest but against a native binary
+ * built with PQC+fallback configuration (X25519MLKEM768,x25519,secp256r1).
+ *
+ * This test runs FIRST in native mode (integration-test phase) against a binary
+ * built with fallback support. After this test completes, the native binary is
+ * rebuilt with PQC-only config for PqcOnlyIT.
+ *
+ * BC providers are registered by CertificateTestResource (inherited from AbstractPqcTest).
+ *
+ * Run with: mvn verify -Dnative
+ */
+@QuarkusIntegrationTest
+class PqcWithFallbackIT extends PqcWithFallbackTest {
+}
diff --git a/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackTest.java b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackTest.java
new file mode 100644
index 00000000..10c0f57f
--- /dev/null
+++ b/http-pqc-j21/src/test/java/org/acme/http/pqc/PqcWithFallbackTest.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc;
+
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.TestProfile;
+import org.acme.http.pqc.profiles.PqcWithFallbackProfile;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Test Apache HTTP Client with PQC+fallback configuration.
+ *
+ * Expected results:
+ * - BCJSSE: SUCCESS (supports X25519MLKEM768 and fallback)
+ * - SunJSSE: SUCCESS (ignores X25519MLKEM768, uses secp256r1 fallback)
+ *
+ * Note: @Order(1) ensures this test runs BEFORE PqcOnlyTest in JVM mode.
+ * This test must run first because SunJSSE can successfully initialize with the fallback
+ * configuration. If the PQC-only test runs first, SunJSSE's static initialization fails
+ * permanently and cannot be recovered.
+ *
+ * In native mode, this test also runs first but against a dedicated native binary
+ * built with fallback configuration
+ */
+@QuarkusTest
+@TestProfile(PqcWithFallbackProfile.class)
+@Order(1)
+class PqcWithFallbackTest extends AbstractPqcTest {
+
+ @Test
+ void testRestAssured() throws Exception {
+ testRestAssuredConnection();
+ }
+
+ @Test
+ void testHttpClientWithBCJSSE() throws Exception {
+ testHttpClientConnection("BCJSSE", false);
+ }
+
+ @Test
+ void testHttpClientWithSunJSSE() throws Exception {
+ testHttpClientConnection("SunJSSE", false);
+ }
+}
diff --git a/http-pqc-j21/src/test/java/org/acme/http/pqc/profiles/PqcOnlyProfile.java b/http-pqc-j21/src/test/java/org/acme/http/pqc/profiles/PqcOnlyProfile.java
new file mode 100644
index 00000000..372d460f
--- /dev/null
+++ b/http-pqc-j21/src/test/java/org/acme/http/pqc/profiles/PqcOnlyProfile.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.acme.http.pqc.profiles;
+
+import java.util.Map;
+
+import io.quarkus.test.junit.QuarkusTestProfile;
+
+/**
+ * Test profile for PQC-only configuration (no fallback).
+ * Activates the "pqc-only" profile which configures X25519MLKEM768 ONLY.
+ */
+public class PqcOnlyProfile implements QuarkusTestProfile {
+
+ @Override
+ public String getConfigProfile() {
+ return "pqc-only";
+ }
+
+ @Override
+ public Map