Skip to content

chore: [wip] PQC POC 2 #13203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
diegomarquezp wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

chore: [wip] PQC POC 2 #13203

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
64be800
chore: [wip] PQC POC 2
diegomarquezp May 14, 2026
7c915c7
chore: update CI workflow to use googleapis/google-http-java-client b…
diegomarquezp May 14, 2026
f0478ae
chore: fix CI workflow setup order and step numbers
diegomarquezp May 14, 2026
408496f
chore: address Gemini review comments for PQC POC
diegomarquezp May 19, 2026
ae47748
Merge branch 'main' into chore/pqc-poc-2
diegomarquezp May 19, 2026
a61bd9d
test(bigquery): include bigquery for testing
diegomarquezp May 20, 2026
6b8816b
Merge remote-tracking branch 'origin/main' into chore/pqc-poc-2
diegomarquezp May 20, 2026
5be6b97
Merge branch 'chore/pqc-poc-2' of https://github.com/googleapis/googl…
diegomarquezp May 20, 2026
4d9e72c
refactor: zero-config programmatic PQC auto-upgrades using http-clien…
diegomarquezp May 20, 2026
6bbb7fc
test: Resolve Java 17 SSLParameters namedGroups compatibility with Bo…
diegomarquezp May 20, 2026
a472a87
fix(gax-grpc): use out of the box behavior for PQC
diegomarquezp May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions .github/workflows/pqc-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
name: PQC Connectivity Integration Tests

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]

jobs:
pqc-tests:
runs-on: ubuntu-latest

steps:
# 1. Checkout sibling HTTP Client repository
- name: Checkout google-http-java-client
uses: actions/checkout@v4
with:
repository: googleapis/google-http-java-client
ref: chore/pqc-poc-2
path: google-http-java-client

# 2. Checkout this monorepo
- name: Checkout google-cloud-java-pqc
uses: actions/checkout@v4
with:
path: google-cloud-java-pqc

# 3. Set up JDK 17
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
cache: 'maven'
cache-dependency-path: 'google-cloud-java-pqc/pom.xml'

# 4. Build and install modified google-http-client SNAPSHOT locally
- name: Build and Install google-http-java-client
run: |
cd google-http-java-client
mvn clean install -DskipTests=true -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip

# 5. Build the entire monorepo core components required by the tests
- name: Build and Install Core Dependency Reactor
run: |
cd google-cloud-java-pqc
mvn clean install -pl sdk-platform-java/pqc-test/pqc-test-snapshot,sdk-platform-java/pqc-test/pqc-test-release -am -T 1.5C -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -DskipTests=true

# 6. Run Snapshot PQC Tests (EXPECT PASS)
- name: Run Snapshot PQC Connectivity Tests (Expect PASS)
run: |
cd google-cloud-java-pqc/sdk-platform-java/pqc-test/pqc-test-snapshot
mvn install -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -Dtest=RunPqcTest

# 7. Run Release PQC Tests (EXPECT FAIL)
- name: Run Release PQC Connectivity Tests (Expect FAIL)
# We expect this step to fail. If it passes, it means release libraries are negotiating PQC (which is incorrect).
# Thus we run it and assert that the maven command fails (exit code != 0).
run: |
cd google-cloud-java-pqc/sdk-platform-java/pqc-test/pqc-test-release
if mvn install -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -Dtest=RunPqcTest; then
echo "Error: Release tests passed but they were expected to fail!"
exit 1
else
echo "Success: Release tests failed-fast as expected."
exit 0
fi
20 changes: 19 additions & 1 deletion google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@

package com.google.auth.oauth2;

import com.google.api.client.util.SslUtils;
import java.security.GeneralSecurityException;
import java.util.logging.Level;
import java.util.logging.Logger;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
Expand Down Expand Up @@ -104,7 +108,21 @@ enum Pkcs8Algorithm {
public static final String CLOUD_PLATFORM_SCOPE =
"https://www.googleapis.com/auth/cloud-platform";

static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
private static final Logger logger = Logger.getLogger(OAuth2Utils.class.getName());

static final HttpTransport HTTP_TRANSPORT;
static {
HttpTransport transport;
try {
transport = new NetHttpTransport.Builder()
.setSslSocketFactory(SslUtils.getTlsSslContext().getSocketFactory())
.build();
} catch (GeneralSecurityException e) {
logger.log(Level.WARNING, "Failed to initialize PQC-hardened HTTP transport, falling back to default", e);
transport = new NetHttpTransport();
}
HTTP_TRANSPORT = transport;
}

public static final HttpTransportFactory HTTP_TRANSPORT_FACTORY =
new DefaultHttpTransportFactory();
Expand Down
3 changes: 2 additions & 1 deletion sdk-platform-java/gapic-generator-java-pom-parent/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
</parent>

<properties>
<bouncycastle.version>1.80</bouncycastle.version>
<skipUnitTests>false</skipUnitTests>
<checkstyle.header.file>java.header</checkstyle.header.file>
<maven.compiler.release>8</maven.compiler.release>
Expand All @@ -27,7 +28,7 @@
consistent across modules in this repository -->
<javax.annotation-api.version>1.3.2</javax.annotation-api.version>
<grpc.version>1.81.0</grpc.version>
<google.http-client.version>2.1.0</google.http-client.version>
<google.http-client.version>2.1.1-SNAPSHOT</google.http-client.version>
Comment thread
diegomarquezp marked this conversation as resolved.
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Updating google.http-client.version to a -SNAPSHOT version in a parent POM is generally discouraged for release-track projects. This can lead to unstable builds and dependency resolution issues in environments without access to the specific snapshot repository. If this is necessary for the POC, please ensure it is reverted or replaced with a stable version before merging.

<gson.version>2.13.2</gson.version>
<guava.version>33.5.0-jre</guava.version>
<protobuf.version>4.33.2</protobuf.version>
Expand Down
11 changes: 11 additions & 0 deletions sdk-platform-java/gax-java/gax-grpc/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,17 @@
<optional>true</optional>
</dependency>

<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>

<!-- test dependencies -->
<dependency>
<groupId>io.grpc</groupId>
Expand Down
2 changes: 2 additions & 0 deletions ...java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -812,13 +812,15 @@ public ManagedChannelBuilder<?> createDecoratedChannelBuilder() throws IOExcepti
if (interceptorProvider != null) {
builder.intercept(interceptorProvider.getInterceptors());
}

if (channelConfigurator != null) {
builder = channelConfigurator.apply(builder);
}

return builder;
}


private ManagedChannel createSingleChannel() throws IOException {
ManagedChannelBuilder<?> builder = createDecoratedChannelBuilder();

Expand Down
11 changes: 11 additions & 0 deletions sdk-platform-java/gax-java/gax-httpjson/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,17 @@
</properties>

<dependencies>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>

<dependency>
<groupId>com.google.api</groupId>
<artifactId>gax</artifactId>
Expand Down
4 changes: 4 additions & 0 deletions ...pjson/src/main/java/com/google/api/gax/httpjson/InstantiatingHttpJsonChannelProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@
import com.google.auth.mtls.DefaultMtlsProviderFactory;
import com.google.auth.mtls.MtlsProvider;
import com.google.common.annotations.VisibleForTesting;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
Comment on lines +45 to +46
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The imports for javax.net.ssl.SSLContext and java.security.NoSuchAlgorithmException are unused in this file and should be removed.

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
Expand Down Expand Up @@ -185,6 +187,8 @@ public TransportChannelProvider withCredentials(Credentials credentials) {
}

HttpTransport createHttpTransport() throws IOException, GeneralSecurityException {


if (mtlsProvider == null) {
return null;
}
Expand Down
3 changes: 3 additions & 0 deletions ...core/google-cloud-core-http/src/main/java/com/google/cloud/http/HttpTransportOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,9 @@ public HttpTransport create() {
// Maybe not on App Engine
}
}



return new NetHttpTransport();
}
}
Expand Down
1 change: 1 addition & 0 deletions sdk-platform-java/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
<module>gapic-generator-java-bom</module>
<module>java-shared-dependencies</module>
<module>sdk-platform-java-config</module>
<module>pqc-test</module>
</modules>
<!-- Do not deploy the aggregator POM -->
<build>
Expand Down
24 changes: 24 additions & 0 deletions sdk-platform-java/pqc-test/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>com.google.api</groupId>
<artifactId>gapic-generator-java-pom-parent</artifactId>
<version>2.73.0-SNAPSHOT</version>
<relativePath>../gapic-generator-java-pom-parent</relativePath>
</parent>

<groupId>com.google.api</groupId>
<artifactId>pqc-test-parent</artifactId>
<packaging>pom</packaging>
<version>2.81.0-SNAPSHOT</version>

<modules>
<module>pqc-test-common</module>
<module>pqc-test-snapshot</module>
<module>pqc-test-release</module>
</modules>
</project>
59 changes: 59 additions & 0 deletions sdk-platform-java/pqc-test/pqc-test-common/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>com.google.api</groupId>
<artifactId>pqc-test-parent</artifactId>
<version>2.81.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

<artifactId>pqc-test-common</artifactId>

<dependencies>
<dependency>
<groupId>com.google.api</groupId>
<artifactId>gax-httpjson</artifactId>
<version>2.81.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>com.google.api</groupId>
<artifactId>gax-grpc</artifactId>
<version>2.81.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>5.10.2</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty</artifactId>
<version>${grpc.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-stub</artifactId>
<version>${grpc.version}</version>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-bigquery</artifactId>
<version>2.67.0-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
</dependencies>
</project>
Loading
Loading