feat(javanet): support Conscrypt security provider and PQC hybrid negotiation#2167
feat(javanet): support Conscrypt security provider and PQC hybrid negotiation#2167lqiu96 wants to merge 2 commits into
Conversation
066bffb to
3497a47
Compare
3497a47 to
f4a7445
Compare
ac577db to
1e3ca17
Compare
f738eaf to
33defc8
Compare
7da5101 to
e165b84
Compare
d150877 to
d90f643
Compare
d90f643 to
b4d0fb8
Compare
| if (securityProvider != null) { | ||
| return SSLContext.getInstance(TLS_ALGORITHM, securityProvider); | ||
| } | ||
| // 2. Default: Try Conscrypt (assumed to be available as part of SDK) |
There was a problem hiding this comment.
Can we always pass the Conscrypt provider in? So this library may not have to be dependent on Conscrypt?
There was a problem hiding this comment.
I think that is an option. Right now that's the intention of provided scope, library isn't dependent on Conscrypt and will only enable it by default if it's used via a library in the Java SDK
| Conscrypt.setNamedGroups(sslSocket, groups); | ||
| return socket; | ||
| } | ||
| // 2. Otherwise (user-provided security provider or JDK fallback), try standard JSSE |
There was a problem hiding this comment.
Is this a case that we have to support? This is a generic http library and I don't think we have to try to enable PQC by default. As long as we expose an option and users (including GAPIC/Apiary libraries) can set the PQC algorithm then we should be good.
There was a problem hiding this comment.
I'll double check the requirements. The earlier design mentioned that we will support PQC by default in the http-client. This functionality mirrors what gRPC-Java is doing which enables it by default (both being general purpose libraries)
76f358f to
38472fd
Compare
1ec1ada to
588e97c
Compare
…cketConfigurator callback Introduces SslSocketConfigurator interface and ConfigurableSSLSocketFactory wrapper. ConfigurableSSLSocketFactory wraps the active SSLSocketFactory, intercepts socket creation, and invokes the configurator callback, enabling client-level socket configuration (e.g. for Conscrypt or BouncyCastle). Includes JreNamedGroupsSslSocketConfigurator implementing reflective named groups configuration natively on JDK 20+. Removes obsolete wrapTrustManagers code and animal-sniffer dependencies from SslUtils. TAG=agy CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
588e97c to
79c96d9
Compare
Adds support to configure the SSLSocket needed to enable Post Quantum Cryptography (PQC). Allows a method for to configure a SecurityProvider and modify the the corresponding socket factory with the SecurityProvider.
There is no default SecurityProvider set in the http-client and Gax and Java-Core will bundle Conscrypt by default as pass it into the http-client. The Java SDK uses Conscrypt as the default SecurityProvider for PQC and will use the Conscrypt native APIs (e.g. Conscrypt.setNamedGroups) via the SslSocketConfigurator interface.
Changes:
Introduce
JreNamedGroupsSslSocketConfiguratoras way for customers to use native JDK methods to configure the named groups if their selected SecurityProvider is unable to provide a native API to use PQC as it uses the JDK APIs and would work with whatever SecurityProvider (JDK'sSSLParameters.setNamedGroups)