Skip to content

feat(javanet): support Conscrypt security provider and PQC hybrid negotiation#2167

Open
lqiu96 wants to merge 2 commits into
mainfrom
pqc-support-conscrypt
Open

feat(javanet): support Conscrypt security provider and PQC hybrid negotiation#2167
lqiu96 wants to merge 2 commits into
mainfrom
pqc-support-conscrypt

Conversation

@lqiu96

@lqiu96 lqiu96 commented Jun 29, 2026

Copy link
Copy Markdown
Member

Adds support to configure the SSLSocket needed to enable Post Quantum Cryptography (PQC). Allows a method for to configure a SecurityProvider and modify the the corresponding socket factory with the SecurityProvider.

There is no default SecurityProvider set in the http-client and Gax and Java-Core will bundle Conscrypt by default as pass it into the http-client. The Java SDK uses Conscrypt as the default SecurityProvider for PQC and will use the Conscrypt native APIs (e.g. Conscrypt.setNamedGroups) via the SslSocketConfigurator interface.

Changes:

  • Adds SslSocketConfigurator: A generic callback interface invoked on newly created SSLSocket instances right before the TLS handshake starts.
  • Adds ConfigurableSSLSocketFactory: An SSLSocketFactory wrapper that intercepts all socket creation entrypoints (including bound socket creations) and applies the custom SslSocketConfigurator callback to them.
  • Adds JreNamedGroupsSslSocketConfigurator: A default implementation of SslSocketConfigurator that reflectively configures named groups (curves) using standard JDK 20+ SSLParameters.setNamedGroups(String[]) API.

Introduce JreNamedGroupsSslSocketConfigurator as way for customers to use native JDK methods to configure the named groups if their selected SecurityProvider is unable to provide a native API to use PQC as it uses the JDK APIs and would work with whatever SecurityProvider (JDK's SSLParameters.setNamedGroups)

@product-auto-label product-auto-label Bot added the size: m Pull request size is medium. label Jun 29, 2026
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 5 times, most recently from 066bffb to 3497a47 Compare June 30, 2026 22:04
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch from 3497a47 to f4a7445 Compare July 7, 2026 19:38
@product-auto-label product-auto-label Bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 7, 2026
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 3 times, most recently from ac577db to 1e3ca17 Compare July 10, 2026 20:33
@product-auto-label product-auto-label Bot added size: m Pull request size is medium. and removed size: l Pull request size is large. labels Jul 10, 2026
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 2 times, most recently from f738eaf to 33defc8 Compare July 10, 2026 20:44
@product-auto-label product-auto-label Bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 10, 2026
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 12 times, most recently from 7da5101 to e165b84 Compare July 10, 2026 21:13
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 2 times, most recently from d150877 to d90f643 Compare July 13, 2026 16:24
@lqiu96 lqiu96 requested a review from blakeli0 July 13, 2026 16:25
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch from d90f643 to b4d0fb8 Compare July 13, 2026 18:44
if (securityProvider != null) {
return SSLContext.getInstance(TLS_ALGORITHM, securityProvider);
}
// 2. Default: Try Conscrypt (assumed to be available as part of SDK)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we always pass the Conscrypt provider in? So this library may not have to be dependent on Conscrypt?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that is an option. Right now that's the intention of provided scope, library isn't dependent on Conscrypt and will only enable it by default if it's used via a library in the Java SDK

Conscrypt.setNamedGroups(sslSocket, groups);
return socket;
}
// 2. Otherwise (user-provided security provider or JDK fallback), try standard JSSE

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a case that we have to support? This is a generic http library and I don't think we have to try to enable PQC by default. As long as we expose an option and users (including GAPIC/Apiary libraries) can set the PQC algorithm then we should be good.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll double check the requirements. The earlier design mentioned that we will support PQC by default in the http-client. This functionality mirrors what gRPC-Java is doing which enables it by default (both being general purpose libraries)

@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 11 times, most recently from 76f358f to 38472fd Compare July 14, 2026 19:03
@product-auto-label product-auto-label Bot added size: m Pull request size is medium. size: l Pull request size is large. and removed size: l Pull request size is large. size: m Pull request size is medium. labels Jul 15, 2026
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch 4 times, most recently from 1ec1ada to 588e97c Compare July 15, 2026 16:33
…cketConfigurator callback

Introduces SslSocketConfigurator interface and ConfigurableSSLSocketFactory wrapper.
ConfigurableSSLSocketFactory wraps the active SSLSocketFactory, intercepts socket creation, and invokes the configurator callback, enabling client-level socket configuration (e.g. for Conscrypt or BouncyCastle).
Includes JreNamedGroupsSslSocketConfigurator implementing reflective named groups configuration natively on JDK 20+.
Removes obsolete wrapTrustManagers code and animal-sniffer dependencies from SslUtils.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
@lqiu96 lqiu96 force-pushed the pqc-support-conscrypt branch from 588e97c to 79c96d9 Compare July 15, 2026 16:34
@lqiu96 lqiu96 marked this pull request as ready for review July 15, 2026 16:37
@lqiu96 lqiu96 requested a review from a team as a code owner July 15, 2026 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size: l Pull request size is large.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants