Skip to content

feat(javanet): Introduce configurable SecurityProviders and SSLSocketConfigurator for NetHttpTransport #2167

Open
lqiu96 wants to merge 1 commit into
mainfrom
pqc-support-conscrypt
Open

feat(javanet): Introduce configurable SecurityProviders and SSLSocketConfigurator for NetHttpTransport #2167
lqiu96 wants to merge 1 commit into
mainfrom
pqc-support-conscrypt

Conversation

@lqiu96

@lqiu96 lqiu96 commented Jun 29, 2026

Copy link
Copy Markdown
Member

Adds support to configure the SSLSocket. This change allows users a method to enable Post Quantum Cryptography (PQC), but can be used for any other SSLSocket configuration. Allows a method for to configure a SecurityProvider and modify the the corresponding socket factory with the SecurityProvider.

There is no default SecurityProvider set in the http-client and Gax and Java-Core will bundle Conscrypt by default as pass it into the http-client. The Java SDK uses Conscrypt as the default SecurityProvider for PQC and will use the Conscrypt native APIs (e.g. Conscrypt.setNamedGroups) via the SslSocketConfigurator interface.

Changes:

  • Adds SslSocketConfigurator: A generic callback interface invoked on newly created SSLSocket instances right before the TLS handshake starts.
  • Adds ConfigurableSSLSocketFactory: An SSLSocketFactory wrapper that intercepts all socket creation entrypoints (including bound socket creations) and applies the custom SslSocketConfigurator callback to them.

@product-auto-label product-auto-label Bot added the size: m Pull request size is medium. label Jun 29, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 5 times, most recently from 066bffb to 3497a47 Compare June 30, 2026 22:04
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch from 3497a47 to f4a7445 Compare July 7, 2026 19:38
@product-auto-label product-auto-label Bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 7, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 3 times, most recently from ac577db to 1e3ca17 Compare July 10, 2026 20:33
@product-auto-label product-auto-label Bot added size: m Pull request size is medium. and removed size: l Pull request size is large. labels Jul 10, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 2 times, most recently from f738eaf to 33defc8 Compare July 10, 2026 20:44
@product-auto-label product-auto-label Bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Jul 10, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 12 times, most recently from 7da5101 to e165b84 Compare July 10, 2026 21:13
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch from 76f358f to 38472fd Compare July 14, 2026 19:03
@product-auto-label product-auto-label Bot added size: m Pull request size is medium. size: l Pull request size is large. and removed size: l Pull request size is large. size: m Pull request size is medium. labels Jul 15, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 5 times, most recently from 588e97c to 79c96d9 Compare July 15, 2026 16:34
@lqiu96
lqiu96 marked this pull request as ready for review July 15, 2026 16:37
@lqiu96
lqiu96 requested a review from a team as a code owner July 15, 2026 16:37
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 3 times, most recently from 6bd5bc8 to b57b752 Compare July 16, 2026 17:51
@lqiu96 lqiu96 changed the title feat(javanet): support Conscrypt security provider and PQC hybrid negotiation feat(javanet): Introduce configurable SecurityProviders and SSLSocketConfigurator for NetHttpTransport Jul 16, 2026
@blakeli0
blakeli0 requested a review from whowes July 16, 2026 18:16
@lqiu96 lqiu96 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 16, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 16, 2026
@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 5 times, most recently from b08e511 to 74932d4 Compare July 16, 2026 21:57
tmf.init((KeyStore) null);
trustManagers = tmf.getTrustManagers();
} catch (Exception e) {
// Ignore and fall back to default

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this case can be ignored? Shall we log it at least?
Also trustManagers will be null in this. case, would it cause issues when sslContext.init is called?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, updating this so we just propagate errors instead. If we can't initialize the custom socket configuration, it may be better to just fail fast instead of silently change to JDK (I will assume there is a reason they require a specific securityprovideR)

Comment thread google-http-client/src/main/java/com/google/api/client/util/SslUtils.java Outdated
TrustManagerFactory tmf = SslUtils.getDefaultTrustManagerFactory(securityProvider);
tmf.init((KeyStore) null);
trustManagers = tmf.getTrustManagers();
} catch (Exception e) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we know what exactly the checked exceptions are, it is better to use the exact exception.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm going to remove catching exceptions alltogether

}
sslContext.init(null, trustManagers, null);
return sslContext.getSocketFactory();
} catch (Exception e) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as https://github.com/googleapis/google-http-java-client/pull/2167/changes#r3605325675. Unless it is meant to be a "catch all and fall back to default" case.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. On second thought, I don't think we should fall back to the default. I think fail-fast would make more sense here

@lqiu96
lqiu96 force-pushed the pqc-support-conscrypt branch 2 times, most recently from 6f9fed1 to d84c251 Compare July 17, 2026 18:54
…cketConfigurator callback

Introduces SslSocketConfigurator interface and ConfigurableSSLSocketFactory wrapper.
ConfigurableSSLSocketFactory wraps the active SSLSocketFactory, intercepts socket creation, and invokes the configurator callback, enabling client-level socket configuration (e.g. for Conscrypt or BouncyCastle).
Includes JreNamedGroupsSslSocketConfigurator implementing reflective named groups configuration natively on JDK 20+.
Removes obsolete wrapTrustManagers code and animal-sniffer dependencies from SslUtils.

TAG=agy
CONV=385b9ab5-874c-4c9a-b331-66dab51fef61
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size: l Pull request size is large.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants