chore: [wip] PQC POC 2

.github/workflows/pqc-tests.yml

@@ -0,0 +1,65 @@
+name: PQC Connectivity Integration Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  pqc-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+        cache: 'maven'
+
+    # 1. Checkout sibling HTTP Client repository (MUST point to your modified fork/branch containing PQC JJSSE fixes)
+    - name: Checkout google-http-java-client
+      uses: actions/checkout@v4
+      with:
+        repository: <your-github-username>/google-http-java-client # UPDATE with your fork
+        ref: <your-pqc-branch> # UPDATE with your branch containing PQC JJSSE fixes
+        path: google-http-java-client
+
+    # 2. Build and install modified google-http-client SNAPSHOT locally
+    - name: Build and Install google-http-java-client
+      run: |
+        cd google-http-java-client
+        mvn clean install -DskipTests=true -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip
+
+    # 3. Checkout this monorepo
+    - name: Checkout google-cloud-java-pqc
+      uses: actions/checkout@v4
+      with:
+        path: google-cloud-java-pqc
+
+    # 4. Build the entire monorepo core components required by the tests
+    - name: Build and Install Core Dependency Reactor
+      run: |
+        cd google-cloud-java-pqc
+        mvn clean install -pl sdk-platform-java/pqc-test/pqc-test-snapshot,sdk-platform-java/pqc-test/pqc-test-release -am -T 1.5C -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -DskipTests=true
+
+    # 5. Run Snapshot PQC Tests (EXPECT PASS)
+    - name: Run Snapshot PQC Connectivity Tests (Expect PASS)
+      run: |
+        cd google-cloud-java-pqc/sdk-platform-java/pqc-test/pqc-test-snapshot
+        mvn install -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -Dtest=RunPqcTest
+
+    # 6. Run Release PQC Tests (EXPECT FAIL)
+    - name: Run Release PQC Connectivity Tests (Expect FAIL)
+      # We expect this step to fail. If it passes, it means release libraries are negotiating PQC (which is incorrect).
+      # Thus we run it and assert that the maven command fails (exit code != 0).
+      run: |
+        cd google-cloud-java-pqc/sdk-platform-java/pqc-test/pqc-test-release
+        if mvn install -Dcheckstyle.skip -Dclirr.skip -Denforcer.skip -Dfmt.skip -Dtest=RunPqcTest; then
+          echo "Error: Release tests passed but they were expected to fail!"
+          exit 1
+        else
+          echo "Success: Release tests failed-fast as expected."
+          exit 0
+        fi

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -31,6 +31,8 @@
 
 package com.google.auth.oauth2;
 
+import com.google.api.client.util.SslUtils;
+import java.security.GeneralSecurityException;
 import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
@@ -104,7 +106,16 @@ enum Pkcs8Algorithm {
   public static final String CLOUD_PLATFORM_SCOPE =
       "https://www.googleapis.com/auth/cloud-platform";
 
-  static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
+  static final HttpTransport HTTP_TRANSPORT;
+  static {
+    try {
+      HTTP_TRANSPORT = new NetHttpTransport.Builder()
+          .setSslSocketFactory(SslUtils.getTlsSslContext().getSocketFactory())
+          .build();
+    } catch (GeneralSecurityException e) {
+      throw new RuntimeException("Failed to initialize PQC-hardened HTTP transport", e);
+    }
+  }
 
   public static final HttpTransportFactory HTTP_TRANSPORT_FACTORY =
       new DefaultHttpTransportFactory();

sdk-platform-java/gapic-generator-java-pom-parent/pom.xml

@@ -19,6 +19,7 @@
   </parent>
 
   <properties>
+    <bouncycastle.version>1.80</bouncycastle.version>
     <skipUnitTests>false</skipUnitTests>
     <checkstyle.header.file>java.header</checkstyle.header.file>
     <maven.compiler.release>8</maven.compiler.release>
@@ -27,7 +28,7 @@
         consistent across modules in this repository -->
     <javax.annotation-api.version>1.3.2</javax.annotation-api.version>
     <grpc.version>1.81.0</grpc.version>
-    <google.http-client.version>2.1.0</google.http-client.version>
+    <google.http-client.version>2.1.1-SNAPSHOT</google.http-client.version>
     <gson.version>2.13.2</gson.version>
     <guava.version>33.5.0-jre</guava.version>
     <protobuf.version>4.33.2</protobuf.version>

sdk-platform-java/gax-java/gax-grpc/pom.xml

@@ -99,6 +99,17 @@
       <optional>true</optional>
     </dependency>
 
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bctls-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+
     <!-- test dependencies -->
     <dependency>
       <groupId>io.grpc</groupId>

sdk-platform-java/gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java

@@ -812,13 +812,90 @@ public ManagedChannelBuilder<?> createDecoratedChannelBuilder() throws IOExcepti
     if (interceptorProvider != null) {
       builder.intercept(interceptorProvider.getInterceptors());
     }
+    // Apply PQC configuration by default as a standard feature of GAX.
+    builder = applyPqcConfiguration(builder);
+
     if (channelConfigurator != null) {
       builder = channelConfigurator.apply(builder);
     }
 
     return builder;
   }
 
+  private ManagedChannelBuilder<?> applyPqcConfiguration(ManagedChannelBuilder<?> builder) {
+    // Configure the PQ and classical hybrid named groups:
+    // 1. X25519MLKEM768 (codepoint 4588): Hybrid classical (X25519) + post-quantum (ML-KEM-768) key exchange.
+    //    Provides defense-in-depth: if ML-KEM is compromised, security reverts to classical strength of X25519.
+    // 2. MLKEM768 (codepoint 1896): Pure post-quantum key exchange using ML-KEM-768.
+    // 3. X25519 (codepoint 29): Classical elliptic curve Diffie-Hellman key exchange, used as a fallback.
+    String[] hybridGroups = new String[] {"X25519MLKEM768", "MLKEM768", "X25519"};
+    String builderClassName = builder.getClass().getName();
+    boolean isShaded = "io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder".equals(builderClassName);
+    boolean isUnshaded = "io.grpc.netty.NettyChannelBuilder".equals(builderClassName);
+
+    if (isShaded || isUnshaded) {
+      try {
+        Object sslContext = buildOpenSslContext(isShaded, hybridGroups);
+        if (sslContext != null) {
+          setSslContextOnBuilder(builder, sslContext, isShaded);
+          return builder;
+        }
+      } catch (Exception e) {
+        // Graceful degradation: do not modify any global JVM property
+      }
+    }
+    return builder;
+  }
+
+  /**
+   * Dynamically configures and builds an OpenSsl SslContext targeting post-quantum groups.
+   *
+   * <p><b>Rationale for Reflection:</b>
+   * In the gax-grpc module, we maintain dual compatibility with both shaded Netty
+   * (io.grpc.netty.shaded) and unshaded Netty (io.grpc.netty) channel builders. Shaded Netty is
+   * a runtime dependency of gax-grpc rather than a compile-time dependency to prevent class
+   * path pollution. 
+   *
+   * <p>By utilizing reflection here, we can check the runtime class type of the channel builder
+   * and dynamically resolve and configure the corresponding shaded or unshaded SslContextBuilder
+   * and OpenSslContextOption classes without requiring compile-time dependencies on shaded Netty.
+   *
+   * @param isShaded True if using shaded Netty, false if unshaded.
+   * @param groups Preference list of TLS named groups.
+   * @return Configured SslContext object.
+   */
+  @SuppressWarnings("unchecked")
+  private Object buildOpenSslContext(boolean isShaded, String[] groups) throws Exception {
+    String prefix = isShaded ? "io.grpc.netty.shaded." : "";
+    Class<?> grpcSslContextsClass = Class.forName(prefix + "io.grpc.netty.GrpcSslContexts");
+    Class<?> sslContextBuilderClass = Class.forName(prefix + "io.netty.handler.ssl.SslContextBuilder");
+    Class<?> openSslContextOptionClass = Class.forName(prefix + "io.netty.handler.ssl.OpenSslContextOption");
+    Class<?> sslContextOptionClass = Class.forName(prefix + "io.netty.handler.ssl.SslContextOption");
+
+    // GrpcSslContexts.forClient() -> returns SslContextBuilder
+    java.lang.reflect.Method forClientMethod = grpcSslContextsClass.getMethod("forClient");
+    Object sslContextBuilder = forClientMethod.invoke(null);
+
+    // OpenSslContextOption.GROUPS
+    java.lang.reflect.Field groupsField = openSslContextOptionClass.getDeclaredField("GROUPS");
+    Object groupsOption = groupsField.get(null);
+
+    // SslContextBuilder.option(SslContextOption, Object)
+    java.lang.reflect.Method optionMethod = sslContextBuilderClass.getMethod("option", sslContextOptionClass, Object.class);
+    optionMethod.invoke(sslContextBuilder, groupsOption, groups);
+
+    // SslContextBuilder.build() -> returns SslContext
+    java.lang.reflect.Method buildMethod = sslContextBuilderClass.getMethod("build");
+    return buildMethod.invoke(sslContextBuilder);
+  }
+
+  private void setSslContextOnBuilder(Object builder, Object sslContext, boolean isShaded) throws Exception {
+    String prefix = isShaded ? "io.grpc.netty.shaded." : "";
+    Class<?> sslContextClass = Class.forName(prefix + "io.netty.handler.ssl.SslContext");
+    java.lang.reflect.Method sslContextMethod = builder.getClass().getMethod("sslContext", sslContextClass);
+    sslContextMethod.invoke(builder, sslContext);
+  }
+
   private ManagedChannel createSingleChannel() throws IOException {
     ManagedChannelBuilder<?> builder = createDecoratedChannelBuilder();
 

sdk-platform-java/gax-java/gax-httpjson/pom.xml

@@ -20,6 +20,17 @@
   </properties>
 
   <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bctls-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>com.google.api</groupId>
       <artifactId>gax</artifactId>

sdk-platform-java/gax-java/gax-httpjson/src/main/java/com/google/api/gax/httpjson/InstantiatingHttpJsonChannelProvider.java

@@ -42,6 +42,8 @@
 import com.google.auth.mtls.DefaultMtlsProviderFactory;
 import com.google.auth.mtls.MtlsProvider;
 import com.google.common.annotations.VisibleForTesting;
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
@@ -185,16 +187,26 @@ public TransportChannelProvider withCredentials(Credentials credentials) {
   }
 
   HttpTransport createHttpTransport() throws IOException, GeneralSecurityException {
-    if (mtlsProvider == null) {
-      return null;
-    }
-    if (certificateBasedAccess.useMtlsClientCertificate()) {
+    // 1. Get the scope-specific PQC-hardened SSLContext utilizing Bouncy Castle.
+    SSLContext sslContext = com.google.api.client.util.SslUtils.getTlsSslContext();
+
+    // 2. Initialize the NetHttpTransport builder pre-configured with our PQC SSL context.
+    NetHttpTransport.Builder builder = new NetHttpTransport.Builder()
+        .setSslSocketFactory(sslContext.getSocketFactory());
+
+    // 3. Verify if mTLS is supported and explicitly requested in the current client session.
+    if (mtlsProvider != null && certificateBasedAccess.useMtlsClientCertificate()) {
+      // 4. Retrieve the mutual TLS client key store from the session-specific mtlsProvider.
       KeyStore mtlsKeyStore = mtlsProvider.getKeyStore();
+      // 5. Ensure key store is valid before configuring mutual TLS client certificates.
       if (mtlsKeyStore != null) {
-        return new NetHttpTransport.Builder().trustCertificates(null, mtlsKeyStore, "").build();
+        // 6. Configure the mutual TLS certificates while preserving the PQC SSL context.
+        builder.trustCertificates(null, mtlsKeyStore, "");
       }
     }
-    return null;
+
+    // 7. Return the compiled and PQC-hardened NetHttpTransport instance.
+    return builder.build();
   }
 
   private HttpJsonTransportChannel createChannel() throws IOException, GeneralSecurityException {

sdk-platform-java/pom.xml

@@ -23,6 +23,7 @@
     <module>gapic-generator-java-bom</module>
     <module>java-shared-dependencies</module>
     <module>sdk-platform-java-config</module>
+    <module>pqc-test</module>
   </modules>
   <!-- Do not deploy the aggregator POM -->
   <build>

sdk-platform-java/pqc-test/pom.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>com.google.api</groupId>
+    <artifactId>gapic-generator-java-pom-parent</artifactId>
+    <version>2.73.0-SNAPSHOT</version>
+    <relativePath>../gapic-generator-java-pom-parent</relativePath>
+  </parent>
+
+  <groupId>com.google.api</groupId>
+  <artifactId>pqc-test-parent</artifactId>
+  <packaging>pom</packaging>
+  <version>2.81.0-SNAPSHOT</version>
+
+  <modules>
+    <module>pqc-test-common</module>
+    <module>pqc-test-snapshot</module>
+    <module>pqc-test-release</module>
+  </modules>
+</project>

sdk-platform-java/pqc-test/pqc-test-common/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>com.google.api</groupId>
+    <artifactId>pqc-test-parent</artifactId>
+    <version>2.81.0-SNAPSHOT</version>
+    <relativePath>../pom.xml</relativePath>
+  </parent>
+
+  <artifactId>pqc-test-common</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.api</groupId>
+      <artifactId>gax-httpjson</artifactId>
+      <version>2.81.0-SNAPSHOT</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.api</groupId>
+      <artifactId>gax-grpc</artifactId>
+      <version>2.81.0-SNAPSHOT</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bctls-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <version>5.10.2</version>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-netty</artifactId>
+      <version>${grpc.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-stub</artifactId>
+      <version>${grpc.version}</version>
+    </dependency>
+  </dependencies>
+</project>