|
| 1 | +# GAPIC Post-Quantum Cryptography (PQC) Support & Verification |
| 2 | + |
| 3 | +This directory contains verification tools and samples to test, trace, and verify Post-Quantum Cryptography (PQC) support in Google Cloud Java client libraries, covering both gRPC and HttpJson (REST) transports. |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +## 1. Prerequisites & Dependencies |
| 8 | + |
| 9 | +### Java Version |
| 10 | +* To perform PQC handshakes, JDK 11+ is required for compiling Conscrypt. JDK 17+ or JDK 21+ is highly recommended. |
| 11 | +* Conscrypt acts as the security provider providing hybrid group `X25519MLKEM768`. |
| 12 | + |
| 13 | +### Core Snapshot Artifacts |
| 14 | +The PQC verification depends on local SNAPSHOT builds of libraries containing our PQC enhancements: |
| 15 | +1. **`google-http-java-client`** (`pqc-support-conscrypt` branch): Enforces and wraps standard HTTP connections to prefer Conscrypt PQC sockets. |
| 16 | +2. **`gRPC-Java`** (`1.83.0-SNAPSHOT`): Enables Netty 4.2 support which negotiates hybrid key exchange by default. |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +## 2. Setting Up Showcase (Local TLS Server) |
| 21 | + |
| 22 | +The `ITPqc` test suite runs integration tests against the local secure **GAPIC Showcase** server. |
| 23 | + |
| 24 | +### Step 2.1: Download & Build Showcase with TLS Support |
| 25 | +Clone the showcase server and checkout the PQC TLS support branch: |
| 26 | +```shell |
| 27 | +git clone https://github.com/googleapis/gapic-showcase.git |
| 28 | +cd gapic-showcase |
| 29 | +git checkout feat-pqc-tls |
| 30 | +go build ./cmd/gapic-showcase |
| 31 | +``` |
| 32 | + |
| 33 | +### Step 2.2: Generate TLS Certificates |
| 34 | +Generate self-signed testing certificates using `openssl` (saved to `~/pqc-certs`): |
| 35 | +```shell |
| 36 | +mkdir -p ~/pqc-certs |
| 37 | +openssl req -x509 -newkey rsa:4096 -keyout ~/pqc-certs/server.key -out ~/pqc-certs/server.crt -sha256 -days 365 -nodes -subj "/CN=localhost" |
| 38 | +openssl x509 -outform pem -in ~/pqc-certs/server.crt -out ~/pqc-certs/ca.crt |
| 39 | +``` |
| 40 | + |
| 41 | +### Step 2.3: Run the Showcase Server |
| 42 | +Start the Showcase server in TLS mode using the generated certificate: |
| 43 | +```shell |
| 44 | +# Run on secure port 7470 |
| 45 | +./gapic-showcase run \ |
| 46 | + --tls-cert ~/pqc-certs/server.crt \ |
| 47 | + --tls-key ~/pqc-certs/server.key \ |
| 48 | + --port 7470 |
| 49 | +``` |
| 50 | + |
| 51 | +--- |
| 52 | + |
| 53 | +## 3. Running Local Verification Tests |
| 54 | + |
| 55 | +Use the helper script `build-with-local-http-client.sh` to automatically build/install `google-http-java-client` as a local snapshot, compile the monorepo, and execute Showcase PQC integration tests: |
| 56 | + |
| 57 | +```shell |
| 58 | +# Set path to the google-http-java-client repository |
| 59 | +export HTTP_CLIENT_DIR=~/IdeaProjects/google-http-java-client |
| 60 | + |
| 61 | +# Run the verification script |
| 62 | +./build-with-local-http-client.sh |
| 63 | +``` |
| 64 | + |
| 65 | +If successful, you will see `BUILD SUCCESS` and both `testGrpcPqc` and `testHttpJsonPqc` passing. |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## 4. Standalone BigQuery PQC Tracing Sample |
| 70 | + |
| 71 | +The class `BqPqcTest` runs a live connection to Google Cloud BigQuery, intercepts TLS sockets, and traces the negotiated curve/groups to verify `X25519MLKEM768` is used. |
| 72 | + |
| 73 | +### Run with Maven |
| 74 | +To execute the BigQuery trace sample: |
| 75 | + |
| 76 | +```shell |
| 77 | +cd pqc-verification |
| 78 | + |
| 79 | +# Run using exec-maven-plugin |
| 80 | +mvn clean compile exec:java -Dproject.id="your-gcp-project-id" |
| 81 | +``` |
| 82 | + |
| 83 | +### Expected Output |
| 84 | +If Conscrypt is configured correctly and your environment supports PQC, you will see output tracing the handshake: |
| 85 | +``` |
| 86 | +[DEBUG] Java Version: 17.0.19 |
| 87 | +[DEBUG] Java Runtime: 17.0.19+10 |
| 88 | +[DEBUG] Java VM : OpenJDK 64-Bit Server VM (17.0.19+10) |
| 89 | +[DEBUG] Conscrypt Version: 2.6.0 |
| 90 | +Registered Conscrypt provider at position 1. |
| 91 | +Initializing BigQuery client for project: your-gcp-project-id |
| 92 | +Listing datasets using BigQuery Client with TLS tracing... |
| 93 | +[TLS TRACE] Handshake Completed |
| 94 | + Protocol : TLSv1.3 |
| 95 | + CipherSuite: TLS_AES_128_GCM_SHA256 |
| 96 | + Curve Name : X25519MLKEM768 (via Conscrypt OpenSSLSocketImpl.getCurveNameForTesting) |
| 97 | + Is PQC? : YES (Hybrid Post-Quantum) |
| 98 | +- my_dataset1 |
| 99 | +- my_dataset2 |
| 100 | +``` |
0 commit comments