fix(gdch): support EC private keys (#1896)

* fix: allow for ES algorithm in GdchCredentials

* test: partially adapt tests

* test: finish adjusting tests

* chore: format

* fix: restore credential name

* docs: restore license

* fix: restore removed code

* test: increase coverage

* test(gdch): parameterize test

* test: remove unused var

* chore: remove unused throw clause

* test: parameterize more

* fix: remove unused parameter

* fix: make variables final as intended

* fix: remove unused throw clause

* fix: remove unused throw clause

* fix: make OAuth2Credentials clock package private for production code

* fix: use non deprecated base 64 encoder

* test: parameterize flagged tests

* chore: format

* test: fix assertion

* build: remove unused dependency

* test: run linux gce only on linux envs

* fix: sonarqube flags (use java.util.Base64)

* fix: improve error message template

* fix: keep overload of "with audience" that takes an URI

* fix: restore public getter of getApiAudience

* docs: add javadoc for signing logic

* test: test private signature and decode methods

* fix: add null and empty check for audience string

* docs: add javadoc for audience getters

* fix: use enum for possible algorithms

* fix: use obsolete javadoc instead of @deprecated

* refactor: use OAuth2Utils validate methods in GdchCredentials

* fix: restore GoogleAuthException throwing in GdchCredentials

* refactor: downgrade Pkcs8Algorithm and privateKeyFromPkcs8 to package-private

* refactor: split parseBody into parseJson and parseQuery in test utilities

* refactor: remove validation reflection by making signUsingEsSha256 package-private

* test: use hardcoded string literal for gdch api audience in test

* test: refactor to use assertThrows in GdchCredentialsTest and remove host OS check in DefaultCredentialsProviderTest

* fix: add comment about EC algorithm support in GdchCredentials

* fix: update GDCH audience error message to be more descriptive

* refactor: rename getApiAudienceString to getGdchAudience

* fix: Remove unused import

* docs: update GDCH audience getter javadocs

* test: add null-checks to builder and corresponding tests

* refactor: consolidate token type constants using OAuth2Utils

* refactor: throw GoogleAuthException for signing and transcoding errors

* docs: add javadoc to related test utils

* fix: use GoogleAuthException

* test: use assertThrows where applicable

* refactor: replace Preconditions with Strings.isNullOrEmpty for audience checks

* fix: consistent exception message

* chore: format

* test: use lowercase os name

* chore: address review comments for PR #1896

* chore: format

* Finalizing GDCH credentials support by addressing reviewer comments

* chore: format

* fix: parse EC private keys with  SEC1 algorithm

* chore: format

* fix: separate PKCs8 vs SEC1 logic in GdchCredentials

* fix: improved exception message, added comments to extractPrivateKeyValue

Original-PR: googleapis/google-auth-library-java#1896

Author: diegomarquezp

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java

@@ -86,7 +86,7 @@ public class OAuth2Credentials extends Credentials {
   // Change listeners are not serialized
   private transient List<CredentialsChangedListener> changeListeners;
   // Until we expose this to the users it can remain transient and non-serializable
-  @VisibleForTesting transient Clock clock = Clock.SYSTEM;
+  transient Clock clock = Clock.SYSTEM;
 
   /**
    * Returns the credentials instance from the given access token.

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -40,7 +40,6 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.util.PemReader;
 import com.google.api.client.util.PemReader.Section;
-import com.google.api.client.util.SecurityUtils;
 import com.google.api.core.InternalApi;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.http.HttpTransportFactory;
@@ -82,6 +81,11 @@
 @InternalApi
 public class OAuth2Utils {
 
+  enum Pkcs8Algorithm {
+    RSA,
+    EC
+  }
+
   static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
 
   public static final String TOKEN_TYPE_ACCESS_TOKEN =
@@ -269,6 +273,24 @@ static Map<String, Object> validateMap(Map<String, Object> map, String key, Stri
    *     key creation.
    */
   public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOException {
+    return privateKeyFromPkcs8(privateKeyPkcs8, Pkcs8Algorithm.RSA);
+  }
+
+  /**
+   * Reads a private key from a PKCS#8 encoded string.
+   *
+   * <p>If the key is labeled with "-----BEGIN PRIVATE KEY-----", it is parsed as PKCS#8 as per RFC
+   * 7468 Section 10.
+   *
+   * @see <a href="https://datatracker.ietf.org/doc/html/rfc7468#section-10">RFC 7468 Section 10</a>
+   * @param privateKeyPkcs8 base64 encoded private key string
+   * @param algorithm expected algorithm of the private key
+   * @return the private key.
+   * @throws IOException if the private key data is invalid or if an unexpected exception occurs
+   *     during key creation.
+   */
+  public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8, Pkcs8Algorithm algorithm)
+      throws IOException {
     Reader reader = new StringReader(privateKeyPkcs8);
     Section section = PemReader.readFirstSectionAndClose(reader, "PRIVATE KEY");
     if (section == null) {
@@ -278,7 +300,7 @@ public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOEx
     PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
     Exception unexpectedException;
     try {
-      KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
+      KeyFactory keyFactory = KeyFactory.getInstance(algorithm.toString());
       return keyFactory.generatePrivate(keySpec);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException exception) {
       unexpectedException = exception;

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -97,6 +97,13 @@ public static InputStream stringToInputStream(String text) {
     return new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8));
   }
 
+  /**
+   * Parses a URI query string into a map of key-value pairs.
+   *
+   * @param query The URI query string (e.g., "key1=val1&key2=val2").
+   * @return A map of decoded keys to decoded values.
+   * @throws IOException If the query string is malformed.
+   */
   public static Map<String, String> parseQuery(String query) throws IOException {
     Map<String, String> map = new HashMap<>();
     Iterable<String> entries = Splitter.on('&').split(query);
@@ -112,6 +119,23 @@ public static Map<String, String> parseQuery(String query) throws IOException {
     return map;
   }
 
+  /**
+   * Parses a JSON string into a map of key-value pairs.
+   *
+   * @param content The JSON string representation of a flat object.
+   * @return A map of keys to string representations of their values.
+   * @throws IOException If the JSON is malformed.
+   */
+  public static Map<String, String> parseJson(String content) throws IOException {
+    GenericJson json = JSON_FACTORY.fromString(content, GenericJson.class);
+    Map<String, String> map = new HashMap<>();
+    for (Map.Entry<String, Object> entry : json.entrySet()) {
+      Object value = entry.getValue();
+      map.put(entry.getKey(), value == null ? null : value.toString());
+    }
+    return map;
+  }
+
   public static String errorJson(String message) throws IOException {
     GenericJson errorResponse = new GenericJson();
     errorResponse.setFactory(JSON_FACTORY);

google-auth-library-java/oauth2_http/javatests/com/google/auth/TestUtils.java

@@ -85,7 +85,7 @@ class DefaultCredentialsProviderTest {
   private static final String SA_PRIVATE_KEY_ID = "d84a4fefcf50791d4a90f2d7af17469d6282df9d";
   private static final String SA_PRIVATE_KEY_PKCS8 =
       ServiceAccountCredentialsTest.PRIVATE_KEY_PKCS8;
-  private static final String GDCH_SA_FORMAT_VERSION = GdchCredentials.SUPPORTED_FORMAT_VERSION;
+
   private static final String GDCH_SA_PROJECT_ID = "gdch-service-account-project-id";
   private static final String GDCH_SA_PRIVATE_KEY_ID = "d84a4fefcf50791d4a90f2d7af17469d6282df9d";
   private static final String GDCH_SA_PRIVATE_KEY_PKC8 = GdchCredentialsTest.PRIVATE_KEY_PKCS8;
@@ -96,7 +96,7 @@ class DefaultCredentialsProviderTest {
   private static final String GDCH_SA_CA_CERT_FILE_NAME = "cert.pem";
   private static final String GDCH_SA_CA_CERT_PATH =
       GdchCredentialsTest.class.getClassLoader().getResource(GDCH_SA_CA_CERT_FILE_NAME).getPath();
-  private static final URI GDCH_SA_API_AUDIENCE = URI.create("https://gdch-api-audience");
+  private static final String GDCH_SA_API_AUDIENCE = "https://gdch-api-audience";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
@@ -166,43 +166,32 @@ void getDefaultCredentials_noCredentials_singleGceTestRequest() {
 
   @Test
   void getDefaultCredentials_noCredentials_linuxNotGce() {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    InputStream productStream = new ByteArrayInputStream("test".getBytes());
-    testProvider.addFile(SMBIOS_PATH_LINUX, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    checkStaticGceDetection("linux", "test", false);
   }
 
   @Test
   void getDefaultCredentials_static_linux() {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    File productFile = new File(SMBIOS_PATH_LINUX);
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(productFile.getAbsolutePath(), productStream);
-
-    assertTrue(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    checkStaticGceDetection("linux", "Googlekdjsfhg", true);
   }
 
   @Test
   void getDefaultCredentials_static_windows_configuredAsLinux_notGce() {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "windows");
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(SMBIOS_PATH_LINUX, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    checkStaticGceDetection("windows", "Googlekdjsfhg", false);
   }
 
   @Test
   void getDefaultCredentials_static_unsupportedPlatform_notGce() {
+    checkStaticGceDetection("macos", "Googlekdjsfhg", false);
+  }
+
+  private void checkStaticGceDetection(String osName, String productContent, boolean expected) {
     TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "macos");
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(SMBIOS_PATH_LINUX, productStream);
+    testProvider.setProperty("os.name", osName);
+    String productFilePath = SMBIOS_PATH_LINUX;
+    InputStream productStream = new ByteArrayInputStream(productContent.getBytes());
+    testProvider.addFile(productFilePath, productStream);
 
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    assertEquals(expected, ComputeEngineCredentials.checkStaticGceDetection(testProvider));
   }
 
   @Test
@@ -359,7 +348,7 @@ void getDefaultCredentials_GdchServiceAccount() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     InputStream gdchServiceAccountStream =
         GdchCredentialsTest.writeGdchServiceAccountStream(
-            GDCH_SA_FORMAT_VERSION,
+            GdchCredentials.SUPPORTED_JSON_FORMAT_VERSION,
             GDCH_SA_PROJECT_ID,
             GDCH_SA_PRIVATE_KEY_ID,
             GDCH_SA_PRIVATE_KEY_PKC8,