fix(gdch): support EC private keys

oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -86,7 +86,7 @@ public class OAuth2Credentials extends Credentials {
   // Change listeners are not serialized
   private transient List<CredentialsChangedListener> changeListeners;
   // Until we expose this to the users it can remain transient and non-serializable
-  @VisibleForTesting transient Clock clock = Clock.SYSTEM;
+  transient Clock clock = Clock.SYSTEM;
 
   /**
    * Returns the credentials instance from the given access token.

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -40,7 +40,6 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.util.PemReader;
 import com.google.api.client.util.PemReader.Section;
-import com.google.api.client.util.SecurityUtils;
 import com.google.api.core.InternalApi;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.http.HttpTransportFactory;
@@ -82,6 +81,11 @@
 @InternalApi
 public class OAuth2Utils {
 
+  enum Pkcs8Algorithm {
+    RSA,
+    EC
+  }
+
   static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
 
   public static final String TOKEN_TYPE_ACCESS_TOKEN =
@@ -269,6 +273,20 @@ static Map<String, Object> validateMap(Map<String, Object> map, String key, Stri
    *     key creation.
    */
   public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOException {
+    return privateKeyFromPkcs8(privateKeyPkcs8, Pkcs8Algorithm.RSA);
+  }
+
+  /**
+   * Converts a PKCS#8 string to a private key of the specified algorithm.
+   *
+   * @param privateKeyPkcs8 the PKCS#8 string.
+   * @param algorithm the algorithm of the private key.
+   * @return the private key.
+   * @throws IOException if the PKCS#8 data is invalid or if an unexpected exception occurs during
+   *     key creation.
+   */
+  public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8, Pkcs8Algorithm algorithm)
+      throws IOException {
     Reader reader = new StringReader(privateKeyPkcs8);
     Section section = PemReader.readFirstSectionAndClose(reader, "PRIVATE KEY");
     if (section == null) {
@@ -278,7 +296,7 @@ public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOEx
     PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
     Exception unexpectedException;
     try {
-      KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
+      KeyFactory keyFactory = KeyFactory.getInstance(algorithm.toString());
       return keyFactory.generatePrivate(keySpec);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException exception) {
       unexpectedException = exception;

oauth2_http/javatests/com/google/auth/TestUtils.java

@@ -101,6 +101,13 @@ public static InputStream stringToInputStream(String text) {
     }
   }
 
+  /**
+   * Parses a URI query string into a map of key-value pairs.
+   *
+   * @param query The URI query string (e.g., "key1=val1&key2=val2").
+   * @return A map of decoded keys to decoded values.
+   * @throws IOException If the query string is malformed.
+   */
   public static Map<String, String> parseQuery(String query) throws IOException {
     Map<String, String> map = new HashMap<>();
     Iterable<String> entries = Splitter.on('&').split(query);
@@ -116,6 +123,23 @@ public static Map<String, String> parseQuery(String query) throws IOException {
     return map;
   }
 
+  /**
+   * Parses a JSON string into a map of key-value pairs.
+   *
+   * @param content The JSON string representation of a flat object.
+   * @return A map of keys to string representations of their values.
+   * @throws IOException If the JSON is malformed.
+   */
+  public static Map<String, String> parseJson(String content) throws IOException {
+    GenericJson json = JSON_FACTORY.fromString(content, GenericJson.class);
+    Map<String, String> map = new HashMap<>();
+    for (Map.Entry<String, Object> entry : json.entrySet()) {
+      Object value = entry.getValue();
+      map.put(entry.getKey(), value == null ? null : value.toString());
+    }
+    return map;
+  }
+
   public static String errorJson(String message) throws IOException {
     GenericJson errorResponse = new GenericJson();
     errorResponse.setFactory(JSON_FACTORY);

oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java

@@ -83,7 +83,7 @@ class DefaultCredentialsProviderTest {
   private static final String SA_PRIVATE_KEY_ID = "d84a4fefcf50791d4a90f2d7af17469d6282df9d";
   private static final String SA_PRIVATE_KEY_PKCS8 =
       ServiceAccountCredentialsTest.PRIVATE_KEY_PKCS8;
-  private static final String GDCH_SA_FORMAT_VERSION = GdchCredentials.SUPPORTED_FORMAT_VERSION;
+
   private static final String GDCH_SA_PROJECT_ID = "gdch-service-account-project-id";
   private static final String GDCH_SA_PRIVATE_KEY_ID = "d84a4fefcf50791d4a90f2d7af17469d6282df9d";
   private static final String GDCH_SA_PRIVATE_KEY_PKC8 = GdchCredentialsTest.PRIVATE_KEY_PKCS8;
@@ -94,7 +94,7 @@ class DefaultCredentialsProviderTest {
   private static final String GDCH_SA_CA_CERT_FILE_NAME = "cert.pem";
   private static final String GDCH_SA_CA_CERT_PATH =
       GdchCredentialsTest.class.getClassLoader().getResource(GDCH_SA_CA_CERT_FILE_NAME).getPath();
-  private static final URI GDCH_SA_API_AUDIENCE = URI.create("https://gdch-api-audience");
+  private static final String GDCH_SA_API_AUDIENCE = "https://gdch-api-audience";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
@@ -180,48 +180,33 @@ void getDefaultCredentials_noCredentials_singleGceTestRequest() {
   }
 
   @Test
-  void getDefaultCredentials_noCredentials_linuxNotGce() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("test".getBytes());
-    testProvider.addFile(productFilePath, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_noCredentials_linuxNotGce() {
+    checkStaticGceDetection("linux", "test", false);
   }
 
   @Test
-  void getDefaultCredentials_static_linux() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    File productFile = new File(productFilePath);
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(productFile.getAbsolutePath(), productStream);
-
-    assertTrue(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_static_linux() {
+    checkStaticGceDetection("linux", "Googlekdjsfhg", true);
   }
 
   @Test
-  void getDefaultCredentials_static_windows_configuredAsLinux_notGce() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "windows");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(productFilePath, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_static_windows_configuredAsLinux_notGce() {
+    checkStaticGceDetection("windows", "Googlekdjsfhg", false);
   }
 
   @Test
-  void getDefaultCredentials_static_unsupportedPlatform_notGce() throws IOException {
+  void getDefaultCredentials_static_unsupportedPlatform_notGce() {
+    checkStaticGceDetection("macos", "Googlekdjsfhg", false);
+  }
+
+  private void checkStaticGceDetection(String osName, String productContent, boolean expected) {
     TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "macos");
+    testProvider.setProperty("os.name", osName);
     String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
+    InputStream productStream = new ByteArrayInputStream(productContent.getBytes());
     testProvider.addFile(productFilePath, productStream);
 
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    assertEquals(expected, ComputeEngineCredentials.checkStaticGceDetection(testProvider));
   }
 
   @Test
@@ -390,7 +375,7 @@ void getDefaultCredentials_GdchServiceAccount() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     InputStream gdchServiceAccountStream =
         GdchCredentialsTest.writeGdchServiceAccountStream(
-            GDCH_SA_FORMAT_VERSION,
+            GdchCredentials.SUPPORTED_JSON_FORMAT_VERSION,
             GDCH_SA_PROJECT_ID,
             GDCH_SA_PRIVATE_KEY_ID,
             GDCH_SA_PRIVATE_KEY_PKC8,