Skip to content

fix(gdch): support EC private keys#1896

Open
diegomarquezp wants to merge 33 commits intomainfrom
b/488439640
Open

fix(gdch): support EC private keys#1896
diegomarquezp wants to merge 33 commits intomainfrom
b/488439640

Conversation

@diegomarquezp
Copy link
Contributor

@diegomarquezp diegomarquezp commented Mar 4, 2026
edited
Loading

Context: b/488439640

Implementation originally proposed in b/431924643#comment9

The primary objective is to enable support for Elliptic Curve (EC) keys and non-URI audience formats, aligning the Java SDK with the behavior of the Python and Go implementations. Additionally, the GDCH key creation tool creates EC keys only, meaning the GDCH implementation was not following the convention.

Key Changes

  • Algorithm Support: Updated the credential signing process to use the ES256 (ECDSA) algorithm, which is the required standard for GDCH service accounts.
  • Audience Flexibility: Changed the apiAudience field from a URI to a String to accommodate "magic" non-URI strings (e.g., specific administrative audiences) required by certain GDCH services.
  • OAuth2Utils Refactoring: Enhanced privateKeyFromPkcs8 to accept an algorithm parameter, allowing the library to parse EC keys instead of defaulting exclusively to RSA.
  • Test fixes: Fixes in a couple of test files as per Sonarqube analysis.

Testing

  • Updated GdchCredentialsTest to include test cases for EC key parsing and token signing.

@product-auto-label product-auto-label bot added the size: l Pull request size is large. label Mar 4, 2026
@diegomarquezp diegomarquezp marked this pull request as ready for review March 9, 2026 21:36
@diegomarquezp diegomarquezp requested review from a team as code owners March 9, 2026 21:36
@diegomarquezp diegomarquezp requested a review from a team as a code owner March 10, 2026 21:22
@diegomarquezp diegomarquezp changed the title feat(gdch): support EC private keys fix(gdch): support EC private keys Mar 10, 2026
lqiu96
lqiu96 reviewed Mar 11, 2026
View reviewed changes
lqiu96
lqiu96 reviewed Mar 11, 2026
View reviewed changes
lqiu96
lqiu96 reviewed Mar 11, 2026
View reviewed changes
lqiu96
lqiu96 reviewed Mar 11, 2026
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java
return (Integer) value;
}

private static String signUsingEsSha256(
Copy link
Member

@lqiu96 lqiu96 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is a lot of logic in here. Can we add some documentation here (comments or a link to the algorithm) and would it be possible to add tests for this method?

Copy link
Contributor Author

@diegomarquezp diegomarquezp Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comments and tests for this method and the helper right below.

lqiu96
lqiu96 reviewed Mar 17, 2026
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java Outdated
* @throws IOException if the PKCS#8 data is invalid or if an unexpected exception occurs during
* key creation.
*/
public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8, String algorithm)
Copy link
Member

@lqiu96 lqiu96 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is a public method, what happens if a user calls this with an algorithm that doens't exist?

thoughts on this: can we have the second algorithm be an enum where the two options are RSA or EC so that users can't mistakenly put the wrong algorithm?

Copy link
Contributor Author

@diegomarquezp diegomarquezp Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/googleapis/google-auth-library-java/pull/1896/changes#r2949462487 I think we don't really want to support more than just EC.

Copy link
Member

@lqiu96 lqiu96 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you're right. can this method be package-private? And can we have a check to restrict this so that only EC algorithm is supported/ valid

Copy link
Contributor Author

@diegomarquezp diegomarquezp Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A mistake of mine: I thought this was GdchCredentials. Yes this public utils class is better suited to an enum.

Copy link
Contributor Author

@diegomarquezp diegomarquezp Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@diegomarquezp diegomarquezp added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 18, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 18, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 18, 2026

Quality Gate Failed Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lqiu96 lqiu96 lqiu96 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size: l Pull request size is large.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@diegomarquezp @lqiu96 @yoshi-kokoro