fix(gdch): support EC private keys

oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -86,7 +86,7 @@ public class OAuth2Credentials extends Credentials {
   // Change listeners are not serialized
   private transient List<CredentialsChangedListener> changeListeners;
   // Until we expose this to the users it can remain transient and non-serializable
-  @VisibleForTesting transient Clock clock = Clock.SYSTEM;
+  transient Clock clock = Clock.SYSTEM;
 
   /**
    * Returns the credentials instance from the given access token.

oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java

@@ -40,7 +40,6 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.util.PemReader;
 import com.google.api.client.util.PemReader.Section;
-import com.google.api.client.util.SecurityUtils;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.Strings;
@@ -80,6 +79,11 @@
  */
 public class OAuth2Utils {
 
+  public enum Pkcs8Algorithm {
+    RSA,
+    EC
+  }
+
   static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
 
   public static final String TOKEN_TYPE_ACCESS_TOKEN =
@@ -267,6 +271,20 @@ static Map<String, Object> validateMap(Map<String, Object> map, String key, Stri
    *     key creation.
    */
   public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOException {
+    return privateKeyFromPkcs8(privateKeyPkcs8, Pkcs8Algorithm.RSA);
+  }
+
+  /**
+   * Converts a PKCS#8 string to a private key of the specified algorithm.
+   *
+   * @param privateKeyPkcs8 the PKCS#8 string.
+   * @param algorithm the algorithm of the private key.
+   * @return the private key.
+   * @throws IOException if the PKCS#8 data is invalid or if an unexpected exception occurs during
+   *     key creation.
+   */
+  public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8, Pkcs8Algorithm algorithm)
+      throws IOException {
     Reader reader = new StringReader(privateKeyPkcs8);
     Section section = PemReader.readFirstSectionAndClose(reader, "PRIVATE KEY");
     if (section == null) {
@@ -276,7 +294,7 @@ public static PrivateKey privateKeyFromPkcs8(String privateKeyPkcs8) throws IOEx
     PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
     Exception unexpectedException;
     try {
-      KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
+      KeyFactory keyFactory = KeyFactory.getInstance(algorithm.toString());
       return keyFactory.generatePrivate(keySpec);
     } catch (NoSuchAlgorithmException | InvalidKeySpecException exception) {
       unexpectedException = exception;

oauth2_http/javatests/com/google/auth/TestUtils.java

@@ -116,6 +116,26 @@ public static Map<String, String> parseQuery(String query) throws IOException {
     return map;
   }
 
+  /**
+   * Parses the request body as either JSON or a query string.
+   *
+   * @param content The request body content.
+   * @return A map of the parsed parameters.
+   * @throws IOException If the content cannot be parsed.
+   */
+  public static Map<String, String> parseBody(String content) throws IOException {
+    if (content != null && content.trim().startsWith("{")) {
+      GenericJson json = JSON_FACTORY.fromString(content, GenericJson.class);
+      Map<String, String> map = new HashMap<>();
+      for (Map.Entry<String, Object> entry : json.entrySet()) {
+        Object value = entry.getValue();
+        map.put(entry.getKey(), value == null ? null : value.toString());
+      }
+      return map;
+    }
+    return parseQuery(content);
+  }
+
   public static String errorJson(String message) throws IOException {
     GenericJson errorResponse = new GenericJson();
     errorResponse.setFactory(JSON_FACTORY);

oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java

@@ -38,6 +38,7 @@
 import static org.junit.jupiter.api.Assertions.assertSame;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.LowLevelHttpRequest;
@@ -94,7 +95,7 @@ class DefaultCredentialsProviderTest {
   private static final String GDCH_SA_CA_CERT_FILE_NAME = "cert.pem";
   private static final String GDCH_SA_CA_CERT_PATH =
       GdchCredentialsTest.class.getClassLoader().getResource(GDCH_SA_CA_CERT_FILE_NAME).getPath();
-  private static final URI GDCH_SA_API_AUDIENCE = URI.create("https://gdch-api-audience");
+  private static final String GDCH_SA_API_AUDIENCE = "https://gdch-api-audience";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
@@ -180,48 +181,36 @@ void getDefaultCredentials_noCredentials_singleGceTestRequest() {
   }
 
   @Test
-  void getDefaultCredentials_noCredentials_linuxNotGce() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("test".getBytes());
-    testProvider.addFile(productFilePath, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_noCredentials_linuxNotGce() {
+    checkStaticGceDetection("Linux", "test", false);
   }
 
   @Test
-  void getDefaultCredentials_static_linux() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "Linux");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    File productFile = new File(productFilePath);
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(productFile.getAbsolutePath(), productStream);
-
-    assertTrue(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_static_linux() {
+    checkStaticGceDetection("Linux", "Googlekdjsfhg", true);
   }
 
   @Test
-  void getDefaultCredentials_static_windows_configuredAsLinux_notGce() throws IOException {
-    TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "windows");
-    String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
-    testProvider.addFile(productFilePath, productStream);
-
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+  void getDefaultCredentials_static_windows_configuredAsLinux_notGce() {
+    checkStaticGceDetection("windows", "Googlekdjsfhg", false);
   }
 
   @Test
-  void getDefaultCredentials_static_unsupportedPlatform_notGce() throws IOException {
+  void getDefaultCredentials_static_unsupportedPlatform_notGce() {
+    checkStaticGceDetection("macos", "Googlekdjsfhg", false);
+  }
+
+  private void checkStaticGceDetection(String osName, String productContent, boolean expected) {
+    assumeTrue(
+        System.getProperty("os.name").toLowerCase().startsWith("linux"),
+        "This test only runs on Linux.");
     TestDefaultCredentialsProvider testProvider = new TestDefaultCredentialsProvider();
-    testProvider.setProperty("os.name", "macos");
+    testProvider.setProperty("os.name", osName);
     String productFilePath = SMBIOS_PATH_LINUX;
-    InputStream productStream = new ByteArrayInputStream("Googlekdjsfhg".getBytes());
+    InputStream productStream = new ByteArrayInputStream(productContent.getBytes());
     testProvider.addFile(productFilePath, productStream);
 
-    assertFalse(ComputeEngineCredentials.checkStaticGceDetection(testProvider));
+    assertEquals(expected, ComputeEngineCredentials.checkStaticGceDetection(testProvider));
   }
 
   @Test