Added separate test class for mTLS-utils. Added missing cert and malformed cert tests to X509Provider.

Author: vverman

oauth2_http/java/com/google/auth/mtls/MtlsUtils.java

@@ -115,15 +115,20 @@ static WorkloadCertificateConfiguration getWorkloadCertificateConfiguration(
   }
 
   private static File getWellKnownCertificateConfigFile(
-      EnvironmentProvider envProvider, PropertyProvider propProvider) {
+      EnvironmentProvider envProvider, PropertyProvider propProvider) throws IOException {
     File cloudConfigPath;
     String envPath = envProvider.getEnv("CLOUDSDK_CONFIG");
     if (envPath != null) {
       cloudConfigPath = new File(envPath);
     } else {
       String osName = propProvider.getProperty("os.name", "").toLowerCase(Locale.US);
       if (osName.indexOf("windows") >= 0) {
-        File appDataPath = new File(envProvider.getEnv("APPDATA"));
+        String appData = envProvider.getEnv("APPDATA");
+        if (Strings.isNullOrEmpty(appData)) {
+          throw new CertificateSourceUnavailableException(
+              "APPDATA environment variable is not set on Windows.");
+        }
+        File appDataPath = new File(appData);
         cloudConfigPath = new File(appDataPath, CLOUDSDK_CONFIG_DIRECTORY);
       } else {
         File configPath = new File(propProvider.getProperty("user.home", ""), ".config");

oauth2_http/java/com/google/auth/oauth2/EnvironmentProvider.java

@@ -1,3 +1,33 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 package com.google.auth.oauth2;
 
 import com.google.api.core.InternalApi;

oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java

@@ -176,9 +176,6 @@ private IdentityPoolSubjectTokenSupplier createCertificateSubjectTokenSupplier(
 
   private X509Provider getX509Provider(
       Builder builder, IdentityPoolCredentialSource credentialSource) {
-    final IdentityPoolCredentialSource.CertificateConfig certConfig =
-        credentialSource.getCertificateConfig();
-
     // Use the provided X509Provider if available, otherwise initialize a default one.
     X509Provider x509Provider = builder.x509Provider;
     if (x509Provider == null) {
@@ -193,6 +190,9 @@ private X509Provider getX509Provider(
   private static String getExplicitCertConfigPath(IdentityPoolCredentialSource credentialSource) {
     IdentityPoolCredentialSource.CertificateConfig certConfig =
         credentialSource.getCertificateConfig();
+    if (certConfig == null) {
+      return null;
+    }
     return certConfig.useDefaultCertificateConfig()
         ? null
         : certConfig.getCertificateConfigLocation();

oauth2_http/java/com/google/auth/oauth2/PropertyProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are

oauth2_http/java/com/google/auth/oauth2/SystemPropertyProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are

oauth2_http/javatests/com/google/auth/mtls/MtlsUtilsTest.java

@@ -0,0 +1,246 @@
+/*
+ * Copyright 2026, Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.mtls;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import com.google.auth.oauth2.EnvironmentProvider;
+import com.google.auth.oauth2.PropertyProvider;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+class MtlsUtilsTest {
+
+  @TempDir Path tempDir;
+
+  @Test
+  void getCertificatePath_succeeds() throws IOException {
+    Path configFile = tempDir.resolve("config.json");
+    Files.write(
+        configFile,
+        "{\"cert_configs\":{\"workload\":{\"cert_path\":\"cert.pem\",\"key_path\":\"key.pem\"}}}"
+            .getBytes());
+
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return def;
+          }
+        };
+
+    String certPath =
+        MtlsUtils.getCertificatePath(envProvider, propProvider, configFile.toString());
+
+    assertEquals("cert.pem", certPath);
+  }
+
+  @Test
+  void getCertificatePath_missingCertPath_throws() throws IOException {
+    Path configFile = tempDir.resolve("config.json");
+    Files.write(
+        configFile, "{\"cert_configs\":{\"workload\":{\"key_path\":\"key.pem\"}}}".getBytes());
+
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return def;
+          }
+        };
+
+    assertThrows(
+        IllegalArgumentException.class,
+        () -> MtlsUtils.getCertificatePath(envProvider, propProvider, configFile.toString()));
+  }
+
+  @Test
+  void getWorkloadCertificateConfiguration_overridePath() throws IOException {
+    Path configFile = tempDir.resolve("custom_config.json");
+    Files.write(
+        configFile,
+        "{\"cert_configs\":{\"workload\":{\"cert_path\":\"cert.pem\",\"key_path\":\"key.pem\"}}}"
+            .getBytes());
+
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return def;
+          }
+        };
+
+    WorkloadCertificateConfiguration config =
+        MtlsUtils.getWorkloadCertificateConfiguration(
+            envProvider, propProvider, configFile.toString());
+
+    assertNotNull(config);
+    assertEquals("cert.pem", config.getCertPath());
+    assertEquals("key.pem", config.getPrivateKeyPath());
+  }
+
+  @Test
+  void getWorkloadCertificateConfiguration_envVar() throws IOException {
+    Path configFile = tempDir.resolve("env_config.json");
+    Files.write(
+        configFile,
+        "{\"cert_configs\":{\"workload\":{\"cert_path\":\"cert.pem\",\"key_path\":\"key.pem\"}}}"
+            .getBytes());
+
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return "GOOGLE_API_CERTIFICATE_CONFIG".equals(name) ? configFile.toString() : null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return def;
+          }
+        };
+
+    WorkloadCertificateConfiguration config =
+        MtlsUtils.getWorkloadCertificateConfiguration(envProvider, propProvider, null);
+
+    assertNotNull(config);
+    assertEquals("cert.pem", config.getCertPath());
+  }
+
+  @Test
+  void getWellKnownCertificateConfigFile_windows() throws IOException {
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return "APPDATA".equals(name) ? tempDir.toString() : null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return "os.name".equals(name) ? "Windows 10" : def;
+          }
+        };
+
+    CertificateSourceUnavailableException exception =
+        assertThrows(
+            CertificateSourceUnavailableException.class,
+            () -> MtlsUtils.getWorkloadCertificateConfiguration(envProvider, propProvider, null));
+
+    String expectedPath =
+        new File(tempDir.toFile(), "gcloud/certificate_config.json").getAbsolutePath();
+    assertTrue(exception.getMessage().contains(expectedPath));
+  }
+
+  @Test
+  void getWellKnownCertificateConfigFile_linux() throws IOException {
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            if ("os.name".equals(name)) return "Linux";
+            if ("user.home".equals(name)) return tempDir.toString();
+            return def;
+          }
+        };
+
+    CertificateSourceUnavailableException exception =
+        assertThrows(
+            CertificateSourceUnavailableException.class,
+            () -> MtlsUtils.getWorkloadCertificateConfiguration(envProvider, propProvider, null));
+
+    String expectedPath =
+        new File(tempDir.toFile(), ".config/gcloud/certificate_config.json").getAbsolutePath();
+    assertTrue(exception.getMessage().contains(expectedPath));
+  }
+
+  @Test
+  void getWellKnownCertificateConfigFile_windows_missingAppData_throws() {
+    EnvironmentProvider envProvider =
+        new EnvironmentProvider() {
+          @Override
+          public String getEnv(String name) {
+            return null;
+          }
+        };
+    PropertyProvider propProvider =
+        new PropertyProvider() {
+          @Override
+          public String getProperty(String name, String def) {
+            return "os.name".equals(name) ? "Windows 10" : def;
+          }
+        };
+
+    CertificateSourceUnavailableException exception =
+        assertThrows(
+            CertificateSourceUnavailableException.class,
+            () -> MtlsUtils.getWorkloadCertificateConfiguration(envProvider, propProvider, null));
+
+    assertEquals("APPDATA environment variable is not set on Windows.", exception.getMessage());
+  }
+}

oauth2_http/javatests/com/google/auth/mtls/X509ProviderTest.java

@@ -169,4 +169,43 @@ void x509Provider_succeeds_withWindowsPath()
     assertEquals(1, store.size());
     assertNotNull(store.getCertificateAlias(expectedCert));
   }
+
+  @Test
+  void x509Provider_certFileDoesntExist_throws() throws IOException {
+    Path tempConfig = Files.createTempFile("config", ".json");
+    tempConfig.toFile().deleteOnExit();
+    Path nonExistentCert = tempConfig.getParent().resolve("non_existent_cert.pem");
+
+    Files.write(
+        tempConfig,
+        ("{\"cert_configs\":{\"workload\":{\"cert_path\":\""
+                + nonExistentCert.toString()
+                + "\",\"key_path\":\"key.pem\"}}}")
+            .getBytes());
+
+    X509Provider testProvider = new X509Provider(tempConfig.toString());
+
+    assertThrows(IOException.class, testProvider::getKeyStore);
+  }
+
+  @Test
+  void x509Provider_malformedCert_throws() throws IOException {
+    Path tempConfig = Files.createTempFile("config", ".json");
+    tempConfig.toFile().deleteOnExit();
+    Path malformedCert = Files.createTempFile("badcert", ".pem");
+    malformedCert.toFile().deleteOnExit();
+
+    Files.write(malformedCert, "This is not a valid certificate".getBytes());
+
+    Files.write(
+        tempConfig,
+        ("{\"cert_configs\":{\"workload\":{\"cert_path\":\""
+                + malformedCert.toString()
+                + "\",\"key_path\":\"key.pem\"}}}")
+            .getBytes());
+
+    X509Provider testProvider = new X509Provider(tempConfig.toString());
+
+    assertThrows(Exception.class, testProvider::getKeyStore);
+  }
 }

oauth2_http/javatests/com/google/auth/oauth2/TestPropertyProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are