fix(gdch): support EC private keys#1896
Merged
diegomarquezp merged 65 commits intomainfrom Apr 8, 2026
Merged
Conversation
diegomarquezp
changed the title
lqiu96
reviewed
Mar 24, 2026
|
Acceso
El martes, 24 de marzo de 2026, Lawrence ***@***.***>
escribió:
… ***@***.**** commented on this pull request.
------------------------------
In oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java
<#1896 (comment)>
:
> private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
+ @VisibleForTesting static final String SUPPORTED_FORMAT_VERSION = "1";
+
+ private static final String SERVICE_ACCOUNT_TOKEN_TYPE =
any documentation regarding this specific Uniform Resource Name and the
k8s variant? Why does GDCH require this one?
—
Reply to this email directly, view it on GitHub
<#1896?email_source=notifications&email_token=B5MKPO3KWUKTX3EMNGA4SAT4SK7YTA5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTIMBQGA4TIMRTGQ3KM4TFMFZW63VHMNXW23LFNZ2KKZLWMVXHJLDGN5XXIZLSL5RWY2LDNM#pullrequestreview-4000942346>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/B5MKPO4GWQZHDG3EL3IWC734SK7YTAVCNFSM6AAAAACWHGYLYWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHM2DAMBQHE2DEMZUGY>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
lqiu96
reviewed
Mar 26, 2026
lqiu96
reviewed
Mar 26, 2026
| private static final String SA_PRIVATE_KEY_PKCS8 = | ||
| ServiceAccountCredentialsTest.PRIVATE_KEY_PKCS8; | ||
| private static final String GDCH_SA_FORMAT_VERSION = GdchCredentials.SUPPORTED_FORMAT_VERSION; | ||
| private static final String GDCH_SA_FORMAT_VERSION = |
Member
There was a problem hiding this comment.
can the tests just use GdchCredentials.SUPPORTED_JSON_FORMAT_VERSION constant directly?
Contributor
Author
There was a problem hiding this comment.
Good point, done.
lqiu96
reviewed
Mar 26, 2026
Comment on lines
+1094
to
+1114
| // SEQUENCE length doesn't match actual length | ||
| byte[] invalidDer = new byte[] {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02}; | ||
| GoogleAuthException e = | ||
| assertThrows( | ||
| GoogleAuthException.class, () -> GdchCredentials.transcodeDerToConcat(invalidDer, 64)); | ||
| assertEquals("Invalid DER signature length.", e.getMessage()); | ||
| } | ||
|
|
||
| @Test | ||
| void transcodeDerToConcat_invalidRInteger() { | ||
| // Missing INTEGER for R | ||
| byte[] invalidDer = new byte[] {0x30, 0x06, 0x03, 0x01, 0x01, 0x02, 0x01, 0x02}; | ||
| GoogleAuthException e = | ||
| assertThrows( | ||
| GoogleAuthException.class, () -> GdchCredentials.transcodeDerToConcat(invalidDer, 64)); | ||
| assertEquals("Expected INTEGER for R.", e.getMessage()); | ||
| } | ||
|
|
||
| @Test | ||
| void transcodeDerToConcat_invalidSInteger() { | ||
| // Missing INTEGER for S |
Member
There was a problem hiding this comment.
For these test cases, can the comment show where it's missing the INTEGER value?
// Missing INTEGER for R
Is it missing something from byte[] invalidDer = new byte[] {0x30, 0x06, 0x03, 0x01, 0x01, 0x02, 0x01, 0x02};?
Contributor
Author
There was a problem hiding this comment.
Added a more specific comment
lqiu96
reviewed
Mar 26, 2026
oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
Outdated
Show resolved
Hide resolved
lqiu96
approved these changes
Mar 26, 2026
Member
lqiu96
left a comment
lqiu96
left a comment
There was a problem hiding this comment.
Changes LGTM. added a few comments.
product-auto-label
bot
added
size: xl
lqiu96
reviewed
Apr 3, 2026
Comment on lines
+305
to
+311
| if (algorithm == Pkcs8Algorithm.EC) { | ||
| reader = new StringReader(privateKeyPkcs8); | ||
| section = PemReader.readFirstSectionAndClose(reader, "EC PRIVATE KEY"); | ||
| if (section != null) { | ||
| return privateKeyFromSec1(section.getBase64DecodedBytes()); | ||
| } | ||
| } |
Member
There was a problem hiding this comment.
Is PKCS#8 or SEC1 two different algorithms/ flows? Also Is this logic only needed for GDCH?
If so, can this logic exists inside GDCH itself?
e.g.
- Check the first section and determine if we should call pckc8 or sec1 method
- call privateKeyFromPkcs8 or privateKeyFromSec1
I think it would better to separate these concerns since it looks like privateKeyFromPkcs8 is now also making a call to privateKeyFromSec1. I think we have added proper checks, but since this resides in OAuth2Utils I'm worried this behavior may have unknown impact.
Contributor
Author
There was a problem hiding this comment.
Done. I still kept the algorithm parameter in OAuth2Utils to parse EC keys. WDYT?
diegomarquezp
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
lqiu96
reviewed
Apr 7, 2026
lqiu96
reviewed
Apr 7, 2026
product-auto-label
bot
added
size: l
|
lqiu96
pushed a commit
to googleapis/google-cloud-java
that referenced
this pull request
Apr 8, 2026
* fix: allow for ES algorithm in GdchCredentials * test: partially adapt tests * test: finish adjusting tests * chore: format * fix: restore credential name * docs: restore license * fix: restore removed code * test: increase coverage * test(gdch): parameterize test * test: remove unused var * chore: remove unused throw clause * test: parameterize more * fix: remove unused parameter * fix: make variables final as intended * fix: remove unused throw clause * fix: remove unused throw clause * fix: make OAuth2Credentials clock package private for production code * fix: use non deprecated base 64 encoder * test: parameterize flagged tests * chore: format * test: fix assertion * build: remove unused dependency * test: run linux gce only on linux envs * fix: sonarqube flags (use java.util.Base64) * fix: improve error message template * fix: keep overload of "with audience" that takes an URI * fix: restore public getter of getApiAudience * docs: add javadoc for signing logic * test: test private signature and decode methods * fix: add null and empty check for audience string * docs: add javadoc for audience getters * fix: use enum for possible algorithms * fix: use obsolete javadoc instead of @deprecated * refactor: use OAuth2Utils validate methods in GdchCredentials * fix: restore GoogleAuthException throwing in GdchCredentials * refactor: downgrade Pkcs8Algorithm and privateKeyFromPkcs8 to package-private * refactor: split parseBody into parseJson and parseQuery in test utilities * refactor: remove validation reflection by making signUsingEsSha256 package-private * test: use hardcoded string literal for gdch api audience in test * test: refactor to use assertThrows in GdchCredentialsTest and remove host OS check in DefaultCredentialsProviderTest * fix: add comment about EC algorithm support in GdchCredentials * fix: update GDCH audience error message to be more descriptive * refactor: rename getApiAudienceString to getGdchAudience * fix: Remove unused import * docs: update GDCH audience getter javadocs * test: add null-checks to builder and corresponding tests * refactor: consolidate token type constants using OAuth2Utils * refactor: throw GoogleAuthException for signing and transcoding errors * docs: add javadoc to related test utils * fix: use GoogleAuthException * test: use assertThrows where applicable * refactor: replace Preconditions with Strings.isNullOrEmpty for audience checks * fix: consistent exception message * chore: format * test: use lowercase os name * chore: address review comments for PR #1896 * chore: format * Finalizing GDCH credentials support by addressing reviewer comments * chore: format * fix: parse EC private keys with SEC1 algorithm * chore: format * fix: separate PKCs8 vs SEC1 logic in GdchCredentials * fix: improved exception message, added comments to extractPrivateKeyValue Original-PR: googleapis/google-auth-library-java#1896
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context: b/488439640
Implementation originally proposed in b/431924643#comment9
The primary objective is to enable support for Elliptic Curve (EC) keys and non-URI audience formats, aligning the Java SDK with the behavior of the Python and Go implementations. Additionally, the GDCH key creation tool creates EC keys only, meaning the GDCH implementation was not following the convention.
Key Changes
apiAudiencefield from aURIto aStringto accommodate "magic" non-URI strings (e.g., specific administrative audiences) required by certain GDCH services.privateKeyFromPkcs8to accept an algorithm parameter, allowing the library to parse EC keys instead of defaulting exclusively to RSA.Testing
GdchCredentialsTestto include test cases for EC key parsing and token signing.