feat: Add support for mTLS authentication via X.509 certificates

This commit introduces a new credential source type, 'certificate', enabling the use of mTLS for authentication with X.509 certificates. It includes the necessary logic to load certificate configurations (both explicit paths and default locations) and establish an mTLS-enabled transport.

Author: nbayati

oauth2_http/java/com/google/auth/mtls/X509Provider.java

@@ -52,8 +52,9 @@ public class X509Provider {
   static final String CERTIFICATE_CONFIGURATION_ENV_VARIABLE = "GOOGLE_API_CERTIFICATE_CONFIG";
   static final String WELL_KNOWN_CERTIFICATE_CONFIG_FILE = "certificate_config.json";
   static final String CLOUDSDK_CONFIG_DIRECTORY = "gcloud";
+  private WorkloadCertificateConfiguration loadedConfig;
 
-  private String certConfigPathOverride;
+  private final String certConfigPathOverride;
 
   /**
    * Creates an X509 provider with an override path for the certificate configuration, bypassing the
@@ -75,6 +76,34 @@ public X509Provider() {
     this(null);
   }
 
+  /**
+   * Returns the path to the client certificate file specified by the loaded workload certificate
+   * configuration.
+   *
+   * <p>If the configuration has not been loaded yet (e.g., if {@link #getKeyStore()} has not been
+   * called), this method will attempt to load it first by searching the override path, environment
+   * variable, and well-known locations.
+   *
+   * @return The path to the certificate file.
+   * @throws IOException if the certificate configuration cannot be found or loaded, or if the
+   *     configuration file does not specify a certificate path.
+   * @throws CertificateSourceUnavailableException if the configuration file is not found.
+   */
+  public String getCertificatePath() throws IOException {
+    if (loadedConfig == null) {
+      // Attempt to load the configuration. This call might throw IOException or
+      // CertificateSourceUnavailableException if loading fails.
+      loadedConfig = getWorkloadCertificateConfiguration();
+    }
+    String certPath = loadedConfig.getCertPath();
+    if (Strings.isNullOrEmpty(certPath)) {
+      // Ensure the loaded configuration actually contains the required path.
+      throw new IOException(
+          "Certificate configuration loaded successfully, but does not contain a 'certificate_file' path.");
+    }
+    return certPath;
+  }
+
   /**
    * Finds the certificate configuration file, then builds a Keystore using the X.509 certificate
    * and private key pointed to by the configuration. This will check the following locations in
@@ -90,8 +119,10 @@ public X509Provider() {
    * @throws IOException if there is an error retrieving the certificate configuration.
    */
   public KeyStore getKeyStore() throws IOException {
-
-    WorkloadCertificateConfiguration workloadCertConfig = getWorkloadCertificateConfiguration();
+    if (loadedConfig == null) {
+      loadedConfig = getWorkloadCertificateConfiguration();
+    }
+    WorkloadCertificateConfiguration workloadCertConfig = loadedConfig;
 
     InputStream certStream = null;
     InputStream privateKeyStream = null;

oauth2_http/java/com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonPrimitive;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.InvalidPathException;
+import java.nio.file.Paths;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+
+/**
+ * Provider for retrieving subject tokens for {@link IdentityPoolCredentials} by reading an X.509
+ * certificate from the filesystem. The certificate file (e.g., PEM or DER encoded) is read, the
+ * leaf certificate is base64-encoded (DER format), wrapped in a JSON array, and used as the subject
+ * token for STS exchange.
+ */
+public class CertificateIdentityPoolSubjectTokenSupplier
+    implements IdentityPoolSubjectTokenSupplier {
+
+  private static final Gson GSON = new Gson();
+  private final IdentityPoolCredentialSource credentialSource;
+
+  CertificateIdentityPoolSubjectTokenSupplier(IdentityPoolCredentialSource credentialSource) {
+    this.credentialSource = checkNotNull(credentialSource, "credentialSource cannot be null");
+    // This check ensures that the credential source was intended for certificate usage.
+    // IdentityPoolCredentials logic should guarantee credentialLocation is set in this case.
+    checkNotNull(
+        credentialSource.certificateConfig,
+        "credentialSource.certificateConfig cannot be null when creating"
+            + " CertificateIdentityPoolSubjectTokenSupplier");
+  }
+
+  private static X509Certificate loadLeafCertificate(String path)
+      throws IOException, CertificateException {
+    byte[] leafCertBytes;
+    try {
+      // IdentityPoolCredentials should have already validated the path exists via X509Provider.
+      leafCertBytes = Files.readAllBytes(Paths.get(path));
+    } catch (InvalidPathException e) {
+      throw new IOException("Invalid certificate file path provided: " + path, e);
+    }
+    // Files.readAllBytes throws IOException for other read errors.
+    return parseCertificate(leafCertBytes);
+  }
+
+  private static X509Certificate parseCertificate(byte[] certData) throws CertificateException {
+    if (certData == null || certData.length == 0) {
+      throw new IllegalArgumentException("Invalid certificate data: empty or null input");
+    }
+
+    try {
+      CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+      InputStream certificateStream = new ByteArrayInputStream(certData);
+      return (X509Certificate) certificateFactory.generateCertificate(certificateStream);
+    } catch (CertificateException e) {
+      throw new CertificateException("Failed to parse X.509 certificate data.", e);
+    }
+  }
+
+  private static String encodeCert(X509Certificate certificate)
+      throws CertificateEncodingException {
+    return Base64.getEncoder().encodeToString(certificate.getEncoded());
+  }
+
+  @Override
+  public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
+    try {
+      // credentialSource.credentialLocation is expected to be non-null here,
+      // set during IdentityPoolCredentials construction for certificate type.
+      X509Certificate leafCert = loadLeafCertificate(credentialSource.credentialLocation);
+      String encodedCert = encodeCert(leafCert);
+
+      JsonArray certChain = new JsonArray();
+      certChain.add(new JsonPrimitive(encodedCert));
+
+      return GSON.toJson(certChain);
+    } catch (CertificateException e) {
+      throw new IOException(
+          "Failed to parse certificate from: " + credentialSource.credentialLocation, e);
+    }
+  }
+}

oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentialSource.java

@@ -31,6 +31,8 @@
 
 package com.google.auth.oauth2;
 
+import static com.google.common.base.Preconditions.checkArgument;
+
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
@@ -48,6 +50,157 @@ public class IdentityPoolCredentialSource extends ExternalAccountCredentials.Cre
   String credentialLocation;
   @Nullable String subjectTokenFieldName;
   @Nullable Map<String, String> headers;
+  @Nullable CertificateConfig certificateConfig;
+
+  /**
+   * Extracts and configures the {@link CertificateConfig} from the provided credential source.
+   *
+   * @param credentialSourceMap A map containing the certificate configuration.
+   * @return A new {@link CertificateConfig} instance.
+   * @throws IllegalArgumentException if the 'certificate' entry is not a Map or if required fields
+   *     within the certificate configuration have invalid types.
+   */
+  private CertificateConfig getCertificateConfig(Map<String, Object> credentialSourceMap) {
+    Object certValue = credentialSourceMap.get("certificate");
+    if (!(certValue instanceof Map)) {
+      throw new IllegalArgumentException(
+          "The 'certificate' credential source must be a JSON object (Map).");
+    }
+    Map<String, Object> certificateMap = (Map<String, Object>) certValue;
+
+    Boolean useDefaultCertificateConfig =
+        getOptionalBoolean(certificateMap, "use_default_certificate_config");
+    String trustChain = getOptionalString(certificateMap, "trust_chain_path");
+    String certificateConfigLocation =
+        getOptionalString(certificateMap, "certificate_config_location");
+
+    return new CertificateConfig(
+        useDefaultCertificateConfig, certificateConfigLocation, trustChain);
+  }
+
+  /**
+   * Retrieves an optional boolean value from a map.
+   *
+   * @param map The map to retrieve from.
+   * @param key The key of the boolean value.
+   * @return The boolean value if present and of the correct type, otherwise null.
+   * @throws IllegalArgumentException if the value is present but not a boolean.
+   */
+  private @Nullable Boolean getOptionalBoolean(Map<String, Object> map, String key) {
+    Object value = map.get(key);
+    if (value == null) {
+      return null;
+    }
+    if (!(value instanceof Boolean)) {
+      throw new IllegalArgumentException(
+          String.format(
+              "Invalid type for '%s' in certificate configuration: expected Boolean, got %s.",
+              key, value.getClass().getSimpleName()));
+    }
+    return (Boolean) value;
+  }
+
+  /**
+   * Retrieves an optional string value from a map.
+   *
+   * @param map The map to retrieve from.
+   * @param key The key of the string value.
+   * @return The string value if present and of the correct type, otherwise null.
+   * @throws IllegalArgumentException if the value is present but not a string.
+   */
+  private @Nullable String getOptionalString(Map<String, Object> map, String key) {
+    Object value = map.get(key);
+    if (value == null) {
+      return null;
+    }
+    if (!(value instanceof String)) {
+      throw new IllegalArgumentException(
+          String.format(
+              "Invalid type for '%s' in certificate configuration: expected String, got %s.",
+              key, value.getClass().getSimpleName()));
+    }
+    return (String) value;
+  }
+  /**
+   * Represents the configuration options for X.509-based workload credentials (mTLS). It specifies
+   * how to locate and use the client certificate, private key, and optional trust chain for mutual
+   * TLS authentication.
+   */
+  public static class CertificateConfig implements java.io.Serializable {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * If true, attempts to load the default certificate configuration. It checks the
+     * GOOGLE_API_CERTIFICATE_CONFIG environment variable first, then a conventional default file
+     * location. Cannot be true if {@code certificateConfigLocation} is set.
+     */
+    private final boolean useDefaultCertificateConfig;
+
+    /**
+     * Specifies the path to the client certificate and private key file. This is used when {@code
+     * useDefaultCertificateConfig} is false or unset. Must be set if {@code
+     * useDefaultCertificateConfig} is false.
+     */
+    @Nullable private final String certificateConfigLocation;
+
+    /**
+     * Specifies the path to a PEM-formatted file containing the X.509 certificate trust chain. This
+     * file should contain any intermediate certificates required to complete the trust chain
+     * between the leaf certificate (used for mTLS) and the root certificate(s) in your workload
+     * identity pool's trust store. The leaf certificate and any certificates already present in the
+     * workload identity pool's trust store are optional in this file. Certificates should be
+     * ordered with the leaf certificate (or the certificate which signed the leaf) first.
+     */
+    @Nullable private final String trustChainPath;
+
+    /**
+     * Constructor for {@code CertificateConfig}.
+     *
+     * @param useDefaultCertificateConfig Whether to use the default certificate configuration.
+     * @param certificateConfigLocation Path to the client certificate and private key file.
+     * @param trustChainPath Path to the trust chain file.
+     * @throws IllegalArgumentException if the configuration is invalid (e.g., neither default nor
+     *     location is specified, or both are specified).
+     */
+    CertificateConfig(
+        @Nullable Boolean useDefaultCertificateConfig,
+        @Nullable String certificateConfigLocation,
+        @Nullable String trustChainPath) {
+
+      boolean useDefault = useDefaultCertificateConfig != null && useDefaultCertificateConfig;
+      boolean locationIsPresent =
+          certificateConfigLocation != null && !certificateConfigLocation.isEmpty();
+
+      checkArgument(
+          !(!useDefault && !locationIsPresent),
+          "credentials: \"certificate\" object must either specify a certificate_config_location or use_default_certificate_config should be true");
+
+      checkArgument(
+          !(useDefault && locationIsPresent),
+          "credentials: \"certificate\" object cannot specify both a certificate_config_location and use_default_certificate_config=true");
+
+      this.useDefaultCertificateConfig = useDefault;
+      this.certificateConfigLocation = certificateConfigLocation;
+      this.trustChainPath = trustChainPath;
+    }
+
+    /** Returns whether the default certificate configuration should be used. */
+    public boolean useDefaultCertificateConfig() {
+      return useDefaultCertificateConfig;
+    }
+
+    /** Returns the path to the client certificate file, or null if not set. */
+    @Nullable
+    public String getCertificateConfigLocation() {
+      return certificateConfigLocation;
+    }
+
+    /** Returns the path to the trust chain file, or null if not set. */
+    @Nullable
+    public String getTrustChainPath() {
+      return trustChainPath;
+    }
+  }
 
   /**
    * The source of the 3P credential.
@@ -69,9 +222,15 @@ public class IdentityPoolCredentialSource extends ExternalAccountCredentials.Cre
   public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
     super(credentialSourceMap);
 
-    if (credentialSourceMap.containsKey("file") && credentialSourceMap.containsKey("url")) {
+    boolean filePresent = credentialSourceMap.containsKey("file");
+    boolean urlPresent = credentialSourceMap.containsKey("url");
+    boolean certificatePresent = credentialSourceMap.containsKey("certificate");
+
+    if ((filePresent && urlPresent)
+        || (filePresent && certificatePresent)
+        || (urlPresent && certificatePresent)) {
       throw new IllegalArgumentException(
-          "Only one credential source type can be set, either file or url.");
+          "Only one credential source type can be set: 'file', 'url', or 'certificate'.");
     }
 
     if (credentialSourceMap.containsKey("file")) {
@@ -80,6 +239,9 @@ public IdentityPoolCredentialSource(Map<String, Object> credentialSourceMap) {
     } else if (credentialSourceMap.containsKey("url")) {
       credentialLocation = (String) credentialSourceMap.get("url");
       credentialSourceType = IdentityPoolCredentialSourceType.URL;
+    } else if (credentialSourceMap.containsKey("certificate")) {
+      credentialSourceType = IdentityPoolCredentialSourceType.CERTIFICATE;
+      this.certificateConfig = getCertificateConfig(credentialSourceMap);
     } else {
       throw new IllegalArgumentException(
           "Missing credential source file location or URL. At least one must be specified.");
@@ -121,7 +283,8 @@ boolean hasHeaders() {
 
   enum IdentityPoolCredentialSourceType {
     FILE,
-    URL
+    URL,
+    CERTIFICATE
   }
 
   enum CredentialFormatType {