RFR: 8378003: JarURLConnection.getCertificates() incorrectly returns null for signed JAR files after JDK-8377338

Jaikiran Pai jpai at openjdk.org
Mon Feb 16 16:10:47 UTC 2026 

Can I please get a review of this change which addresses a regression that was introduced after the integration of https://bugs.openjdk.org/browse/JDK-8377338?

As noted in https://bugs.openjdk.org/browse/JDK-8378003, after the change in JDK-8377338, `JarURLConnection.getCertificates()` and `getCodeSigners()` started incorrectly returning null for JAR entries in signed JAR files.

The original change in JDK-8377338 removed the overridden `getCertificates()` and `getCodeSigners()` methods from `URLJarFile$URLJarFileEntry`. When doing that I had verified that the `getCertificates()` and `getCodeSigners()` that would get now invoked on `java.util.jar.JarEntry` (due to the removal of these overridden methods) were indeed returning the certificates and codesigners that belong to the underlying `JarEntry` `je`. I was assured of this because the `certs` and `signers` fields were captured in the constructor of `JarEntry` constructor:


public JarEntry(JarEntry je) {
    this((ZipEntry)je);
    this.attr = je.attr;
    this.certs = je.certs;
    this.signers = je.signers;
}

and then JarEntry.getCertificates() and getCodeSigners() did this:


public Certificate[] getCertificates() {
    return certs == null ? null : certs.clone();
}

public CodeSigner[] getCodeSigners() {
    return signers == null ? null : signers.clone();
}

So removal of the overrides appeared harmless. I however missed the fact that some JarEntry implementations like `java.util.jar.JarFile$JarFileEntry` compute the `certs` and `signers` field lazily. So when such `JarEntry` is passed to the ("copy") constructor of `JarEntry`, `null` values are captured for those fields. The removal of the overridden methods thus meant that the explicit calls to `JarEntry.getCertificates/getCodeSigners()` to compute the certs and signers no longer happened. This is what caused the regression.

This also exposed the lack of tests in this area. I have now introduced a jtreg test to reproduce the issue and verify the fix. The fix reintroduces the overrides in `URLJarFile$URLJarFileEntry` and explicitly calls the `getCertificates()` and `getCodeSigners()` on the underlying `je` JarEntry. At the same time, it retains the original goal of JDK-8377338 and doesn't clone the returned arrays to prevent the duplicated array cloning.

P.S: I am willing to completely backout the change done in JDK-8377338 and retain just this new test, if that's preferred.

-------------

Commit messages:
 - 8378003: JarURLConnection.getCertificates() incorrectly returns null for signed JAR files after JDK-8377338
 - Add a test

Changes: https://git.openjdk.org/jdk/pull/29748/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=29748&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8378003
  Stats: 203 lines in 2 files changed: 203 ins; 0 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/29748.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/29748/head:pull/29748

PR: https://git.openjdk.org/jdk/pull/29748

More information about the net-dev mailing list