RFR: 8370688: java.util.jar.JarEntry.getCodeSigners() and getCertificates() should specify that they return a copy of the arrays
Alan Bateman
alanb at openjdk.org
Wed Dec 3 10:38:25 UTC 2025
On Wed, 3 Dec 2025 09:43:27 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:
> > As far as I remember, we have similar text in some API specification for methods that return a copy of the array, reusing that text might be useful (I'll try and find such an instance).
>
> `javax.net.ssl.SSLParameters` has a few APIs which word this in a couple of different ways:
>
> https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/SSLParameters.html#getCipherSuites()
>
> ```
> Returns:
> a copy of the array of ciphersuites or null if none have been set.
> ```
A SSLParameters is optionally created with array of cipher suites so it works there. A JarEntry is not created with an array so I don't think this wording make sense.
> https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/SSLParameters.html#getApplicationProtocols()
>
> ```
> This method will return a new array each time it is invoked.
> ```
That could work for JarEntry although debatable if we really need this.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28615#issuecomment-3606176594
More information about the security-dev
mailing list