RFR: 8370688: java.util.jar.JarEntry.getCodeSigners() and getCertificates() should specify that they return a copy of the arrays
Sean Mullan
mullan at openjdk.org
Wed Dec 3 14:00:48 UTC 2025
On Wed, 3 Dec 2025 10:35:40 GMT, Alan Bateman <alanb at openjdk.org> wrote:
> > > As far as I remember, we have similar text in some API specification for methods that return a copy of the array, reusing that text might be useful (I'll try and find such an instance).
> >
> >
> > `javax.net.ssl.SSLParameters` has a few APIs which word this in a couple of different ways:
> > https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/SSLParameters.html#getCipherSuites()
> > ```
> > Returns:
> > a copy of the array of ciphersuites or null if none have been set.
> > ```
>
> A SSLParameters is optionally created with array of cipher suites so it works there. A JarEntry is not created with an array so I don't think this wording make sense.
>
> > https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/net/ssl/SSLParameters.html#getApplicationProtocols()
> > ```
> > This method will return a new array each time it is invoked.
> > ```
>
> That could work for JarEntry although debatable if we really need this.
The second one looks good to me. This will need a CSR.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28615#issuecomment-3606998031
More information about the security-dev
mailing list