RFR: 8366522: CodeSource.getCodeSigners() throws NPE within empty certs [v3]
Kirill Shirokov
duke at openjdk.org
Tue Dec 30 03:29:57 UTC 2025
On Thu, 30 Oct 2025 17:15:53 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Kirill Shirokov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>>
>> - Merge branch 'master' into JDK-8366522-fix-npe-codeSourceGetCodeSigners
>> - Merge branch 'master' into JDK-8366522-fix-npe-codeSourceGetCodeSigners
>> - 8366522: CodeSource.getCodeSigners() throws NPE within empty certs
>
> src/java.base/share/classes/java/security/CodeSource.java line 241:
>
>> 239: // Convert the certs to code signers
>> 240: signers = convertCertArrayToSignerArray(certs);
>> 241: if (signers != null) {
>
> I think this should return an empty array, and not null. This would make it consistent with `CodeSource.getCertificates()` which returns an empty array when a `CodeSource` object is constructed with an empty array of `CodeSigner`.
I agree, considering the statement from line 666:
private CodeSigner[] convertCertArrayToSignerArray(
...
if (signers.isEmpty()) {
return null;
}
This would make getCodeSigners() return value more consistent for the following corner cases:
new CodeSource(certificates=null): getCertificates()=null; getCodeSigners()=null
new CodeSource(certificates=[]): getCertificates()=[]; getCodeSigners()=[]
new CodeSource(certificates=[NON-X509-CERT]): getCertificates()=[]; getCodeSigners()=[]
new CodeSource(codeSigners=null): getCertificates()=null; getCodeSigners()=null
new CodeSource(codeSigners=[]): getCertificates()=[]; getCodeSigners()=[]
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27105#discussion_r2652139979
More information about the security-dev
mailing list