8366522: CodeSource.getCodeSigners() throws NPE within empty certs

Reviewed-by: mullan
2026-01-28 03:58:21 +00:00 · 2026-01-15 18:52:44 +00:00 · 2026-01-15 18:52:44 +00:00 · 3f01e8b9b8
commit 3f01e8b9b8
parent 34705a77f9
2 changed files with 117 additions and 2 deletions
--- a/src/java.base/share/classes/java/security/CodeSource.java
+++ b/src/java.base/share/classes/java/security/CodeSource.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2026, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -238,7 +238,12 @@ public class CodeSource implements java.io.Serializable {
        } else if (certs != null) {
            // Convert the certs to code signers
            signers = convertCertArrayToSignerArray(certs);
-            return signers.clone();
+            if (signers != null) {
+                return signers.clone();
+
+            } else {
+                return new CodeSigner[0];
+            }

        } else {
            return null;
--- a/test/jdk/java/security/CodeSource/CodeSourceNoInputs.java
+++ b/test/jdk/java/security/CodeSource/CodeSourceNoInputs.java
@ -0,0 +1,110 @@
+/*
+ * Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.CodeSigner;
+import java.security.CodeSource;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+
+/**
+ * @test
+ * @bug 8366522
+ * @summary Verify that getCertificates() and getCodeSigners() return correct
+ *          results when CodeSource is created with empty or null Certificate[]
+ *          or CodeSigner[] arguments, or there are no X509 certificates in
+ *          certs. Make sure that NPE is not thrown from
+ *          CodeSource.getCodeSigners()
+ */
+public class CodeSourceNoInputs {
+    private static final Certificate NON_X509_CERT = new Certificate("") {
+        @Override
+        public byte[] getEncoded() {
+            return new byte[0];
+        }
+
+        @Override
+        public void verify(PublicKey key) {
+        }
+
+        @Override
+        public void verify(PublicKey key, String sigProvider) {
+        }
+
+        @Override
+        public String toString() {
+            return "";
+        }
+
+        @Override
+        public PublicKey getPublicKey() {
+            return null;
+        }
+    };
+
+    public static void main(String[] args) throws Exception {
+        CodeSource cs;
+
+        cs = new CodeSource(null, (Certificate[]) null);
+        if (cs.getCodeSigners() != null || cs.getCertificates() != null) {
+
+            throw new SecurityException("Both CodeSource.getCodeSigners() " +
+                "and CodeSource.getCertificates() should return null for " +
+                "new CodeSource(null, (Certificate[]) null)");
+        }
+
+        cs = new CodeSource(null, (CodeSigner[]) null);
+        if (cs.getCodeSigners() != null || cs.getCertificates() != null) {
+
+            throw new SecurityException("Both CodeSource.getCodeSigners() " +
+                "and CodeSource.getCertificates() should return null for " +
+                "new CodeSource(null, (CodeSigners[]) null)");
+        }
+
+        cs = new CodeSource(null, new Certificate[0]);
+        if (cs.getCodeSigners().length != 0
+            || cs.getCertificates().length != 0) {
+
+            throw new SecurityException("Both CodeSource.getCodeSigners()" +
+                "and CodeSource.getCertificates() should return empty arrays " +
+                "for new CodeSource(null, new Certificate[0])");
+
+        }
+
+        cs = new CodeSource(null, new CodeSigner[0]);
+        if (cs.getCodeSigners().length != 0
+            || cs.getCertificates().length != 0) {
+
+            throw new SecurityException("Both CodeSource.getCodeSigners() and" +
+                " CodeSource.getCertificates() should return empty arrays for" +
+                " new CodeSource(null, new CodeSigners[0])");
+        }
+
+        cs = new CodeSource(null, new Certificate[]{NON_X509_CERT});
+        if (cs.getCodeSigners().length != 0 || cs.getCertificates() == null) {
+
+            throw new SecurityException("Both CodeSource.getCodeSigners() and" +
+                " CodeSource.getCertificates() should return arrays for new" +
+                " CodeSource(null, new CodeSigners[1]{NON-X509-CERTIFICATE})");
+        }
+    }
+}