
When I call MessageDigest.digest() and similar methods that produce the final hash, is the resulting byte array guaranteed to be a new copy, free of other references? Or do I still need to make a defensive copy using e.g. messageDigest.digest().clone()?

I can't find any documentation on this. It would seem a big usability issue, not to mention a performance hit, if I need to call clone() every time I generate a message digest. On the other hand, if it isn't guaranteed to be free of other references, this would present a potential memory leak and security risk.

Garret Wilson
  • I have a hard time imagining what would keep references to them. It's most likely a local variable that gets returned and that's it, but you can always check the source. I doubt there are any explicit guarantees about it, but I'd expect the Crypto API designers to have a pretty good grip on things like this. – Kayaman May 21 '22 at 16:50
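
The question can be probed empirically on a given JVM. The following is an added example, not part of the original question or comment: a hypothetical `DigestAliasProbe` class (the class and method names are assumptions) that walks every installed `MessageDigest` implementation, overwrites the arrays it got back from `digest()`, and checks that later results are distinct objects and still correct.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

// Added example: hypothetical probe, not code from the JDK or from the post.
public class DigestAliasProbe {

    /** True if digest() results look unshared for this instance. */
    static boolean returnsIndependentArray(MessageDigest md, byte[] input) {
        byte[] first = md.digest(input);   // digest() also resets the instance
        byte[] expected = first.clone();   // reference value kept for comparison
        byte[] second = md.digest(input);
        if (first == second) {
            return false;                  // same array object handed out twice
        }
        // Simulate a caller overwriting the arrays it was given.
        Arrays.fill(first, (byte) 0);
        Arrays.fill(second, (byte) 0xFF);
        byte[] third = md.digest(input);   // must still be the correct hash
        return third != first && third != second
                && Arrays.equals(third, expected);
    }

    public static void main(String[] args) {
        // Constructed sample input; any byte string works.
        byte[] input = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if (!"MessageDigest".equals(service.getType())) {
                    continue;
                }
                String status;
                try {
                    MessageDigest md =
                            MessageDigest.getInstance(service.getAlgorithm(), provider);
                    status = returnsIndependentArray(md, input) ? "independent" : "SHARED";
                } catch (Exception e) {
                    status = "skipped (" + e.getClass().getSimpleName() + ")";
                }
                System.out.printf("%-14s %-22s %s%n",
                        provider.getName(), service.getAlgorithm(), status);
            }
        }
    }
}
```

A pass is evidence about the providers installed on that JVM, not a documented guarantee: the probe cannot see an implementation that keeps a reference to the returned array without reusing it.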

0 Answers