When I call MessageDigest.digest() and similar methods that produce the final hash, is the resulting byte array guaranteed to be a new copy, free of other references? Or do I still need to make a defensive copy using e.g. messageDigest.digest().clone()?
I can't find any documentation on this. It would seem a big usability issue, not to mention a performance hit, if I need to call clone() every time I generate a message digest. On the other hand, if it isn't guaranteed to be free of other references, this would present a potential memory leak and security risk.