diff --git a/src/java.base/share/classes/java/security/cert/TrustAnchor.java b/src/java.base/share/classes/java/security/cert/TrustAnchor.java
index fd5bf6a2da10a..0dc7b7014de20 100644
--- a/src/java.base/share/classes/java/security/cert/TrustAnchor.java
+++ b/src/java.base/share/classes/java/security/cert/TrustAnchor.java
@@ -26,6 +26,7 @@
 package java.security.cert;
 
 import org.checkerframework.checker.interning.qual.UsesObjectEquals;
+import org.checkerframework.checker.nullness.qual.Nullable;
 import org.checkerframework.framework.qual.AnnotatedFor;
 
 import java.io.IOException;
@@ -64,7 +65,7 @@
  * @since       1.4
  * @author      Sean Mullan
  */
-@AnnotatedFor({"interning"})
+@AnnotatedFor({"interning", "nullness"})
 public @UsesObjectEquals class TrustAnchor {
 
     private final PublicKey pubKey;
@@ -131,7 +132,7 @@
      * @throws NullPointerException if the specified
      * {@code X509Certificate} is {@code null}
      */
-    public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
+    public TrustAnchor(X509Certificate trustedCert, byte @Nullable [] nameConstraints)
     {
         if (trustedCert == null)
             throw new NullPointerException("the trustedCert parameter must " +
@@ -171,7 +172,7 @@ public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
      * @since 1.5
      */
     public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
-            byte[] nameConstraints) {
+            byte @Nullable [] nameConstraints) {
         if ((caPrincipal == null) || (pubKey == null)) {
             throw new NullPointerException();
         }
@@ -213,7 +214,7 @@ public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
      * @throws NullPointerException if the specified {@code caName} or
      * {@code pubKey} parameter is {@code null}
      */
-    public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
+    public TrustAnchor(String caName, PublicKey pubKey, byte @Nullable [] nameConstraints)
     {
         if (pubKey == null)
             throw new NullPointerException("the pubKey parameter must be " +
@@ -238,7 +239,7 @@ public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
      * @return a trusted {@code X509Certificate} or {@code null}
      * if the trust anchor was not specified as a trusted certificate
      */
-    public final X509Certificate getTrustedCert() {
+    public final @Nullable X509Certificate getTrustedCert() {
         return this.trustedCert;
     }
 
@@ -250,7 +251,7 @@ public final X509Certificate getTrustedCert() {
      * public key and name or X500Principal pair
      * @since 1.5
      */
-    public final X500Principal getCA() {
+    public final @Nullable X500Principal getCA() {
         return this.caPrincipal;
     }
 
@@ -262,7 +263,7 @@ public final X500Principal getCA() {
      * {@code null} if the trust anchor was not specified as a trusted
      * public key and name or X500Principal pair
      */
-    public final String getCAName() {
+    public final @Nullable String getCAName() {
         return this.caName;
     }
 
@@ -273,7 +274,7 @@ public final String getCAName() {
      * if the trust anchor was not specified as a trusted public key and name
      * or X500Principal pair
      */
-    public final PublicKey getCAPublicKey() {
+    public final @Nullable PublicKey getCAPublicKey() {
         return this.pubKey;
     }
 
@@ -318,7 +319,7 @@ private void setNameConstraints(byte[] bytes) {
      *         a NameConstraints extension used for checking name constraints,
      *         or {@code null} if not set.
      */
-    public final byte [] getNameConstraints() {
+    public final byte @Nullable [] getNameConstraints() {
         return ncBytes == null ? null : ncBytes.clone();
     }