IBM · jasonkatonica · Jan 12, 2026
diff --git a/checkstyle.xml b/checkstyle.xml
@@ -2,7 +2,7 @@
 <!--
 ###############################################################################
 #
-# Copyright IBM Corp. 2023
+# Copyright IBM Corp. 2023, 2026
 #
 # This code is free software; you can redistribute it and/or modify it
 # under the terms provided by IBM in the LICENSE file that accompanied
@@ -41,5 +41,8 @@
         <module name="UnusedImports"/>
         <module name="UnusedLocalVariable"/>
         <module name="WhitespaceAfter"/>
+        <module name="WhitespaceAround">
+          <property name="allowEmptyConstructors" value="true"/>
+        </module>
     </module>
 </module>
diff --git a/src/main/java/com/ibm/crypto/plus/provider/AESCCMCipher.java b/src/main/java/com/ibm/crypto/plus/provider/AESCCMCipher.java
@@ -770,7 +770,7 @@ protected int engineUpdate(ByteBuffer input, ByteBuffer output) throws ShortBuff
     }
 
     private Runnable cleanOCKResources(byte[] Key, OCKContext ockContext) {
-        return() -> {
+        return () -> {
             try {
                 if (ockContext != null) {
                     CCMCipher.doCCM_cleanup(ockContext);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/AESGCMCipher.java b/src/main/java/com/ibm/crypto/plus/provider/AESGCMCipher.java
@@ -1445,7 +1445,7 @@ private void resetVars(boolean afterFailure) {
     }
 
     private Runnable cleanOCKResources(PrimitiveWrapper.ByteArray Key) {
-        return() -> {
+        return () -> {
             try {
                 //JS00684 - Leave cleanup of internal variables to GCMCipher that caches them
                 if (Key.getValue() != null) {

diff --git a/src/main/java/com/ibm/crypto/plus/provider/AESKey.java b/src/main/java/com/ibm/crypto/plus/provider/AESKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2025
+ * Copyright IBM Corp. 2023, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -157,12 +157,12 @@ private void checkDestroyed() {
     }
 
     private Runnable cleanOCKResources(byte[] key) {
-        return() -> {
+        return () -> {
             try {
                 if (key != null) {
                     Arrays.fill(key, (byte) 0x00);
                 }
-            } catch (Exception e){
+            } catch (Exception e) {
                 if (OpenJCEPlusProvider.getDebug() != null) {
                     OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
                     e.printStackTrace();

diff --git a/src/main/java/com/ibm/crypto/plus/provider/AESKeyWrapCipher.java b/src/main/java/com/ibm/crypto/plus/provider/AESKeyWrapCipher.java
@@ -187,7 +187,7 @@ protected int engineGetOutputSize(int inputLen) {
         } else {
             result = Math.addExact(inputLen, 16);
         }
-        return (result < 0? 0:result);
+        return (result < 0 ? 0 : result);
     }
 
     @Override

diff --git a/src/main/java/com/ibm/crypto/plus/provider/ChaCha20Key.java b/src/main/java/com/ibm/crypto/plus/provider/ChaCha20Key.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2025
+ * Copyright IBM Corp. 2023, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -160,12 +160,12 @@ private void checkDestroyed() {
     }
 
     private Runnable cleanOCKResources(byte[] key) {
-        return() -> {
+        return () -> {
             try {
                 if (key != null) {
                     Arrays.fill(key, (byte) 0x00);
                 }
-            } catch (Exception e){
+            } catch (Exception e) {
                 if (OpenJCEPlusProvider.getDebug() != null) {
                     OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
                     e.printStackTrace();

diff --git a/src/main/java/com/ibm/crypto/plus/provider/DESedeKey.java b/src/main/java/com/ibm/crypto/plus/provider/DESedeKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2025
+ * Copyright IBM Corp. 2023, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -161,12 +161,12 @@ private void checkDestroyed() {
     }
 
     private Runnable cleanOCKResources(byte[] key) {
-        return() -> {
+        return () -> {
             try {
                 if (key != null) {
                     Arrays.fill(key, (byte) 0x00);
                 }
-            } catch (Exception e){
+            } catch (Exception e) {
                 if (OpenJCEPlusProvider.getDebug() != null) {
                     OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
                     e.printStackTrace();

diff --git a/src/main/java/com/ibm/crypto/plus/provider/ECDSASignature.java b/src/main/java/com/ibm/crypto/plus/provider/ECDSASignature.java
@@ -130,7 +130,7 @@ protected void engineSetParameter(AlgorithmParameterSpec params)
         }
         if (params instanceof ECParameterSpec) {
             ECParameterSpec ecparams = (ECParameterSpec) params;
-            java.security.interfaces.ECKey key = (this.privateKey == null? this.publicKey : this.privateKey);
+            java.security.interfaces.ECKey key = (this.privateKey == null ? this.publicKey : this.privateKey);
             if ((key != null) && !ECUtil.equals(ecparams, key.getParams())) {
                 throw new InvalidAlgorithmParameterException(
                         "Signature params does not match key params");

diff --git a/src/main/java/com/ibm/crypto/plus/provider/MessageDigest.java b/src/main/java/com/ibm/crypto/plus/provider/MessageDigest.java
@@ -38,7 +38,7 @@ protected void engineUpdate(byte[] input, int offset, int length) {
             throw new IllegalArgumentException("No input buffer given");
         }
         if ((offset < 0) || (length < 0) || (offset > input.length - length)) {
-            throw new ArrayIndexOutOfBoundsException("Range out of bounds for buffer of length " + input.length +" using offset: " + offset + ", input length: " + length);
+            throw new ArrayIndexOutOfBoundsException("Range out of bounds for buffer of length " + input.length + " using offset: " + offset + ", input length: " + length);
         }
         try {
             this.digest.update(input, offset, length);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/OpenJCEPlusProvider.java b/src/main/java/com/ibm/crypto/plus/provider/OpenJCEPlusProvider.java
@@ -56,7 +56,7 @@ public abstract class OpenJCEPlusProvider extends java.security.Provider {
         super(name, PROVIDER_VER, info);
 
         numCleaners = Integer.getInteger("openjceplus.cleaners.num", DEFAULT_NUM_CLEANERS);
-        if (numCleaners < 1){
+        if (numCleaners < 1) {
             throw new IllegalArgumentException(numCleaners + " is an invalid number of cleaner threads, must be at least 1.");
         }
 

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PBEKey.java b/src/main/java/com/ibm/crypto/plus/provider/PBEKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2025
+ * Copyright IBM Corp. 2025, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -84,7 +84,7 @@ public int hashCode() {
             for (int i = 1; i < this.key.length; i++) {
                 retval += this.key[i] * i;
             }
-            return(retval ^ getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode());
+            return (retval ^ getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode());
         } finally {
             // prevent this from being cleaned for the above block
             Reference.reachabilityFence(this);
@@ -182,12 +182,12 @@ private Object writeReplace() throws java.io.ObjectStreamException {
 
 
     private Runnable cleanOCKResources(byte[] key) {
-        return() -> {
+        return () -> {
             try {
                 if (key != null) {
                     Arrays.fill(key, (byte) 0x00);
                 }
-            } catch (Exception e){
+            } catch (Exception e) {
                 if (OpenJCEPlusProvider.getDebug() != null) {
                     OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
                     e.printStackTrace();

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PBEKeyFactory.java b/src/main/java/com/ibm/crypto/plus/provider/PBEKeyFactory.java
@@ -165,7 +165,7 @@ protected KeySpec engineGetKeySpec(SecretKey key, Class<?> keySpecCl)
             if ((keySpecCl != null) && keySpecCl.isAssignableFrom(PBEKeySpec.class)) {
                 byte[] passwdBytes = key.getEncoded();
                 char[] passwdChars = new char[passwdBytes.length];
-                for (int i=0; i < passwdChars.length; i++)
+                for (int i = 0; i < passwdChars.length; i++)
                     passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
                 PBEKeySpec ret = new PBEKeySpec(passwdChars);
                 // password char[] was cloned in PBEKeySpec constructor,

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PBES1Core.java b/src/main/java/com/ibm/crypto/plus/provider/PBES1Core.java
@@ -176,7 +176,7 @@ protected void engineInit(int opmode, Key key,
         byte[] keySalt = null;
         int keyIterationCount = 0;
         if (key instanceof javax.crypto.interfaces.PBEKey) {
-            javax.crypto.interfaces.PBEKey pkey= (javax.crypto.interfaces.PBEKey) key;
+            javax.crypto.interfaces.PBEKey pkey = (javax.crypto.interfaces.PBEKey) key;
             keySalt = pkey.getSalt();
             keyIterationCount = pkey.getIterationCount();
         }
@@ -241,10 +241,10 @@ private byte[] passwordBigEndian(byte[] password) {
         }
 
         byte[] pass = new byte[(password.length * 2) + 2];
-        for (int i = 0, j = 0; i < password.length; i++, j+=2) {
+        for (int i = 0, j = 0; i < password.length; i++, j += 2) {
             char passwordChar = (char) (password[i] & 0x7f);
             pass[j] = (byte) ((passwordChar >>> 8) & 0xFF);
-            pass[j+1] = (byte) (passwordChar & 0xFF);
+            pass[j + 1] = (byte) (passwordChar & 0xFF);
         }
 
         return pass;

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PBES2Core.java b/src/main/java/com/ibm/crypto/plus/provider/PBES2Core.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2025
+ * Copyright IBM Corp. 2025, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -51,7 +51,7 @@ abstract class PBES2Core extends CipherSpi {
         if (cipherAlgo.equalsIgnoreCase("AES")) {
             cipher = new AESCipher(provider);
 
-            switch(kdfAlgo.toLowerCase()) {
+            switch (kdfAlgo.toLowerCase()) {
                 case "hmacsha1":
                     kdf = new PBKDF2Core.HmacSHA1(provider);
                     break;

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PBKDF2KeyImpl.java b/src/main/java/com/ibm/crypto/plus/provider/PBKDF2KeyImpl.java
@@ -178,7 +178,7 @@ public int hashCode() {
         for (int i = 1; i < this.key.length; i++) {
             retval += this.key[i] * i;
         }
-        return(retval ^= getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode());
+        return (retval ^= getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode());
     }
 
     public boolean equals(Object obj) {
@@ -239,8 +239,8 @@ private void readObject(ObjectInputStream stream) throws IOException, ClassNotFo
         throw new InvalidObjectException("PBKDF2KeyImpl keys are not directly deserializable");
     }
 
-    private Runnable cleanOCKResources(byte[] key, char[] passwd, byte[] salt){
-        return() -> {
+    private Runnable cleanOCKResources(byte[] key, char[] passwd, byte[] salt) {
+        return () -> {
             try {
                 if (key != null) {
                     java.util.Arrays.fill(key, (byte) 0x00);
@@ -251,7 +251,7 @@ private Runnable cleanOCKResources(byte[] key, char[] passwd, byte[] salt){
                 if (salt != null) {
                     java.util.Arrays.fill(salt, (byte) 0x00);
                 }
-            } catch (Exception e){
+            } catch (Exception e) {
                 if (OpenJCEPlusProvider.getDebug() != null) {
                     OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
                     e.printStackTrace();

diff --git a/src/main/java/com/ibm/crypto/plus/provider/PrimitiveWrapper.java b/src/main/java/com/ibm/crypto/plus/provider/PrimitiveWrapper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2025
+ * Copyright IBM Corp. 2025. 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -29,7 +29,7 @@ public Long(long value) {
             this.value = value;
         }
 
-        public long getValue(){
+        public long getValue() {
             return this.value;
         }
 
@@ -45,7 +45,7 @@ public Bool(boolean value) {
             this.value = value;
         }
 
-        public boolean getValue(){
+        public boolean getValue() {
             return this.value;
         }
 
@@ -61,7 +61,7 @@ public ByteArray(byte[] value) {
             this.value = value;
         }
 
-        public byte[] getValue(){
+        public byte[] getValue() {
             return this.value;
         }
 

diff --git a/src/main/java/com/ibm/crypto/plus/provider/RSAKeyFactory.java b/src/main/java/com/ibm/crypto/plus/provider/RSAKeyFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2026
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -126,7 +126,7 @@ static void checkKeyLengths(int modulusLen, BigInteger exponent, int minModulusL
         if ((specificModulesLen != null) && (!specificModulesLen.contains(modulusLen))) {
             if (flag.equals("verify")) {
                 throw new InvalidKeyException("In FIPS mode, only 1024, 2048, 3072, or 4096 size of RSA key is accepted.");
-            } else if (flag.equals("sign")){
+            } else if (flag.equals("sign")) {
                 throw new InvalidKeyException("In FIPS mode, only 2048, 3072, or 4096 size of RSA key is accepted.");
             }
         }

diff --git a/src/main/java/com/ibm/crypto/plus/provider/base/AESKeyWrap.java b/src/main/java/com/ibm/crypto/plus/provider/base/AESKeyWrap.java
@@ -35,7 +35,7 @@ public byte[] wrap(byte[] data, int start, int length) throws OCKException {
 
         int type = 1; //wrap
         if (padding) {
-            type = type|4; // add padding
+            type = type | 4; // add padding
         }
 
         try {
@@ -64,7 +64,7 @@ public byte[] unwrap(byte[] data, int start, int length) throws OCKException {
         try {
             output = NativeInterface.CIPHER_KeyWraporUnwrap(this.ockContext.getId(), inData, this.key, type);
         } catch (Exception e) {
-            throw new OCKException("Failed to unwrap data"+ e.getMessage());
+            throw new OCKException("Failed to unwrap data" + e.getMessage());
         }  finally {
             //Clear inData
             Arrays.fill(inData, (byte) 0);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/base/ECKey.java b/src/main/java/com/ibm/crypto/plus/provider/base/ECKey.java
@@ -131,7 +131,7 @@ public static ECKey generateKeyPair(OCKContext ockContext, int size, SecureRando
         long ecKeyId;
         try {
             ecKeyId = NativeInterface.ECKEY_generate(ockContext.getId(), size);
-        } catch (OCKException oe){
+        } catch (OCKException oe) {
             if (oe.getMessage().contains("Incorrect key size") && allowIncorrectKeysizes) {
                 // If the flag is set and an incorrect key size was provided, default to 256.
                 ecKeyId = NativeInterface.ECKEY_generate(ockContext.getId(), 256);
@@ -509,7 +509,7 @@ protected static boolean validId(long id) {
     }
 
     private Runnable cleanOCKResources(byte[] privateKeyBytes, long ecKeyId, PrimitiveWrapper.Long pkeyId, OCKContext ockContext) {
-        return() -> {
+        return () -> {
             try {
                 if ((privateKeyBytes != null) && (privateKeyBytes != unobtainedKeyBytes)) {
                     Arrays.fill(privateKeyBytes, (byte) 0x00);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/base/ExtendedRandom.java b/src/main/java/com/ibm/crypto/plus/provider/base/ExtendedRandom.java
@@ -62,7 +62,7 @@ public synchronized void setSeed(byte[] seed) throws OCKException {
     }
 
     private Runnable cleanOCKResources(long ockPRNGContextId, OCKContext ockContext) {
-        return() -> {
+        return () -> {
             try {
                 if (ockPRNGContextId != 0) {
                     NativeInterface.EXTRAND_delete(ockContext.getId(), ockPRNGContextId);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/base/GCMCipher.java b/src/main/java/com/ibm/crypto/plus/provider/base/GCMCipher.java
@@ -77,18 +77,18 @@ protected FastJNIBuffer initialValue() {
     // each key size needs different cache since a GCM context initialized with a 16B key
     // cannot be used for any other key size without destroying it
     // Same story for FIPS mode contexts
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE16 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE24 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE32 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE16FIPS = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE24FIPS = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE32FIPS = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD16 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD24 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD32 = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD16FIPS = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD24FIPS = new ThreadLocal<GCMContextPointer>() {};
-    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD32FIPS = new ThreadLocal<GCMContextPointer>() {};
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE16 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE24 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE32 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE16FIPS = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE24FIPS = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferE32FIPS = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD16 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD24 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD32 = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD16FIPS = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD24FIPS = new ThreadLocal<GCMContextPointer>();
+    private static final ThreadLocal<GCMContextPointer> gcmContextBufferD32FIPS = new ThreadLocal<GCMContextPointer>();
     private static final boolean useJavaTLS = true;
 
     private static final Map<Integer, String> ErrorCodes;
@@ -1067,8 +1067,8 @@ long getCtx() {
             return gcmCtx;
         }
 
-        private Runnable cleanOCKResources(long gcmCtx, long ockContext){
-            return() -> {
+        private Runnable cleanOCKResources(long gcmCtx, long ockContext) {
+            return () -> {
                 try {
                     if (gcmCtx != 0) {
                         NativeInterface.free_GCM_ctx(ockContext, gcmCtx);

diff --git a/src/main/java/com/ibm/crypto/plus/provider/base/HKDF.java b/src/main/java/com/ibm/crypto/plus/provider/base/HKDF.java
@@ -121,7 +121,7 @@ protected static boolean validId(long id) {
     }
 
     private Runnable cleanOCKResources(long hkdfId, byte[] reinitKey, OCKContext ockContext) {
-        return() -> {
+        return () -> {
             try {
                 if (hkdfId != 0) {
                     NativeInterface.HKDF_delete(ockContext.getId(), hkdfId);