Add Nullability to spring-security-crypto

Closes gh-17533

Author: rwinch

crypto/spring-security-crypto.gradle

@@ -1,3 +1,7 @@
+plugins {
+	id 'security-nullability'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

crypto/src/main/java/org/springframework/security/crypto/argon2/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+@NullMarked
+package org.springframework.security.crypto.argon2;
+
+import org.jspecify.annotations.NullMarked;

crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java

@@ -210,9 +210,9 @@ public class BCrypt {
 	static final int MAX_LOG_ROUNDS = 31;
 
 	// Expanded Blowfish key
-	private int P[];
+	private int P[] = new int[0];
 
-	private int S[];
+	private int S[] = new int[0];
 
 	/**
 	 * Encode a byte array using bcrypt's slightly-modified base64 encoding scheme. Note

crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java

@@ -22,6 +22,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.crypto.password.PasswordEncoder;
 
@@ -43,7 +44,7 @@ public class BCryptPasswordEncoder implements PasswordEncoder {
 
 	private final BCryptVersion version;
 
-	private final SecureRandom random;
+	private final @Nullable SecureRandom random;
 
 	public BCryptPasswordEncoder() {
 		this(-1);
@@ -67,15 +68,15 @@ public BCryptPasswordEncoder(BCryptVersion version) {
 	 * @param version the version of bcrypt, can be 2a,2b,2y
 	 * @param random the secure random instance to use
 	 */
-	public BCryptPasswordEncoder(BCryptVersion version, SecureRandom random) {
+	public BCryptPasswordEncoder(BCryptVersion version, @Nullable SecureRandom random) {
 		this(version, -1, random);
 	}
 
 	/**
 	 * @param strength the log rounds to use, between 4 and 31
 	 * @param random the secure random instance to use
 	 */
-	public BCryptPasswordEncoder(int strength, SecureRandom random) {
+	public BCryptPasswordEncoder(int strength, @Nullable SecureRandom random) {
 		this(BCryptVersion.$2A, strength, random);
 	}
 
@@ -92,7 +93,7 @@ public BCryptPasswordEncoder(BCryptVersion version, int strength) {
 	 * @param strength the log rounds to use, between 4 and 31
 	 * @param random the secure random instance to use
 	 */
-	public BCryptPasswordEncoder(BCryptVersion version, int strength, SecureRandom random) {
+	public BCryptPasswordEncoder(BCryptVersion version, int strength, @Nullable SecureRandom random) {
 		if (strength != -1 && (strength < BCrypt.MIN_LOG_ROUNDS || strength > BCrypt.MAX_LOG_ROUNDS)) {
 			throw new IllegalArgumentException("Bad strength");
 		}

crypto/src/main/java/org/springframework/security/crypto/bcrypt/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+@NullMarked
+package org.springframework.security.crypto.bcrypt;
+
+import org.jspecify.annotations.NullMarked;

crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java

@@ -22,6 +22,8 @@
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * UTF-8 Charset encoder/decoder.
  * <p>
@@ -39,7 +41,7 @@ private Utf8() {
 	/**
 	 * Get the bytes of the String in UTF-8 encoded form.
 	 */
-	public static byte[] encode(CharSequence string) {
+	public static byte[] encode(@Nullable CharSequence string) {
 		try {
 			ByteBuffer bytes = CHARSET.newEncoder().encode(CharBuffer.wrap(string));
 			byte[] bytesCopy = new byte[bytes.limit()];

crypto/src/main/java/org/springframework/security/crypto/codec/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Internal codec classes. Only intended for use within the framework.
  */
+@NullMarked
 package org.springframework.security.crypto.codec;
+
+import org.jspecify.annotations.NullMarked;

crypto/src/main/java/org/springframework/security/crypto/encrypt/AesBytesEncryptor.java

@@ -25,6 +25,8 @@
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.crypto.keygen.BytesKeyGenerator;
 import org.springframework.security.crypto.keygen.KeyGenerators;
@@ -81,7 +83,7 @@ public AesBytesEncryptor(String password, CharSequence salt) {
 	 * @param salt the hex-encoded salt value
 	 * @param ivGenerator the generator used to generate the initialization vector
 	 */
-	public AesBytesEncryptor(String password, CharSequence salt, BytesKeyGenerator ivGenerator) {
+	public AesBytesEncryptor(String password, CharSequence salt, @Nullable BytesKeyGenerator ivGenerator) {
 		this(password, salt, ivGenerator, CipherAlgorithm.CBC);
 	}
 
@@ -95,7 +97,8 @@ public AesBytesEncryptor(String password, CharSequence salt, BytesKeyGenerator i
 	 * @param ivGenerator the generator used to generate the initialization vector
 	 * @param alg the {@link CipherAlgorithm} to be used
 	 */
-	public AesBytesEncryptor(String password, CharSequence salt, BytesKeyGenerator ivGenerator, CipherAlgorithm alg) {
+	public AesBytesEncryptor(String password, CharSequence salt, @Nullable BytesKeyGenerator ivGenerator,
+			CipherAlgorithm alg) {
 		this(CipherUtils.newSecretKey("PBKDF2WithHmacSHA1",
 				new PBEKeySpec(password.toCharArray(), Hex.decode(salt), 1024, 256)), ivGenerator, alg);
 	}
@@ -108,7 +111,7 @@ public AesBytesEncryptor(String password, CharSequence salt, BytesKeyGenerator i
 	 * {@link CipherAlgorithm}
 	 * @param alg the {@link CipherAlgorithm} to be used
 	 */
-	public AesBytesEncryptor(SecretKey secretKey, BytesKeyGenerator ivGenerator, CipherAlgorithm alg) {
+	public AesBytesEncryptor(SecretKey secretKey, @Nullable BytesKeyGenerator ivGenerator, CipherAlgorithm alg) {
 		this.secretKey = new SecretKeySpec(secretKey.getEncoded(), "AES");
 		this.alg = alg;
 		this.encryptor = alg.createCipher();

crypto/src/main/java/org/springframework/security/crypto/encrypt/CipherUtils.java

@@ -32,6 +32,8 @@
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.PBEParameterSpec;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Static helper for working with the Cipher API.
  *
@@ -109,7 +111,8 @@ static void initCipher(Cipher cipher, int mode, SecretKey secretKey, byte[] salt
 	/**
 	 * Initializes the Cipher for use.
 	 */
-	static void initCipher(Cipher cipher, int mode, SecretKey secretKey, AlgorithmParameterSpec parameterSpec) {
+	static void initCipher(Cipher cipher, int mode, SecretKey secretKey,
+			@Nullable AlgorithmParameterSpec parameterSpec) {
 		try {
 			if (parameterSpec != null) {
 				cipher.init(mode, secretKey, parameterSpec);

crypto/src/main/java/org/springframework/security/crypto/encrypt/KeyStoreKeyFactory.java

@@ -25,6 +25,8 @@
 import java.security.interfaces.RSAPrivateCrtKey;
 import java.security.spec.RSAPublicKeySpec;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.io.Resource;
 import org.springframework.util.StringUtils;
 
@@ -39,7 +41,7 @@ public class KeyStoreKeyFactory {
 
 	private final char[] password;
 
-	private KeyStore store;
+	private @Nullable KeyStore store;
 
 	private final Object lock = new Object();