Merge pull request #1353 from Sephster/fix-iss-1351

Remove Key Leak

Author: Sephster

CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [8.5.3] - released 2023-07-06
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid 
+passphrase, the LogicException message generated will expose the given key. 
+The key is no longer leaked via this exception (PR #1353)
+
 ## [8.5.2] - released 2023-06-16
 ### Changed
 - Bumped the versions for laminas/diactoros and psr/http-message to support 

src/CryptKey.php

@@ -64,7 +64,7 @@ public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck =
                 throw new LogicException('Unable to read key from file ' . $keyPath);
             }
         } else {
-            throw new LogicException('Unable to read key from file ' . $keyPath);
+            throw new LogicException('Invalid key supplied');
         }
 
         if ($keyPermissionsCheck === true) {

tests/Utils/CryptKeyTest.php

@@ -55,7 +55,7 @@ public function testKeyString()
     public function testUnsupportedKeyType()
     {
         $this->expectException(\LogicException::class);
-        $this->expectExceptionMessage('Unable to read key');
+        $this->expectExceptionMessage('Invalid key supplied');
 
         try {
             // Create the keypair