tecnofit/auric-vault

Simple PHP SDK used to store sensitive data using the AuricVault PCI/HIPAA compliant encryption service.

1.0.0 2019-12-16 21:21 UTC

Last update: 2022-08-21 18:19:46 UTC


README

The AuricVault® tokenization service is a PCI and HIPAA compliant data storage service that associates tokens with secure encrypted data. The encrypted data can be stored, retrieved, updated, and deleted.

Vault-Managed Encryption Methods

These methods allow the service to handle all the encryption and key management requirements.

  • encrypt
  • reencrypt
  • decrypt
  • delete-token
  • token-info
  • touch-token

Install

composer require tecnofit/auric-vault

Credentials

To make requests to AuricVault you must configure the access credentials, either for the production environment or for the sandbox:

<?php
// We consider that there is already a registered PSR-4 compatible autoloader

use Tecnofit\AuricVault\Credentials;
use Tecnofit\AuricVault\Environments\Sandbox;
use Tecnofit\AuricVault\Hmacs\Sha512;

/* Production environment: */
$credentials = new Credentials('CONFIGURATION', 'MTID', new Sha512('SECRET_KEY'));

/* Sandbox environment: */
$credentials = new Credentials('CONFIGURATION', 'MTID', new Sha512('SECRET_KEY'), new Sandbox());

Encrypt

Encrypt a plaintext value and return a generated token. The generated token is stored in the vault. The last4 parameter is optional.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Encrypt\EncryptService;
use Tecnofit\AuricVault\Retention;

try {
    $encryptService = new EncryptService($credentials);
    $requestEncrypt = $encryptService->createEncryptBuilder()
        ->setId(1)
        ->setSegment('543')
        ->setRetention(Retention::BIG_YEAR) // Or Retention::FOREVER
        ->setLast4('1111') // The last4 parameter is optional.
        ->setPlaintextValue('4111111111111111');

    $response = $encryptService->send($requestEncrypt);
    var_dump($response->getToken()); // "Jyhj3GfKZv0F7Vb1111"

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}
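As an added example (not part of the SDK's README or code), a helper built on the Encrypt call above that tokenizes a card number, keeps only the token and the last four digits in the application, and reports failures without copying the card number into the error. The function name `tokenizeCard` is hypothetical; `$credentials`, segment `'543'` and the SDK classes are as shown above, and `getResponse()` is assumed to return a PSR-7 response (which the `getBody()->getContents()` calls above imply).

```php
<?php
// Added example, not part of the SDK. Assumes a PSR-4 autoloader and $credentials as configured above.

use Tecnofit\AuricVault\Exceptions\BadRequestException;
use Tecnofit\AuricVault\Exceptions\ClientException;
use Tecnofit\AuricVault\Requests\Encrypt\EncryptService;
use Tecnofit\AuricVault\Retention;

/**
 * Tokenize a card number so that the application keeps only the token
 * and the last four digits; the full number is held by the vault.
 *
 * @return array{token: string, last4: string}
 * @throws \RuntimeException when the vault call fails; the message never contains the card number
 */
function tokenizeCard(EncryptService $encryptService, int $recordId, string $pan): array
{
    // Strip separators and sanity-check the length before anything leaves the process.
    $digits = (string) preg_replace('/\D+/', '', $pan);
    $length = strlen($digits);
    if ($length < 12 || $length > 19) {
        throw new \InvalidArgumentException('Card number must be 12 to 19 digits.');
    }
    $last4 = substr($digits, -4);

    $request = $encryptService->createEncryptBuilder()
        ->setId($recordId)
        ->setSegment('543')
        ->setRetention(Retention::BIG_YEAR)
        ->setLast4($last4)          // kept in the clear so receipts can show "ending in" without a decrypt call
        ->setPlaintextValue($digits);

    try {
        $token = $encryptService->send($request)->getToken();
    } catch (ClientException $e) {
        // Report the HTTP status only (getResponse() assumed PSR-7); the raw body is not
        // copied into logs next to the request context that carried the card number.
        throw new \RuntimeException(
            'Vault rejected the encrypt request (HTTP ' . $e->getResponse()->getStatusCode() . ')', 0, $e
        );
    } catch (BadRequestException $e) {
        throw new \RuntimeException('Encrypt request was malformed: ' . $e->getMessage(), 0, $e);
    }

    return ['token' => $token, 'last4' => $last4];
}

$card = tokenizeCard(new EncryptService($credentials), 1, '4111 1111 1111 1111');
echo 'Stored token ', $card['token'], ' for card ending in ', $card['last4'], PHP_EOL;
```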

Encrypt (with existing token)

Encrypt a plaintext value and store it using the passed-in token identifier. This allows you to migrate tokens you already have to the AuricVault® service and maintain the same token identifier in your databases.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Encrypt\EncryptService;
use Tecnofit\AuricVault\Retention;

try {
    $encryptService = new EncryptService($credentials);
    $requestEncrypt = $encryptService->createEncryptBuilder()
        ->setId(1)
        ->setSegment('543')
        ->setRetention(Retention::BIG_YEAR) // Or Retention::FOREVER
        ->setPlaintextValue('4111111111111111')
        ->setToken('SBLIQRPSCBNYQRBFYMH');

    $response = $encryptService->send($requestEncrypt);
    var_dump($response->getToken()); // "SBLIQRPSCBNYQRBFYMH"

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}

Reencrypt

Submit new plaintext data to be encrypted for an existing token.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Reencrypt\ReencryptService;
use Tecnofit\AuricVault\Retention;

try {
    $reencryptService = new ReencryptService($credentials);
    $requestReencrypt = $reencryptService->createReencryptBuilder()
        ->setId(1)
        ->setSegment('543')
        ->setRetention(Retention::BIG_YEAR) // Or Retention::FOREVER
        ->setPlaintextValue('4111111111111111')
        ->setToken('JVY1hlZ9qQ0UsJf1111');

    $response = $reencryptService->send($requestReencrypt);
    var_dump($response); // Returns a \Tecnofit\AuricVault\Requests\Reencrypt\ReencryptResponse object

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}

Decrypt

Retrieve the decrypted plaintext.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Decrypt\DecryptService;

try {
    $decryptService = new DecryptService($credentials);
    $requestDecrypt = $decryptService->createDecryptBuilder()
        ->setToken('DAiO2uurxd0GllMrld!');

    $response = $decryptService->send($requestDecrypt);
    var_dump($response->getPlaintextValue()); // Sample Unicode: Héllø World!

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}

Delete Token

Delete previously-stored tokens.

The service returns the same message for a token that does not exist and for a token that exists but that you do not have permission to access. This ensures that a third party without access to the data cannot learn whether the token exists.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Delete\DeleteService;

try {
    $deleteService = new DeleteService($credentials);
    $requestDelete = $deleteService->createDeleteBuilder()
        ->setToken('e7c469cf-45fa-4d29-9b36-054cabe40e67');

    $response = $deleteService->send($requestDelete);
    var_dump($response); // Returns a \Tecnofit\AuricVault\Requests\Delete\DeleteResponse object

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}

Token Info

Retrieve information about a token. Useful for finding out if a token exists in the system without needing to retrieve the actual data.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Info\InfoService;

try {
    $infoService = new InfoService($credentials);
    $requestInfo = $infoService->createInfoBuilder()
        ->setToken('Uvsr6MLnPb0G5E7rypt');

    $response = $infoService->send($requestInfo);

    echo $response->getVersion(); // 2.1
    echo $response->getElapsedTime(); // 0.0059
    var_dump($response->getLastAccessedDate()); // \DateTimeInterface
    var_dump($response->getTokenCreatedDate()); // \DateTimeInterface
    echo $response->getRetention(); // big-year
    echo $response->getSegment(); // 543
    var_dump($response->isTokenExists()); // true
    var_dump($response->isVaultEncrypted()); // true

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}

Touch Token

The touch_token method is similar to the token_info method except that it does update the token’s last-accessed timestamp (token_info leaves it unchanged). Use it to reset the start of the retention period to the current date/time.

<?php
// We consider that a PSR-4 compatible autoloader already exists and the credentials have been set to $credentials

use Tecnofit\AuricVault\Requests\Touch\TouchService;

try {
    $touchService = new TouchService($credentials);
    $requestTouch = $touchService->createTouchBuilder()
        ->setToken('e5f8ab2a-c8b5-4ab8-acbd-d2501a30b617');

    $response = $touchService->send($requestTouch);

    echo $response->getVersion(); // 2.1
    echo $response->getElapsedTime(); // 0.0059
    var_dump($response->getLastAccessedDate()); // \DateTimeInterface
    var_dump($response->getTokenCreatedDate()); // \DateTimeInterface
    echo $response->getRetention(); // big-year
    echo $response->getSegment(); // 543
    var_dump($response->isTokenExists()); // true
    var_dump($response->isVaultEncrypted()); // true

} catch (\Tecnofit\AuricVault\Exceptions\ClientException $e) {
    var_dump($e->getResponse()->getBody()->getContents());

} catch (\Tecnofit\AuricVault\Exceptions\BadRequestException $e) {
    var_dump($e->getMessage());
}
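An added example (not from the SDK's README or code) that combines the Token Info and Touch Token calls above: it reads a token's last-accessed date with InfoService and only sends a touch when the token exists and has been idle for longer than a caller-supplied window, so retention is extended deliberately rather than on every read. The function name `refreshRetentionIfStale` and the 30-day threshold are assumptions; `$credentials`, the token and the SDK classes are as shown above, and `getResponse()` is assumed to be a PSR-7 response.

```php
<?php
// Added example, not part of the SDK. Assumes a PSR-4 autoloader and $credentials as configured above.

use Tecnofit\AuricVault\Exceptions\BadRequestException;
use Tecnofit\AuricVault\Exceptions\ClientException;
use Tecnofit\AuricVault\Requests\Info\InfoService;
use Tecnofit\AuricVault\Requests\Touch\TouchService;

/**
 * Reset a token's retention clock only when it has been idle for at least $maxIdle.
 * Returns true if a touch was sent, false if the token was accessed recently,
 * and null if the token does not exist.
 */
function refreshRetentionIfStale(InfoService $infoService, TouchService $touchService, string $token, \DateInterval $maxIdle): ?bool
{
    $now = new \DateTimeImmutable('now', new \DateTimeZone('UTC'));

    // token-info leaves the last-accessed timestamp unchanged, so polling it has no side effect.
    $info = $infoService->send($infoService->createInfoBuilder()->setToken($token));
    if (!$info->isTokenExists()) {
        return null;
    }

    // DateTimeInterface objects compare chronologically with the usual operators.
    $staleBefore = $now->sub($maxIdle);
    if ($info->getLastAccessedDate() > $staleBefore) {
        return false; // accessed recently; nothing to do
    }

    // touch-token moves the start of the retention period to the current date/time.
    $touchService->send($touchService->createTouchBuilder()->setToken($token));
    return true;
}

try {
    $touched = refreshRetentionIfStale(
        new InfoService($credentials),
        new TouchService($credentials),
        'Uvsr6MLnPb0G5E7rypt',
        new \DateInterval('P30D') // 30 idle days: a threshold chosen for this example
    );
    echo $touched === null ? 'token not found' : ($touched ? 'retention reset' : 'token still fresh'), PHP_EOL;
} catch (ClientException $e) {
    echo 'Vault error: HTTP ', $e->getResponse()->getStatusCode(), PHP_EOL;
} catch (BadRequestException $e) {
    echo 'Bad request: ', $e->getMessage(), PHP_EOL;
}
```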

License

The MIT License (MIT). Please see License File for more information.