Merchants using our webhooks and working PHP do have some alternative options for decrypting the webhook payload without using LIBSODIUM.
The reason we provide LIBSODIUM example is because PHP5 does not support openssl integration very well, so merchants cannot use more secure solutions. There are a couple of other ways, in case merchants can avoid using LIBSODIUM.
- If you are using PHP7.1+, then you can directly use openssl with more parameters, which allows you to use aes-256-gcm. Note that it will not work in case you still use PHP5.
When you use PHP frameworks, some of them provide their own implementation or wrapper for openssl. For example,
Phalcon: https://docs.phalconphp.com/ar/3.2/api/Phalcon_Crypt
CakePHP: https://api.cakephp.org/2.8/class-Security.html
There are also some user libraries that provide example code but we cannot guarantee these solutions
https://github.com/Spomky-Labs/php-aes-gcm
For merchants with PHP5 - you can consider the following user library:
https://github.com/rootindex/module-peach-aes