topic SHA-512 in Perl in Integration and Testing

SHA-512 in Perl

smorrow123 — Wed, 16 Jan 2019 19:07:17 GMT

Our authorize.net processing is done in some OLD perl cgi code - any perl programmers out there?

We are trying to convert to the SHA-512 hashing. Our current processing uses MD5, via the perl module Digest::MD5.

I use LWP::UserAgent to POST directly to the secure.authorize.net gateway transact dll URL.

What I get returned is an array of values. The MD5 hash is currently in the 38th array element. Authorize.net has been unable to tell me where I can find the returned SHA-512 hash value to compare to what I am generating in the program.

For my test:

I changed it to use Digest::SHA for the hashing. I generated the signature key and have it stored in hex in our database.

my $sha512_string = '^' . $auth_net_login_id . '^' . $tranid . '^' . $grandtotal . '^';

my $key = pack 'H*', $sig_key; ##to convert the store hex value to binary - as recommended here

my $sha512 = Digest::SHA->new;
my $sent_sha512_hash = $sha512->hmac_sha512($sha512_string, $key);

When I display that value, it just shows a bunch of weird characters on the screen - I don't know if that's expected or not. I am only displaying it to compare to what comes from authorize.net.

When the values are returned from Authorize.net (in the array), I display all the elements. There is a value in element 68 that looks like a hex value but that isn't what is in the hash that I generated.

So, isn't the hash returned from Authorize.net in the array? If not, then how do I obtain it using the methods we currently have in place? I don't consider this as using the API. Or is the problem that I am hashing it wrong on my end?

I obtained the perl code for our current processing via Authorize.net MANY years ago from one of their perl customers. It has worked fine ever since. I do not have the knowledge, experience or brain power to change the whole process, unless someone could provide all the perl code (I know that's asking a lot). I also have a general knowlege of php but unfortunately the examples on this forum are too different from our perl process to be able to correlate the two.

I hope someone can help! Thanks in advance!

Re: SHA-512 in Perl

Renaissance — Thu, 17 Jan 2019 02:12:23 GMT

What product do you use? Sorry, not familiar with LWP. If you use DPM you need to use a different string. I just posted some code that may work. In regards to those strange characters that is most likely due to your hash function outputting raw binary. For that, try putting ($sha512_string, $key,false) and see what happens. The output of your hash should be a series of plan English letters and numbers.

I do not know a thing about Perl but it’s worth a try. For finding out where the sha512 is at in your array, does Perl have a function where you can loop through it and output the keys? Again just something to try.

Re: SHA-512 in Perl

tmnejp — Thu, 17 Jan 2019 11:17:52 GMT

@smorrow123 The bunch of weird characters in the key are expected, you've taken a string of hex characters (ex. A4F1...etc) and packed their binary values in a variable. When perl tries to inerpret these as a string it results in "random" characters.

The solution to your problem is probably needing $sha512_string to be the 30 value thing described here:

https://community.developer.authorize.net/t5/Integration-and-Testing/Upgrading-MD5-to-new-hash-SIM/m-p/65788/highlight/true#M39403

I used the CGI perl module which allows parameters to be accessed in a named format (like 'x_SHA2_Hash') this might be very difficult to figure out which parameter is which if all you have is an array of values. Using CGI my solution is:

my $QUERY = new CGI; # This would be definied somewhere else
my $x_SHA2_hash = $QUERY->param('x_SHA2_Hash');
my @keys = ( 'x_trans_id', 'x_test_request', 'x_response_code', 
    'x_auth_code', 'x_cvv2_resp_code', 'x_cavv_response',
    'x_avs_code', 'x_method', 'x_account_number', 'x_amount', 'x_company', 
    'x_first_name', 'x_last_name', 'x_address',
    'x_city', 'x_state', 'x_zip', 'x_country', 'x_phone', 'x_fax', 'x_email', 
    'x_ship_to_company', 'x_ship_to_first_name',
    'x_ship_to_last_name', 'x_ship_to_address', 'x_ship_to_city', 
    'x_ship_to_state', 'x_ship_to_zip', 'x_ship_to_country', 'x_invoice_num' );
my $key;
my $plain_text = "^";
foreach $key ( @keys ) {
    $plain_text .= $QUERY->param($key)."^";
}

$key = pack 'H*', $signature_key;
$hash_val = hmac_sha512_hex( $plain_text, $key );

if ( defined($x_SHA2_hash) && $x_SHA2_hash ne '' &&
    lc($hash_val) eq lc($x_SHA2_hash) ) {
    $authorized = 1;
}

Re: SHA-512 in Perl

smorrow123 — Thu, 17 Jan 2019 12:38:43 GMT

Renaissance -

After my first post, I changed the hashing to hex (they don’t tell you that, but the old MD5 hash was done in hex, so I thought this one might be, too), and then had a result which looked more like what I needed it to be. But it still didn’t match what was in the 68th element of the returned array. The way you suggested is exactly what I did in my test. I displayed all the values individually for each array element returned. And that 68th element is the one that looked like it might be a hex hash value. Like I said, Authorize.net can’t tell me how the hashed value is returned or how I access it. So, all I have to go by is visual confirmation. And what’s in the 68th element doesn’t match what is in my hex-hashed value.

I use the LWP perl module to access the AuthorizeNet URL directly. I don’t know what DPM is. You said you “posted some code that may work”. Where is that? I’m a newbie on the forum.

Thanks!

Re: SHA-512 in Perl

smorrow123 — Thu, 17 Jan 2019 12:57:03 GMT

Tmnejp-

I changed my hashing to hex, and that value made a lot more sense, so that’s what I’m working with now.

I don’t understand why Authorize.net specifically said to hash the 3 items along with the sig-key, but you’re saying we need to go with 30 of them. I’m not using SIM - are you? And if not, are you still using this method successfully?

I’m willing to try anything, but now I need to understand what 30 items you’re using. The post you linked to said 30 fields, but the example only had 15. Exactly what fields are those? Are they what you prepared to send TO authorize.net OR are they what authorize.net returned after authorization? It looks like what authorize.net returned but I have more than 30 elements in the returned array! There are some that I specifically use, so I know where they are, but to match what you have here, I’d have to get the other ones defined. I no longer have any documentation for this.

This has me SO aggravated!! Why can’t authorize.net tell us the correct information??

I won’t be able to work on this for a few days - but I’ll monitor responses and give it a try when I can.

Thanks for your help!

Re: SHA-512 in Perl

Renaissance — Thu, 17 Jan 2019 17:21:38 GMT

@smorrow123

The code is in php, but may give you a better idea of what to use in the hash. DPM stands for direct post method. It is an integration that is before my time as I’ve only been a web developer for 2 years and only been programming for a year and a half.

The hashing is done differently depending on what method you used. I posted working code for my method a few days ago, and then it came to my attention that DPM and SIM use a different method, so I pulled those docs and did my best to come up with some code for those folks.

So ignore that first block of code cause it’s not working for you. Use the block of code that is near the end of the thread. I would work on getting your fingerprint working first, and then tackle the verification on your end, because that has the appearance of being a little more complicated.

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/td-p/65774

And if you have a large hexidecimal value in your array, that’s the hash I am pretty sure. This is my new hobby since November for when I’m waiting at restaurants or too tired to do anything else. I know nothing of Perl but I will see what I can do to get you up and running.

Re: SHA-512 in Perl

Renaissance — Thu, 17 Jan 2019 17:27:41 GMT

@smorrow123,

The 3 values on the main webpage are what is used for the recent API integration methods. DPM and SIM are deprecated and I think that’s why their methods are nowhere to be found on the main website, but only in the SIM/DPM guide. Towards the end of the thread I linked I give a summary of how this seems to work. Sounds like you’re using DPM, so your fingerprint will be one thing and if you choose to verify on your end you will have a different string.

Re: SHA-512 in Perl

smorrow123 — Fri, 18 Jan 2019 15:54:26 GMT

@Renaissance Is there a way to get a copy of the SIM/DPM documentation? Does it include information for SHA-512? The old MD5 method only uses 3 fields along with the MD5 hash, and the Authorize.net rep I talked to said it would be very similar to the MD5 implementation.

Won’t be working on this again until next week, but I’d like to get my ducks in a row in the meantime. Thx.

Re: SHA-512 in Perl

Renaissance — Fri, 18 Jan 2019 17:23:59 GMT

Yes sir! https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf

Re: SHA-512 in Perl

ePayGov — Mon, 21 Jan 2019 03:25:25 GMT

Hey,

I use LWP too using Perl and MySQL. You are using DPM which uses the POST METHOD.

An also stuck, nothing worked. I used MySQL SHA2 Function and the HEX AND UNHEX function

to no avail. I have over 100+ counties and municipalities and these governments account resist changes the same way they resist a plague.

Am willing to pay anyone who can help with the code.

Thx

Re: SHA-512 in Perl

Renaissance — Mon, 21 Jan 2019 17:55:56 GMT

Hey my friend. Send me a message if you want some help. I am a php programmer and not well versed in Perl Syntax. However if you know the syntax working together I am confident we can make it work.

Re: SHA-512 in Perl

airman81 — Mon, 21 Jan 2019 19:10:55 GMT

Here is my solution. I'm posting this again. Did not see me first post. Sorry if I didn't post correctly (newbie).

Here are the changes I made when posting to authorize.net:

 #use Digest::HMAC_MD5 qw(hmac_md5_hex);           # commented out
 use Digest::SHA qw(hmac_sha512_hex);              # added this line
 $hmac_data = $x_login."^".$x_fp_sequence."^".$x_fp_timestamp."^".$x_amount."^";   # no change
 ### assigned my new transaction key from authorize.net to $transaction_key here
 $transaction_key = pack("H*", $transaction_key);            # added this line  
 # $x_fp_hash = hmac_md5_hex($hmac_data, $transaction_key);  # commented out MD5 hash
 $x_fp_hash = hmac_sha512_hex($hmac_data,$transaction_key);  # added this line

Processing response from authorize.net:

I Did not change the following method of processing variables:

 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});  ### Note: do not load "use CGI"
 @pairs = split(/&/, $buffer);
 %response=();
 $x=0;
 foreach $pair (@pairs) {
   ($name, $value) = split(/=/, $pair);
   $value =~ tr/+/ /;
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $response{$name}=$value;
 }

Commented out the following old md5 lines below...

 # use Digest::MD5 qw(md5 md5_hex md5_base64);
 # $data = $md5_key.$api_login_id.$response{x_trans_id}.$response{x_amount};
 # $loc_MD5_hash = md5_hex($data);
 # $loc_MD5_hash = uc($loc_MD5_hash);

Added the following...

 use Digest::SHA qw(hmac_sha512_hex);
 # assigned my new transaction key from authorize.net to $transaction_key here
 $keyx = pack("H*", $transaction_key);
 $data=qq~^$response{x_trans_id}^$response{x_test_request}^$response{x_response_code}^$response{x_auth_code}^$response{x_cvv2_resp_code}^$response{x_cavv_response}^$response{x_avs_code}^$response{x_method}^$response{x_account_number}^$response{x_amount}^$response{x_company}^$response{x_first_name}^$response{x_last_name}^$response{x_address}^$response{x_city}^$response{x_state}^$response{x_zip}^$response{x_country}^$response{x_phone}^$response{x_fax}^$response{x_email}^$response{x_ship_to_company}^$response{x_ship_to_first_name}^$response{x_ship_to_last_name}^$response{x_ship_to_address}^$response{x_ship_to_city}^$response{x_ship_to_state}^$response{x_ship_to_zip}^$response{x_ship_to_country}^$response{x_invoice_num}^~;
 $hash = hmac_sha512_hex($data,$transaction_key);
 $hash = uc($hash);

Finished processing as before...

Hope this helps.

Re: SHA-512 in Perl

smorrow123 — Mon, 21 Jan 2019 20:04:27 GMT

@Renaissance

I am just now starting to work on it after taking the weekend off.

I am trying to determine how to access the specific field names/values that are needed for hashing - since the current script accesses them as an array. Since I don't know where all the hashing fields are located within the array, I have to figure out how to access them another way. I'm not sure I have access to them as a params, when using the LWP::UserAgent that's in my script. I'm just not familiar enough with how all of this works, having gotten that code from someone else many moons ago.

But I'm plugging along, playing around with different ways of obtaining the values and just displaying them on the screen to try to figure this out. Right now I'm trying to deal with the dreaded 500 Internal Server error so am investigating in the error log to find out why.

I'll let you know if I need more help. Thanks for checking in!

Re: SHA-512 in Perl

airman81 — Mon, 21 Jan 2019 20:57:34 GMT

@smorrow123

If you want to try it without LWP (using raw processing) try this test script as your "x_relay_response_url" :

Note: You do not need or want to use "use CGI" in the same script with this method

#!/usr/bin/perl

MAIN:
{
 #
 # Read all responses from authorize.net
 #
 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
 @pairs = split(/&/, $buffer);
 %response = ();
 $x = 0;
 foreach $pair (@pairs) {
   ($name, $value) = split(/=/, $pair);
   $value =~ tr/+/ /;
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $response{$name}=$value;
 }
 #
 # create a string of all required variables for the hash
 #
 $data = qq~^$response{x_trans_id}^$response{x_test_request}^$response{x_response_code}^$response{x_auth_code}^$response{x_cvv2_resp_code}^$response{x_cavv_response}^$response{x_avs_code}^$response{x_method}^$response{x_account_number}^$response{x_amount}^$response{x_company}^$response{x_first_name}^$response{x_last_name}^$response{x_address}^$response{x_city}^$response{x_state}^$response{x_zip}^$response{x_country}^$response{x_phone}^$response{x_fax}^$response{x_email}^$response{x_ship_to_company}^$response{x_ship_to_first_name}^$response{x_ship_to_last_name}^$response{x_ship_to_address}^$response{x_ship_to_city}^$response{x_ship_to_state}^$response{x_ship_to_zip}^$response{x_ship_to_country}^$response{x_invoice_num}^~;
 #
 # Display results
 #
 print qq~Content-type: text/html\n\n
<html>$data</html>~;
 exit;
}

Re: SHA-512 in Perl

smorrow123 — Mon, 21 Jan 2019 21:28:08 GMT

Thanks @airman81, but this is a bit greek to me and I AM using CGI in the same script, since it's used for the entire payment process, not just the authorization piece.

I am getting a response back, but can't figure out how to reference the field names and values. Here's the code I have:

my $useragent  = LWP::UserAgent->new( protocols_allowed => ["https"] );
 my $url = $merchant->{Payment_URL};  #secure.authorize.net/gateway/transact.dll

 my $request  = POST( $url, $request_values );  

#request values above is the name/value pairs being sent TO authorize.net


 my $response  = $useragent->request( $request );
 
 my @responses  = split( /\Q|/, $response->content );

if( $response->is_success )
{
  
       $apiresponse = $response->content;  
       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);
   
        }
        # split the words using the pipe character (|) as the delimiter.
       @words = split /\Q|/, $apiresponse;
        $response_code = $words[0];

        #additional processing; check response code, hashing, checking hash, etc.


}

The code (written by someone else) uses the @words array to find the values by element number. The documentation I found says not to do it that way because the order can change. So, I would like to reference them by name "x_trans_id", "x_SHA2_hash", etc. I just don't know HOW to do that. There is no $Query->param to work with. So, the names are probably in $responses or $apiresponses or SOMEWHERE. This is what I can't figure out - where/how do I access the field names and get the values - what syntax do I use?

It's been way too long since I've worked on these scripts!!!

Re: SHA-512 in Perl

Renaissance — Mon, 21 Jan 2019 21:29:20 GMT

@ePayGov,

Shoot me a message if you want help. We can make this work if the code posted thus far isn’t getting you what you need.

@smorrow123sounds like you’re on the case. One way would be to run a test transaction and input the values blatantly. So for instance if your hash uses the company value, type the name of the company in your dummy transaction as “company”, and do the same for the rest of them so that the value of the array item matches the actual value you’re trying to pull and use for your hash. If there was a way to loopt through the array and output the keys, as there is in php that would make life easier. But this is a good workaround if that can’t be done.

Re: SHA-512 in Perl

Renaissance — Mon, 21 Jan 2019 22:06:12 GMT

@smorrow123 the $name,$value may be what you need. I think $name may be the key. But I’m a little lost on what you’re doing. There are 2 separate pieces to this hash. One is the fingerprint and the other is the verification. So on this it looks like you’re doing the verification. When you say that they are in a different order, you mean after you convert to a numeric array? I would imagine that authorize sends them to you in the same order every time.

If you try to print $name inside that loop, or however it is in Perl that you output array items in a browser that may be just what you are looking for.

Re: SHA-512 in Perl

airman81 — Mon, 21 Jan 2019 22:17:13 GMT

@smorrow123

If your just running test payments consider the following.

A way to debug is to insert the follwoing code and have the script just exit/abort while at the same time showing the results of what is assigned to $debug.

print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;

After you place the above code into a test location of your choice just run a test payment and see what prints out.

example1:

       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);
$debug.="$name = $val<br>"; ### See what each name=val is
        }
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;
        # split the words using the pipe character (|) as the delimiter.

example2:

       @words = split /\Q|/, $apiresponse;
        $response_code = $words[0];

foreach (@words) { $debug.= "$_<br>"; } ### See what is in @words
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;

example3:

       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);

              $namedresponses{$name}=$val; ### Place values into a hash which you can reference by name
        }
while (($k,$d) = each(%namedresponses)) { $debug.="$k = $d<br>"; }
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;
        # split the words using the pipe character (|) as the delimiter.

Re: SHA-512 in Perl

smorrow123 — Mon, 21 Jan 2019 22:22:27 GMT

I think the name, value is what I need, too, but the code that's there doesn't even USE those fields! I have no idea what it's doing. And it's splitting the individual pairs by using the pipe character rather than the equals. Should I expect an equals sign? I think the name/value pairs are separated by pipes but within each pair is there an equals sign that I should be splitting on?

All I'm doing at this point (I'm not even AT the point of creating the hash to compare to the one they're sending) is trying to figure out how I can access the individual values that have been returned by specific name. The existing code is just pulling out the values, and turning them into an array, then certain fields used later are extracted based on array element number. But the instructions for creating this hash says that they have to be in this specific order to generate the hash. I don't know where all those values ARE in the array.

So, I'm back to needing to figure out how to get the value associated with a specific field name x_trans_id, etc. I've got some other responses - so I'll check them and see where they take me and also check to see if splitting on the equals sign would help with the name/value pairs.

Sorry I'm not explaining myself very well. I've been away from serious programming for long enough that I can't "talk the language" anymore!!

Thanks.

Re: SHA-512 in Perl

smorrow123 — Mon, 21 Jan 2019 22:29:08 GMT

I already have the program displaying test values and then exiting - and I just keep going back and forth to try different things. I LOVE the idea of creating the hash and then referencing them that way. I will probably try that.

HOWEVER, as I alluded in my other post - my code splits the response using the pipe character to get the separate name/value pairs, and then for whatever reason, splits the name from the value also using a pipe value. I previously tried to print out a value based on "if $name eq 'x_response_code'" but it didn't find that. SO, should I be splitting on the equals sign? I'm going to give it a try - but our error log is so huge and my speed is so slow, if I get a 500 internal server error, it takes me 15 minutes to download the error log to see what happened!

Thanks for sticking with me. Really appreciate it!!