topic Re: Coldfusion SIM HMAC-SHA512 Update in Integration and Testing

Coldfusion SIM HMAC-SHA512 Update

mojenals — Wed, 23 Jan 2019 18:00:41 GMT

Hi all... I currently have a working SIM MD5 solution and am updating to SHA512. I believe that I have walked through the necessary steps as outlined here ( https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how ), however continue to receive an Error Code 99.

Essentially, the only changes are, as I read them
-- to request a Signature Key, change to binary, use this as the HMAC key
-- change the algorithm from HMACMD5 to HMACSHA512

MD5 Solution:
<cfset digest=HMAC("#authNetLogin#^#sequence#^#fp_timestamp#^#x_amount#^","#authNetTrnxKey#","HMACMD5") />

SHA512:
<cfset authNetHexSignatureKey = "REMOVED_FROM_CODE" />
<cfset authNetBinarySignatureKey = toBinary(authNetHexSignatureKey) />
<cfset digest=HMAC("#authNetLogin#^#sequence#^#fp_timestamp#^#x_amount#^","#authNetBinarySignatureKey#","HMACSHA512")>

The existing Error 99 tool ( https://developer.authorize.net/api/reference/responseCode99.html ) appears to be for use in the old MD5 method. Is there another tool for this?

I have looked at the data being posted using the dump tool here ( http://developer.authorize.net/bin/developer/paramdump ) and everything LOOKS ok.

Any assistance would be appreciated.

Thanks.

Re: Coldfusion SIM HMAC-SHA512 Update

Renaissance — Thu, 24 Jan 2019 05:01:33 GMT

I would venture that your issue is one or more of the following, with a disclaimer that I have never used sim:

-for MD5, as I understand it, you created part of your string in the merchant interface. You do not do that for the new hash. The sequence is an arbitrary number that you make up.

-the above creates a new step in the process where you have to pass the value of your sequence in the request (because Authorize doesn’t have it in the interface anymore)

Re: Coldfusion SIM HMAC-SHA512 Update

Renaissance — Thu, 24 Jan 2019 05:03:18 GMT

A third problem is you are missing a caret at the beginning of your string.

Re: Coldfusion SIM HMAC-SHA512 Update

ebuist1 — Thu, 24 Jan 2019 16:26:49 GMT

@Renaissance wrote:
A third problem is you are missing a caret at the beginning of your string.

The Do I need to upgrade my transaction... linked in the first post and the SIM Guide (page 30) do not specify a caret at the beginning of the string used to generate the hash. Both show the format to be "x_login^x_fp_sequence^x_fp_timestamp^x_amount^".

I am having this exact same problem, only with a Java implementation. Ours is also currently working by generating an MD5 hash using the above string and the Transaction Key, and passing that in the x_fp_hash field. However, when SHA512 is used with the same string above and the Signature Key instead, I get Error 99 every time (The server-generated fingerprint does not match the merchant-specified fingerprint in the x_fp_hash field).

Interesting that the Do I need to upgrade my transaction... page says the Signature Key needs to first be converted to binary before computing SHA512 hash but the SIM Guide does not. I have tried it both ways and still always get Error 99. What are we missing here?

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Thu, 24 Jan 2019 16:55:04 GMT

@Renaissance wrote:
A third problem is you are missing a caret at the beginning of your string.

@Renaissance I appreciate the input, however, for the initial fingerprint, a leading ^ was not necessary in the MD5 implementation nor is called for in the SHA512 implentation, according to here ( https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how )

Taken from link ...

For example, if we presume an API Login ID of "authnettest", a sequence number of "789", a timestamp of "67897654," an amount of "10.50", and no currency code, the hash input would look like this:

authnettest^789^67897654^10.50^

The leading ^ instruction comes from here ( https://developer.authorize.net/support/hash_upgrade/ ), this page discusses how to validate the AuthNet response from the Hosted Payment Form by comparing the transHashSHA2, with a locally calculated value... however, using SHA512 (and the new signature key method) I haven't been able to successfully submit the initial SIM request ... to load the Hosted Payment Form.

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Thu, 24 Jan 2019 17:12:59 GMT

@Renaissance I appreciate your time and your input, however...

@Renaissance wrote:
-for MD5, as I understand it, you created part of your string in the merchant interface. You do not do that for the new hash. The sequence is an arbitrary number that you make up.

In the MD5 method, we used a Transaction Key for the HMAC key. The Transaction Key was pulled from the merchant interface and used directly in the HMAC function, without any changes made. The new hash method uses a Signature Key that is also taken from the merchant interface, however it is not used directly in the HMAC function. It is, in its inital state, a hex string, that is to be converted to binary prior to using as the key in the HMAC function.

Taken from ( Do I need to upgrade my ... )
It is important to note that the Signature Key is presented in the Merchant Interface, in hexadecimal format. You will need to convert the Signature Key to binary format before calculating the HMAC-SHA512 hash.
...
You would then hash this input with the HMAC-SHA512 algorithm, using the binary-encoded Signature Key as the HMAC key.

It is my understanding that the toBinary() function would accomplish this in CF.

@Renaissance wrote:
-the above creates a new step in the process where you have to pass the value of your sequence in the request (because Authorize doesn’t have it in the interface anymore)

I believe that you are using the term sequence to refere to the Key (Transaction vs Signature), I've outline (as I understand them) the difference between these two values and the MD5 vs SHA512 methods. To be clear, both methods, MD5 and SHA512, require a sequence to both be passed as a form field key/value pair and used inte the creation of the HMAC fingerprint... this is supposed to be a value that you create (generally an invoice number or other unique value)

The unique merchant-generated sequence number (x_fp_sequence);

Re: Coldfusion SIM HMAC-SHA512 Update

Renaissance — Thu, 24 Jan 2019 17:19:22 GMT

You are right. I've been helping people with this. I don't use SIM/DPM and the other methods have a leading caret.

I am not versed in this, but am I not correct that using MD5 you had to enter a number in the merchant inferface, and that number was going to be used in calculating the hash? I keep hearing of "the merchant will lose the ability to put xzy in the merchant interface". I may be totally off.

That was what I was referring to as possibly your problem. From what I read, you don't use the value inputted in the merchant interface. You just randomly generate a number on your end and use it. So you could just do "123" and use that for the sequence. This is totally separate from the signature key or transaction key.

Then you pass along the 123 in the request. I won't be on here anymore today, but I'll see what you've got later on.

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Thu, 24 Jan 2019 18:04:02 GMT

@Renaissance wrote:
... but am I not correct that using MD5 you had to enter a number in the merchant inferface, and that number was going to be used in calculating the hash? I keep hearing of "the merchant will lose the ability to put xzy in the merchant interface". I may be totally off.

That was what I was referring to as possibly your problem. From what I read, you don't use the value inputted in the merchant interface. You just randomly generate a number on your end and use it. So you could just do "123" and use that for the sequence. This is totally separate from the signature key or transaction key.

From MD5 Hash End of Life....

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.

As I read it, the change in the Merchant Interface is that the user will no longer be able to enable/update MD5 Hash as an authorized method. So they are disabling the option of selecting MD5.

You are correct, we are not using the MD5 Hash string inputed in the Merchant Interface > MD5-Hash, that is/was used to encrypt the responses from AuthNet, not for calculating the signature when submitting a request for load of the Hosted Payment Form. We are using the key values assigned by AuthNet. The Signature Key, once made binary, is the new version of the old Transaction Key.

The usage of sequence itself hasn't changed and is a unique value used within the hashed string and passed as a form element. Taken from Do I need to upgrade ...

The API Login ID (x_login);
The unique merchant-generated sequence number (x_fp_sequence);
The transaction's timestamp in UNIX Epoch time, i.e. how many seconds have passed since Midnight UTC on January 1, 1970 (x_fp_timestamp);
The transaction amount (x_amount);
The currency code (x_currency_code), which should be blank if no currency code is submitted.

For example, if we presume an API Login ID of "authnettest", a sequence number of "789", a timestamp of "67897654," an amount of "10.50", and no currency code, the hash input would look like this:

authnettest^789^67897654^10.50^

The only changes, as I read them, are

use SHA512 instead of MD5
use binary converted Signature Key, instead of plain text Transaction Key

everything else is supposed to be the same, even the field that the hash/fingerprint is submitted via and AuthNet will determine which method you've used.

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Thu, 24 Jan 2019 19:09:19 GMT

I am still working on a Coldfusion solution, however since I am beginning to believe this has more to do with the underlying Java libraries than my implimentation, I have put into place a solution using PHP 5.3 to generate the fingerprint and pass back to CF for use in the existing calls. This works. Eventually, we will migrate away from SIM/DPM to the API, however for now...

I make a cfhttp call to the PHP form, that receives the necessary pieces to calc the fingerprint and returns the timestamp and fingerprint for use by the existing CF process.

I have read that users have had success using hex2bin(), base_convert(), and pack()... since hex2bin is not available in 5.3, I had to try the other two. The HMAC-SHA512 fingerprint calculated using base_convert() received Error 99, however the HMAC-SHA512 fingerprint calculated using pack() was successful and I was able to load the Direct Payment Form.

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Thu, 31 Jan 2019 14:54:35 GMT

I was unable to develop a fully CF/Java implementation ... time simply too limited at this point and with a working solution in PHP, having to mark it as done step away.

Re: Coldfusion SIM HMAC-SHA512 Update

kabutotx — Tue, 26 Feb 2019 00:47:36 GMT

Here is code that works in CF/Lucee.

authSignature = the signature key

message = Built message from API, CIM, AIM or whatever.

key=binaryDecode(authSignature, "hex" );
hashResult = hmac(message, key, 'HMACSHA512');

Re: Coldfusion SIM HMAC-SHA512 Update

deanlaw — Tue, 26 Feb 2019 00:53:52 GMT

Not sure if you still need this, but I was able to get this to work. The signature key is in a hex format and the toBinary function is expecting base64 data. The binaryDecode function though allows you to specify that the data is hex. So your HMAC script should look like this:

This worked for me.

Re: Coldfusion SIM HMAC-SHA512 Update

mojenals — Tue, 26 Feb 2019 02:07:16 GMT

I appreciate your help @kabutotx and @deanlaw.

@kabutotx , the use of binaryDecode() was the solution.

@deanlaw , thank you for pointing out the difference between binaryDecode() and toBinary()

I have updated our CF code and successfully removed the PHP script.

Thanks!

Re: Coldfusion SIM HMAC-SHA512 Update

MinneSnowtain — Tue, 26 Feb 2019 23:21:02 GMT

Hi @deanlaw

What version of CF are you using? I'm attempting to get this working also and so far no go with CF 10 BUT

I'm using Auth.net sandbox

I'm also just using what is called the Silent Post Url which means auth.net posts data to my site and so I'm attempting to generate this hashed string and compare that to the value from Auth.net form field X_SHA2_HASH.

It's not very clear what the hashed sting should be but I believe it needs to be constructed of the 30 form fields separated by ^ and maybe a trailing ^ or prepended ^ or both..i've tried all 4 options and so far my result doesn't match but no clue if the problem is CF10 or auth.net sandbox or me. So any clues would be appreciated.

Re: Coldfusion SIM HMAC-SHA512 Update

kabutotx — Wed, 27 Feb 2019 00:37:01 GMT

It should work with CF 10+. The hmac function is the newset and CF 10+.
(There is a CF_HMAC addon available that might work for older CF) I see you are following the other thread on the Silent Post URL. I am using the API version for CF. Each API builds a different message, so check with that API.

Re: Coldfusion SIM HMAC-SHA512 Update

deanlaw — Wed, 27 Feb 2019 00:45:07 GMT

@MinneSnowtainI am using ACF 2016. I also have ACF 11 running on another server, which I have not tested yet, but it should work the same.

If you look at this guide, SIM Guide, starting at the bottom of page 29, it outlines what the fingerprint is comprised of. "x_login^x_fp_sequence^x_fp_timestamp^x_amount^". There is also a 5th field that you can use, which is for currency, which looks like this: "x_login^x_fp_sequence^x_fp_timestamp^x_amount^US" (notice, no trailing carat). You can see this in example 2 on page 30. You would then use your binary converted Session Key (not your Transaction Key) to generate the SHA512 hash.

<cfset authNetHexSignatureKey = "REMOVED_FROM_CODE" />
<cfset authNetBinarySignatureKey = binaryDecode(authNetHexSignatureKey, "hex") />
<cfset digest=HMAC("#x_login#^#x_fp_sequence#^#fp_timestamp#^#x_amount#^","#authNetBinarySignatureKey#","HMACSHA512")>

Also, after generating the digest variable above, I submit it using the x_fp_hash field. I don't know if this is different using the Silent Post feature.

Hope this helps.

Re: Coldfusion SIM HMAC-SHA512 Update

MinneSnowtain — Wed, 27 Feb 2019 01:39:51 GMT

Thank you @deanlaw and @kabutotx

So @kabutotx did you try using CF10? or are you just guessing that it should work?

Unfortunately I'm not using the API and I'm not sending this hashed result but comparing my hash result with what I get posted (just a regular ole form post) from auth.net. Unfortunately the string that Auth.net uses to hash is a bit of a mystery to me which makes this harder yet.

Re: Coldfusion SIM HMAC-SHA512 Update

kabutotx — Wed, 27 Feb 2019 02:01:28 GMT

Didn't try CF 10 but hmac builtin function was added to CF at that version.

I assume you are using the old SIM API, so follow @deanlaw posted above.

Re: Coldfusion SIM HMAC-SHA512 Update

MinneSnowtain — Wed, 27 Feb 2019 17:03:46 GMT

I am happy to report that my posted signature TO auth.net is valid using:

Now if only I could validate what sandbox returns back to me via the silent post.

This now confirms there is something wrong with the string I create that is hashed.

So far this is what I've tried

that string did not result is a match

same string as above but added

it did not match

same as orignal string but added

it did not match

same as orignal string but added

it did not match

Re: Coldfusion SIM HMAC-SHA512 Update

kabutotx — Wed, 27 Feb 2019 17:48:08 GMT

Per page 73 It is ^field and an ending ^. So each of your form. field should start with a ^ and then the data and the whole thing (string of all form fields) should end with a ^.