topic Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code in Integration and Testing

Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Alicia05 — Wed, 16 Jan 2019 19:23:05 GMT

In an attempt to upgrade from MD5 to SHA-512 based transHashSHA2 I have created a test transaction using my sandbox account and have used the c# sample code to verify the output of the hash matches the x_SHA2_Hash that comes back in the silent post back for the transaction, but I have not been able to generate a matching hash.

Steps followed from upgrade guide:

Step 1. Generate a Signature Key and store it in a secure location on your serve

Step 2. Convert the Signature Key into a byte array.

Step 3. Create a message string that starts with a caret ("^"), followed by the following three fields delimited by carets, and terminated with another caret:

• The API Login ID that you send in createTransactionRequest in the name element.

• The transaction ID that we send in createTransactionResponse in the transId element.

• The transaction amount that we send in createTransactionResponse in the amount element.

For example, if your API Login ID is "ANet123", the value of transId is "20987654321", and the value of amount is "9.99", the message string would look like this:

^ANet123^20987654321^9.99^

Step 4. Use HMAC-SHA512 to hash the byte array form of the Signature Key from Step 2 with the message string from Step 3.

Step 5. Compare the value of transHashSHA2 with the output from the HMAC-SHA512 hash mentioned in Step 4.

If my signature key is "828BB6EDE1959" and my API login ID is ABC123, my transaction id is 0 (because test transactions do not have a trans id in the sandbox), and the amount of the payment was $75.00 using the sample code provided in the upgrade guide I could pass in the value generated in step 3 "^ABC123^0^75.00^" and my signature key in to HMACSHA512("828BB6EDE1959", "^ABC123^0^75.00^") and my output should match the underlined value below, correct?

Array
(
    [x_response_code] => 1
    [x_response_reason_code] => 1
    [x_response_reason_text] => (TESTMODE) This transaction has been approved.
    [x_avs_code] => P
    [x_auth_code] => 000000
    [x_trans_id] => 0
    [x_method] => CC
    [x_card_type] => Visa
    [x_account_number] => XXXX1111
    [x_first_name] => 
    [x_last_name] => 
    [x_company] => 
    [x_address] => 
    [x_city] => 
    [x_state] => 
    [x_zip] => 
    [x_country] => 
    [x_phone] => 
    [x_fax] => 
    [x_email] => 
    [x_invoice_num] => 237
    [x_description] => 
    [x_type] => auth_capture
    [x_cust_id] => GPE6178NY
    [x_ship_to_first_name] => 
    [x_ship_to_last_name] => 
    [x_ship_to_company] => 
    [x_ship_to_address] => 
    [x_ship_to_city] => 
    [x_ship_to_state] => 
    [x_ship_to_zip] => 
    [x_ship_to_country] => 
    [x_amount] => 75.00
    [x_tax] => 0.00
    [x_duty] => 0.00
    [x_freight] => 0.00
    [x_tax_exempt] => FALSE
    [x_po_num] => 
    [x_MD5_Hash] => C13380CAE7E8D7DB47BEAEDE98A5867A
    [x_SHA2_Hash] => 3732810865C43409F22EB2078D3C292FB284A5AAF587F8E091E93D97672F874EDAC7D3D526324E204EA6EFA2506E831FE3BEE7FB6D78113A3F2757C58EAEF0BB    [x_cvv2_resp_code] => 
    [x_cavv_response] => 
    [x_test_request] => true
    [signature_key] => 828BB6EDE1959
    [ref1type1] => 
    [ref1val1] => l
    [payment_type] => AUTHORIZE_NET
    [email] => 
)

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

lightwave365 — Wed, 16 Jan 2019 20:09:25 GMT

Who the fck knows at this point. Even the Admins dont understand their own software.

That's the parameter I've been using. It's the same length as it should be. The old MD5 is much shorter. I'm at the point where I am brute forcing in a loop different methods until I get what matches in the request.

So far no combination of encodings, algorithms, or hashes are working for me..

I have my test mode off though so I do get a transaction ID.

This has literally been my whole day, at work, just GUESSING at how their API works when they could just fcking tell us.

Where did that admin go that came in and ignored all of us and answered that stupid question only one person cared about?

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Alicia05 — Wed, 16 Jan 2019 22:04:43 GMT

I tried this out and it works for me:

SIM Guidebook

https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf

Page 73

The message format in the upgrade guide is wrong it says to hash 3 values, what works is hashing the 30 values in the guide book.

^x_trans_id^x_test_request^x_response_code^x_auth_code^x_cvv2_resp_code^x_cavv_response^x_avs_code^x_method^x_account_number^x_amount^x_company^x_first_name^x_last_name^x_address^x_city^x_state^x_zip^x_country^x_phone^x_fax^x_email^x_ship_to_company^x_ship_to_first_name^x_ship_to_last_name^x_ship_to_address^x_ship_to_city^x_ship_to_state^x_ship_to_zip^x_ship_to_country^x_invoice_num^

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Alicia05 — Wed, 16 Jan 2019 20:14:26 GMT

I've been working on this since Monday, I am SO far behind on work now.

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

lightwave365 — Wed, 16 Jan 2019 20:45:41 GMT

See I'm using that 30 values hash and it's still not matching. What language are you doing this in?

Could you post your code?

[2019-01-16 15:40:21,407] [ERROR] HASH FROM AUTHNET: [ADFF7886B744A98CD885C6A4C9CCB86883D6CFF56C906D1DAB7ECA2CA6BA0D881B21724074CD0E12D742F2CF2364A2C1D25B1F2F0B4B134ACFEF9A6160D1E894]
 
[2019-01-16 15:40:21,409] [DEBUG] Attempting to hash string [^40024018324^false^1^29TOL3^P^2^Y^CC^XXXX2222^0.20^^^^^^^^^^^^^^^^^^^^^] with SecretKey [BF99E1A8A726AD3789D4E15F6041F65F8438055880DFE7DBF4B82819B0355BF815E425202397F3FF78A4D2BD6F8DC3998168D294A3416C0C00DA399A1203052A] with Algorithm [HmacSHA512] 
[2019-01-16 15:40:21,409] [ERROR] 

Encoding [ASCII] Algorithm [HmacSHA512] Hash[^40024018324^false^1^29TOL3^P^2^Y^CC^XXXX2222^0.20^^^^^^^^^^^^^^^^^^^^^]
Result: [F420E686C636534A1CB1494F6EB3B2C036F4B986ADE8F09D01C86B46FB84F589CB99041726084A6ED182D7F1BDE4B2B110FD05F4C3A2153903EBC72238679C97]

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Manu — Wed, 16 Jan 2019 21:57:59 GMT

The link to the SIM guide resolves to 404.

I tried hashing the 30 values but not getting the correct match.

Also, what should be including intead of "x_fp_hash" in the POST call to redirect to Hosted payment page? or should we still be sending "x_fp_hash" value but HmacSHA512 instead of HmacMD5 using the same format : x_login^x_fp_sequence^x_fp_timestamp^x_amount^

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

lightwave365 — Wed, 16 Jan 2019 22:08:10 GMT

The guide is back. There must be so many people resorting to a deprecated guide because the staff are useless.

But just in case, save the PDF to your desktop.

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

RichardH — Thu, 17 Jan 2019 01:08:31 GMT

@lightwave365 @Alicia05 @Manu

We edited the post to removed some extra characters in the URL and added a link to #page=73

Richard

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

lightwave365 — Thu, 17 Jan 2019 14:25:37 GMT

What post?

What link?

Could you explain what you exactly changed instead of just saying "I changed something, go find it"?

Page 73 of the SIM guide still looks the same and says last edited in September 2017.

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Alicia05 — Thu, 17 Jan 2019 14:42:12 GMT

@lightwave365 PHP

<?PHP

//Step 1. Generate a Signature Key and store it in a secure location on your server.
$key = '1111111';

//Step 2. Convert the Signature Key into a byte array.
$key = hex2bin($key);

//Step 3. Create a message string that starts with a caret ("^"), followed by the following three fields delimited by carets, and terminated with another caret:
//•    The API Login ID that you send in createTransactionRequest in the name element.
//•    The transaction ID that we send in createTransactionResponse in the transId element.
//•    The transaction amount that we send in createTransactionResponse in the amount element.
// Ref to page #73 SIM Guidebook ^x_trans_id^x_test_request^x_response_code^x_auth_code^x_cvv2_resp_code^x_cavv_response^x_avs_code^x_method^x_account_number^x_amount^x_company^x_first_name^x_last_name^x_address^x_city^x_state^x_zip^x_country^x_phone^x_fax^x_email^x_ship_to_company^x_ship_to_first_name^x_ship_to_last_name^x_ship_to_address^x_ship_to_city^x_ship_to_state^x_ship_to_zip^x_ship_to_country^x_invoice_num^
//EX: ^0^true^1^000000^^^P^CC^XXXX1111^75.00^^^^^^^^^^^^^^^^^^^^237^
$message .= '^' .
                $_REQUEST('x_trans_id') . '^' .
                $_REQUEST('x_test_request') . '^' .
                $_REQUEST('x_response_code') . '^' .
                $_REQUEST('x_auth_code') . '^' .
                $_REQUEST('x_cvv2_resp_code') . '^' .
                $_REQUEST('x_cavv_response') . '^' .
                $_REQUEST('x_avs_code') . '^' .
                $_REQUEST('x_method') . '^' .
                $_REQUEST('x_account_number') . '^' .
                $_REQUEST('x_amount') . '^' .
                $_REQUEST('x_company') . '^' .
                $_REQUEST('x_first_name') . '^' .
                $_REQUEST('x_last_name') . '^' .
                $_REQUEST('x_address') . '^' .
                $_REQUEST('x_city') . '^' .
                $_REQUEST('x_state') . '^' .
                $_REQUEST('x_zip') . '^' .
                $_REQUEST('x_country') . '^' .
                $_REQUEST('x_phone') . '^' .
                $_REQUEST('x_fax') . '^' .
                $_REQUEST('x_email') . '^' .
                $_REQUEST('x_ship_to_company') . '^' .
                $_REQUEST('x_ship_to_first_name') . '^' .
                $_REQUEST('x_ship_to_last_name') . '^' .
                $_REQUEST('x_ship_to_address') . '^' .
                $_REQUEST('x_ship_to_city') . '^' .
                $_REQUEST('x_ship_to_state') . '^' .
                $_REQUEST('x_ship_to_zip') . '^' .
                $_REQUEST('x_ship_to_country') . '^' .
                $_REQUEST('x_invoice_num') . '^';
   
//Step 4. Use HMAC-SHA512 to hash the byte array form of the Signature Key from Step 2 with the message string from Step 3.
$hashed_value = strtoupper(hash_hmac('sha512',$message, $new_key));

//Step 5. Compare the value of transHashSHA2 with the output from the HMAC-SHA512 hash mentioned in Step 4.
if(strtoupper($_REQUEST('x_SHA2_Hash')) != strtoupper(hash_hmac("sha512", $signature_key_hash, hex2bin($signature_key))))

For the FP: @Manu

protected function CalculateFP($x_login, $x_amount, $x_fp_sequence, $x_fp_timestamp, $x_currency_code = "", $signature_key)
    {
        $data_to_hash = $x_login . "^" . $x_fp_sequence . "^" . $x_fp_timestamp . "^" . $x_amount . "^" . $x_currency_code;
        return hash_hmac('sha512', $data_to_hash, hex2bin($signature_key));
    }

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

Manu — Thu, 17 Jan 2019 21:06:11 GMT

Thanks @Alicia05.

I am successfully abled to create a valid fingerprint.

But x_SHA2_Hash in the response still not matching the one I am generating even though I refer to Page 73 to create a $messageToHash with 30 values separated by "^".

Can you please do a favor and test if your shas512Hash value is matching the one I am generating using the signature key and messageToHash below:

$signatureKey = "9C5A4D2AFE1D1D5DB3A8FC4C95CDCF49E2B052B4220D0624C54C1C662194BDEF8FE0EA27B313FA62328D9500D123B9DD3CE06644508803ACD04DAEDB24C5D122";

$messageToHash = "^0^false^3^^^^P^^^1.99^^^^^^^^^^^^^^^^^^^^^";

// Hmac SHA-512 hash value I am gettings is:
$hmacSHA512Hash = "4038397293CE5DBBFD5AD21B2F96FF5B6E32EA9F56D310AA95D1D091EBEAD1C35FE5AF96111D7911B2816FCE0DBA2D41A5BD268F766183DC8F3B750B22F68E16";

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

HuyenNguyen — Wed, 30 Jan 2019 05:13:12 GMT

I can't verify your sha with 2 tickets:

1. https://developer.authorize.net/support/hash_upgrade/

2. https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement?utm_campaign=19Q2+MD5+Hash+EOL+Developer&utm_medium=email&utm_source=Eloqua

Here is a silent post:

$_POST=array (
'x_response_code' => '1',
'x_response_reason_code' => '1',
'x_response_reason_text' => 'This transaction has been approved.',
'x_avs_code' => 'Y',
'x_auth_code' => 'Q835SS',
'x_trans_id' => '40024516943',
'x_method' => 'CC',
'x_card_type' => 'Visa',
'x_account_number' => 'XXXX1111',
'x_first_name' => 'Phuong',
'x_last_name' => 'Nguyen',
'x_company' => '',
'x_address' => '123 Main Street',
'x_city' => 'Springfield',
'x_state' => 'IL',
'x_zip' => '60012',
'x_country' => 'US',
'x_phone' => '',
'x_fax' => '',
'x_email' => '',
'x_invoice_num' => '',
'x_description' => '',
'x_type' => 'auth_capture',
'x_cust_id' => '11281',
'x_ship_to_first_name' => '',
'x_ship_to_last_name' => '',
'x_ship_to_company' => '',
'x_ship_to_address' => '',
'x_ship_to_city' => '',
'x_ship_to_state' => '',
'x_ship_to_zip' => '',
'x_ship_to_country' => '',
'x_amount' => '199.00',
'x_tax' => '0.00',
'x_duty' => '0.00',
'x_freight' => '0.00',
'x_tax_exempt' => 'FALSE',
'x_po_num' => '',
'x_MD5_Hash' => '44239291E7A6D292C83360138503A159',
'x_SHA2_Hash' => '780F3D60E752D83D811CD2600E7D316B074EFC31C16AF22F64A44814483E465BA36C037CF006C166D5D1AADF0C0BDD711C509ACB9C49060791F900691E01E08E',
'x_cvv2_resp_code' => 'P',
'x_cavv_response' => '2',
'x_test_request' => 'false',
)

2019/01/29 09:47:47 [info] [payment] [3hk07t692o82c700nmjmopehf0][Guest][] array
(
'x_response_code' => '1'
'x_response_reason_code' => '1'
'x_response_reason_text' => 'This transaction has been approved.'
'x_avs_code' => 'Y'
'x_auth_code' => 'Q835SS'
'x_trans_id' => '40024516943'
'x_method' => 'CC'
'x_card_type' => 'Visa'
'x_account_number' => 'XXXX1111'
'x_first_name' => 'Phuong'
'x_last_name' => 'Nguyen'
'x_company' => ''
'x_address' => '123 Main Street'
'x_city' => 'Springfield'
'x_state' => 'IL'
'x_zip' => '60012'
'x_country' => 'US'
'x_phone' => ''
'x_fax' => ''
'x_email' => ''
'x_invoice_num' => ''
'x_description' => ''
'x_type' => 'auth_capture'
'x_cust_id' => '11281'
'x_ship_to_first_name' => ''
'x_ship_to_last_name' => ''
'x_ship_to_company' => ''
'x_ship_to_address' => ''
'x_ship_to_city' => ''
'x_ship_to_state' => ''
'x_ship_to_zip' => ''
'x_ship_to_country' => ''
'x_amount' => '199.00'
'x_tax' => '0.00'
'x_duty' => '0.00'
'x_freight' => '0.00'
'x_tax_exempt' => 'FALSE'
'x_po_num' => ''
'x_MD5_Hash' => '44239291E7A6D292C83360138503A159'
'x_SHA2_Hash' => '780F3D60E752D83D811CD2600E7D316B074EFC31C16AF22F64A44814483E465BA36C037CF006C166D5D1AADF0C0BDD711C509ACB9C49060791F900691E01E08E'
'x_cvv2_resp_code' => 'P'
'x_cavv_response' => '2'
'x_test_request' => 'false'
)
Here is my code:

- For verify at #1: 079F5B818BCBF7287DF241BEFAD592D26D8580115086A831F786225EFF02FF0F9B22DBC755F38C39D56B3DAD0A18E447F26469776747B998D7DE651C6E9D5068

$string = '^'.AUTHORIZENET_API_LOGIN_ID.'^'.$_POST['x_trans_id'].'^'.$_POST['x_amount'].'^';

$signatureKey = Yii::app()->params['anet_hash'];
$signatureKey = hex2bin($signatureKey);

$digest = strtoupper(hash_hmac('sha512',$string,$signatureKey));
return hash_equals($digest,$hash);

- For verify at #2:
$arrayHash = [
$_POST['x_trans_id'],
$_POST['x_test_request'],
$_POST['x_response_code '],
$_POST['x_auth_code'],
$_POST['x_cvv2_resp_code'],
$_POST['x_cavv_response'],
$_POST['x_avs_code'],
$_POST['x_method'],
$_POST['x_account_number'],
$_POST['x_amount'],
$_POST['x_company'],
$_POST['x_first_name'],
$_POST['x_last_name'],
$_POST['x_address'],
$_POST['x_city'],
$_POST['x_state'],
$_POST['x_zip'],
$_POST['x_country'],
$_POST['x_phone'],
$_POST['x_fax'],
$_POST['x_email'],
$_POST['x_ship_to_company'],
$_POST['x_ship_to_first_name'],
$_POST['x_ship_to_last_name'],
$_POST['x_ship_to_address'],
$_POST['x_ship_to_city'],
$_POST['x_ship_to_state'],
$_POST['x_ship_to_zip'],
$_POST['x_ship_to_country'],
$_POST['x_invoice_num'],
];

$string = '^'.implode('^', $arrayHash).'^';

$signatureKey = Yii::app()->params['anet_hash'];
$signatureKey = hex2bin($signatureKey);

$digest = strtoupper(hash_hmac('sha512',$string,$signatureKey));
return hash_equals($digest,$hash);

==> result for my sha: 5873397FD4FBAEAB591B6CE3A3BADEBE2997A07583AD4742674C77602685F8D30ECF86931323543CA1B2AB49F18CE4B898CD5B07DA1406903B686CD08AB2DD03

Could you help me? Many thanks!

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

HuyenNguyen — Fri, 01 Feb 2019 03:03:53 GMT

Hi Dev Support,

I dont' see any support for my problem. Can you help?

Re: Using Transaction Hash Upgrade Guide x_SHA2_Hash does not match output from sample code

kabutotx — Wed, 27 Feb 2019 04:25:17 GMT

If you are using SIM/AIM etc API it uses a different fingerprint than the current API.

SIM uses "x_login^x_fp_sequence^x_fp_timestamp^x_amount^"