Hi,
I am helping someone with a SIM integration. I am upgrading them from md5 to sha512. The response validation needs to be updated within 10 days, but per this post-
The fingerprint also needs updated, although no end of life is explicitly given. I am prioritizing my work, and would like to know if the md5 fingerprint will still be accepted until at least 4/30/2019.
Can someone on the authorize.net team answer with a quick yes/no?
Thank you very much for your excellent products and support.
Solved! Go to Solution.
03-04-2019 12:11 AM
Hello @Renaissance
We would of course prefer that merchants upgrade from SIM to Accept Hosted. That said, we're not currently aware of any plans to require HMAC-SHA512 at this time.
Authorize.Net recommends the HMAC-SHA512 hashing algorithm for constructing the fingerprint. HMAC-MD5 is still supported but not recommended.
Richard
03-05-2019 07:43 AM
I'm in the same boat and can't find a clear answer for this either. We have some products that can still use SIM hosted forms, but it doesn't say anywhere if the changes to the transaction fingerprint will cut over at the same time as the changes to the relay response (Mar 28, 2019 as I write this). The closest thing I can find is on page 28 of the current SIM guide, which says this:
Authorize.Net recommends the HMAC-SHA512 hashing algorithm for constructing the fingerprint. HMAC-MD5 is still supported but not recommended.
If that's true, it would appear that MD5 will still continue to work for the transaction fingerprint in SIM forms for the time being. But it would be nice to hear for sure from someone at Authorize.net.
03-04-2019 06:49 AM
03-05-2019 03:21 AM
Hello @Renaissance
We would of course prefer that merchants upgrade from SIM to Accept Hosted. That said, we're not currently aware of any plans to require HMAC-SHA512 at this time.
Authorize.Net recommends the HMAC-SHA512 hashing algorithm for constructing the fingerprint. HMAC-MD5 is still supported but not recommended.
Richard
03-05-2019 07:43 AM
03-05-2019 05:50 PM
Has anyone actually tested calculating the response hash where some of the fileds contain none ASCII characters?
For example in one the address fields I have
Sãu Paulo
When calculating the hash it never matches.
However my hash matches when the fields contain ASCII characters only.
How do I get round this issue? Our intergation is written in PHP.
03-08-2019 06:40 AM - edited 03-08-2019 06:49 AM
03-08-2019 07:09 AM - edited 03-08-2019 07:21 AM
Based off there example C# in the PDF they reference the ASCII encoding class. Whcih can be found here: https://docs.microsoft.com/en-us/dotnet/api/system.text.asciiencoding?view=netframework-4.7.2
based of the example in that documentation the soloution seems to be that if the character cannot be represented in ASCII the a ? will be used. Which is what I am seeing. However I have tried to do this in PHP and cannot get it to work.
And the response from the API has the correct encoding too. I think their hash algorithm on their server side is doing something unexpected to the multibyte chars and its a case of us trying to second guess it.
03-08-2019 07:41 AM - edited 03-08-2019 07:41 AM
03-08-2019 09:24 AM
I just validated a sample API call with the address you listed. It is an encoding issue. If you find my post "Working php hash verification" and go to the last post on page 6, I post working SIM/DPM code. If you amend that code to use this line:
$responseCheck = str_replace('%E3','ã',$anetResponse);
$responseCheck = explode('&',$responseCheck);
It will work for your example. You want to take out the non ASCII encoding before you explode into an array is the idea. Double check me on the syntax and variable names, as I cannot recall by memory my exact code but this should get you on your way.
The next, and probably a lot harder, step is to build a library of all the non ASCII characters being used and develop similar decoding/sanitization processes for them. May want to build a custom function if you have more than a few.
03-08-2019 09:58 AM