
MD5 to SHA512 with SIM and silent post with php

I'm another confused person and it's only getting worse.  I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.

 

1.  The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5.  When I do that I get  (99) This transaction cannot be accepted.  It seems only to work with an MD5 hash (length issue?).  Is this a problem in itself?  What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?

 

2.  The SIM documentation also says the time must be UTC.  That's probably not new but I never converted my local time before.  Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.  

 

This is what I'm posting to https://test.authorize.net/gateway/transact.dll:

<input type="hidden" name="x_login" value="3yh8HYWK4ju">

<input type="hidden" name="x_type" value="AUTH_CAPTURE">

<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">

<input type="hidden" name="x_fp_sequence" value="13067697">

<input type="hidden" name="x_fp_timestamp" value="1552437235">

<input type="hidden" name="x_amount" value="26.35">

<input type="hidden" name="x_show_form" value="PAYMENT_FORM">

<input type="hidden" name="x_version" value="3.1">

<input type="hidden" name="x_invoice_num" value="13067697">

<input type="hidden" name="x_description" value="Order Total">

<input type="hidden" name="x_first_name" value="Me">

<input type="hidden" name="x_last_name" value="AlsoMe">

<input type="hidden" name="x_company" value="">

<input type="hidden" name="x_address" value="addr">

<input type="hidden" name="x_city" value="city">

<input type="hidden" name="x_state" value="state">

<input type="hidden" name="x_zip" value="zip">

<input type="hidden" name="x_country" value="United States">

<input type="hidden" name="x_phone" value="5125551212">

<input type="hidden" name="x_email" value="me@gmail.com">  

 

This is how I'm generating the fingerprint:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

 

and this is how I generate the hash to compare in the silent post:

$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));

 

but as noted I have also tried it with the $texttohash preceding the signature key. 

 

I also saw a php example on github that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either.  Maybe it was for a different method but I don't understand why there would be different fields.

 

Can anyone spot my doubtless numerous mistakes?  Thank you.

 

qoregexp
Member

Hi,  I can't speak to the silent post as I don't have that in my application.  However, for the fingerprint in my application, it is different than yours.  Mine is also C#.

 

Instead of:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

Try:

 

hash_hmac($transaction_key, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^"); 

 

The transaction key has to be generated inside the authorize.net sandbox or portal.  Account > API Credentials and Keys.  

 

I see you still reference md5, but I'm assuming you have the SHA512 code from Authorize.net, and this is what you are calling as hash_hmac.

 

I hope it helps.  Jason

jasoncoe2
Member

Thank you for the reply.  I have always had the transaction key as the 3rd argument, but I tried it 2nd (I assume you meant to have "md5" as the first argument) and it produces a 99 error.  I did use the fingerprint validator here https://developer.authorize.net/api/reference/responseCode99.html and verified that it is producing an md5 fingerprint.  I don't know if that's intentional or if they just haven't updated it. 

 

I can't get an sha512 fingerprint to be accepted under any circumstances, and the documentation says md5 is still OK for the fingerprint.  I am thinking now the fingerprint is unrelated to the hash that authorize.net sends back -- I think the fingerprint confirms that the transaction is coming from me, and the sha512 hash that they return is supposed to confirm that the response is really coming from them.  

 

I just still can't get a hash that I generate to match theirs.  I now have

 

$texttohash = $login . '^' . $sequence . '^' . $time . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", $texttohash, hex2bin($cc_signature_key)));

 

and I have tried modifying the time going forwards and backwards 23 hours to see if it's just a time problem but none of the values I generated matched theirs.  

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you've got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

And sorry been a long day. For 100% sure the fingerprint and response are totally different. You use sha512 for both of them but the string is different.
The github example is for a different integration. It is similar to message 1 on the link I shared.

@Renaissance that message 58 out of 58 was the one I was working from, but I was reading it wrong somehow.  I didn't understand that 30 fields went into the hash to compare with x_SHA2_Hash.  I was using the fields in the fingerprint code.   IT WORKS NOW!  Thank you so, so much.
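
The resolution of this thread, as an added example that is not code from any poster or from Authorize.Net: the request fingerprint and the silent-post check are two separate HMAC-SHA512 computations over different strings, both keyed with the binary form of the signature key. The function names, the three-field list and every value below are constructed for illustration; the real ordered list of response fields (30, per the thread) and the caret layout around them are assumptions to confirm against the gateway documentation.

```php
<?php
// Added example: function names and sample values are constructed placeholders.

// x_fp_hash for the request, using the string layout posted in the thread.
// hash_hmac() takes (algorithm, data, key); the hex signature key is
// converted to raw bytes before it is used as the HMAC key.
function sim_fingerprint(string $login, string $sequence, int $timestamp,
                         string $amount, string $signatureKeyHex): string
{
    $text = $login . '^' . $sequence . '^' . $timestamp . '^' . $amount . '^';
    return hash_hmac('sha512', $text, hex2bin($signatureKeyHex));
}

// Check x_SHA2_Hash on a silent post. $fields is the ordered list of response
// field names taken from the gateway documentation; the leading and trailing
// caret layout is an assumption to verify against that documentation.
function sim_response_is_authentic(array $post, array $fields,
                                   string $signatureKeyHex): bool
{
    $values = [];
    foreach ($fields as $name) {
        $values[] = $post[$name] ?? '';   // absent fields hash as empty strings
    }
    $text     = '^' . implode('^', $values) . '^';
    $expected = strtoupper(hash_hmac('sha512', $text, hex2bin($signatureKeyHex)));
    $received = strtoupper((string)($post['x_SHA2_Hash'] ?? ''));
    return hash_equals($expected, $received);   // constant-time comparison
}

// Constructed demo values: not real credentials and not the real field list.
$key    = str_repeat('0a', 64);                 // 128 hex characters
$fields = ['x_trans_id', 'x_amount', 'x_invoice_num'];
$post   = ['x_trans_id' => '1234567890', 'x_amount' => '26.35',
           'x_invoice_num' => '13067697'];
$post['x_SHA2_Hash'] = strtoupper(
    hash_hmac('sha512', '^1234567890^26.35^13067697^', hex2bin($key)));

// time() is already a UTC epoch value, so no hour offset is added to it.
echo sim_fingerprint('LOGIN_ID_PLACEHOLDER', '13067697', time(), '26.35', $key), "\n";
var_dump(sim_response_is_authentic($post, $fields, $key));   // untouched post
$post['x_amount'] = '1.00';                                  // altered amount
var_dump(sim_response_is_authentic($post, $fields, $key));   // altered post
```

A silent-post handler should reject the request when the check returns false, before any order state is updated from the posted fields.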