I'm another confused person and it's only getting worse. I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.
1. The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5. When I do that I get (99) This transaction cannot be accepted. It seems only to work with an MD5 hash (length issue?). Is this a problem in itself? What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?
2. The SIM documentation also says the time must be UTC. That's probably not new but I never converted my local time before. Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.
This is what I'm posting to https://test.authorize.net/gateway/transact.dll:
<input type="hidden" name="x_login" value="3yh8HYWK4ju">
<input type="hidden" name="x_type" value="AUTH_CAPTURE">
<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">
<input type="hidden" name="x_fp_sequence" value="13067697">
<input type="hidden" name="x_fp_timestamp" value="1552437235">
<input type="hidden" name="x_amount" value="26.35">
<input type="hidden" name="x_show_form" value="PAYMENT_FORM">
<input type="hidden" name="x_version" value="3.1">
<input type="hidden" name="x_invoice_num" value="13067697">
<input type="hidden" name="x_description" value="Order Total">
<input type="hidden" name="x_first_name" value="Me">
<input type="hidden" name="x_last_name" value="AlsoMe">
<input type="hidden" name="x_company" value="">
<input type="hidden" name="x_address" value="addr">
<input type="hidden" name="x_city" value="city">
<input type="hidden" name="x_state" value="state">
<input type="hidden" name="x_zip" value="zip">
<input type="hidden" name="x_country" value="United States">
<input type="hidden" name="x_phone" value="5125551212">
<input type="hidden" name="x_email" value="me@gmail.com">
This is how I'm generating the fingerprint:
hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key);
and this is how I generate the hash to compare in the silent post:
$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));
but as noted I have also tried it with the $texttohash preceding the signature key.
I also saw a php example on github that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either. Maybe it was for a different method but I don't understand why there would be different fields.
Can anyone spot my doubtless numerous mistakes? Thank you.
Solved! Go to Solution.
โ03-12-2019 05:53 PM
โ03-13-2019 09:03 PM
Hi, I can't speak to the silent post as I don't have that in my application. However, for the fingerprint in my application, it is different than yours. Mine is also C#.
Instead of:
hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key);
Try:
hash_hmac($transaction_key, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^");
The transaction key has to be generated inside the authorize.net sandbox or portal. Account > API Credentials and Keys.
I see you still reference md5, but I'm assuming you have the SHA512 code from Authorize.net, and this is what you are callin as hash_hmac.
I hope it helps. Jason
โ03-12-2019 06:08 PM
Thank you for reply. I have always had the transaction key as the 3rd argument, but I tried it 2nd (I assume you meant to have "md5" as the first argument) and it produces a 99 error. I did use the fingerprint validator here https://developer.authorize.net/api/reference/responseCode99.html and verified that it is producing an md5 fingerprint. I don't know if that's intentional or if they just haven't updated it.
I can't get an sha512 fingerprint to be accepted under any circumstances, and the documentation says md5 is still OK for the fingerprint. I am thinking now the fingerprint is unrelated to the hash that authorize.net sends back -- I think the fingerprint confirms that the transaction is coming from me, and the sha512 hash that they return is supposed to confirm that the response is really coming from them.
I just still can't get a hash that I generate to match theirs. I now have
$texttohash = $login . '^' . $sequence . '^' . $time . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", $texttohash, hex2bin($cc_signature_key)));
and I have tried modifying the time going forwards and backwards 23 hours to see if it's just a time problem but none of the values I generated matched theirs.
โ03-13-2019 01:07 PM
โ03-13-2019 09:03 PM
โ03-13-2019 09:05 PM
โ03-13-2019 09:07 PM
@Renaissance that message 58 out of 58 was the one I was working from, but I was reading it wrong somehow. I didn't understand that 30 fields went into the hash to compare with x_SHA2_Hash. I was using the fields in the fingerprint code. IT WORKS NOW! Thank you so, so much.
โ03-14-2019 10:55 AM