
MD5 to SHA512 with SIM and silent post with php

I'm another confused person and it's only getting worse.  I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.

 

1.  The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5.  When I do that I get  (99) This transaction cannot be accepted.  It seems only to work with an MD5 hash (length issue?).  Is this a problem in itself?  What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?

 

2.  The SIM documentation also says the time must be UTC.  That's probably not new but I never converted my local time before.  Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.  

 

This is what I'm posting to https://test.authorize.net/gateway/transact.dll:

<input type="hidden" name="x_login" value="3yh8HYWK4ju">

<input type="hidden" name="x_type" value="AUTH_CAPTURE">

<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">

<input type="hidden" name="x_fp_sequence" value="13067697">

<input type="hidden" name="x_fp_timestamp" value="1552437235">

<input type="hidden" name="x_amount" value="26.35">

<input type="hidden" name="x_show_form" value="PAYMENT_FORM">

<input type="hidden" name="x_version" value="3.1">

<input type="hidden" name="x_invoice_num" value="13067697">

<input type="hidden" name="x_description" value="Order Total">

<input type="hidden" name="x_first_name" value="Me">

<input type="hidden" name="x_last_name" value="AlsoMe">

<input type="hidden" name="x_company" value="">

<input type="hidden" name="x_address" value="addr">

<input type="hidden" name="x_city" value="city">

<input type="hidden" name="x_state" value="state">

<input type="hidden" name="x_zip" value="zip">

<input type="hidden" name="x_country" value="United States">

<input type="hidden" name="x_phone" value="5125551212">

<input type="hidden" name="x_email" value="me@gmail.com">  

 

This is how I'm generating the fingerprint:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

 

and this is how I generate the hash to compare in the silent post:

$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));

 

but as noted I have also tried it with the $texttohash preceding the signature key. 

 

I also saw a php example on github that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either.  Maybe it was for a different method but I don't understand why there would be different fields.

 

Can anyone spot my doubtless numerous mistakes?  Thank you.

 

qoregexp
Member

Hi,  I can't speak to the silent post as I don't have that in my application.  However, for the fingerprint in my application, it is different than yours.  Mine is also C#.

 

Instead of:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

Try:

 

hash_hmac($transaction_key, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^"); 

 

The transaction key has to be generated inside the authorize.net sandbox or portal.  Account > API Credentials and Keys.  

 

I see you still reference md5, but I'm assuming you have the SHA512 code from Authorize.net, and this is what you are calling as hash_hmac.

 

I hope it helps.  Jason

jasoncoe2
Member

Thank you for the reply.  I have always had the transaction key as the 3rd argument, but I tried it 2nd (I assume you meant to have "md5" as the first argument) and it produces a 99 error.  I did use the fingerprint validator here https://developer.authorize.net/api/reference/responseCode99.html and verified that it is producing an md5 fingerprint.  I don't know if that's intentional or if they just haven't updated it. 

 

I can't get an sha512 fingerprint to be accepted under any circumstances, and the documentation says md5 is still OK for the fingerprint.  I am thinking now the fingerprint is unrelated to the hash that authorize.net sends back -- I think the fingerprint confirms that the transaction is coming from me, and the sha512 hash that they return is supposed to confirm that the response is really coming from them.  

 

I just still can't get a hash that I generate to match theirs.  I now have

 

$texttohash = $login . '^' . $sequence . '^' . $time . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", $texttohash, hex2bin($cc_signature_key)));

 

and I have tried modifying the time going forwards and backwards 23 hours to see if it's just a time problem but none of the values I generated matched theirs.  

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you’ve got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

And sorry been a long day. For 100% sure the fingerprint and response are totally different. You use sha512 for both of them but the string is different.
The github example is for a different integration. It is similar to message 1 on the link I shared.

@Renaissance that message 58 out of 58 was the one I was working from, but I was reading it wrong somehow.  I didn't understand that 30 fields went into the hash to compare with x_SHA2_Hash.  I was using the fields in the fingerprint code.   IT WORKS NOW!  Thank you so, so much.
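
The two separate hashes the thread ends up distinguishing, as an added example that is not code from any poster or from Authorize.net: one HMAC-SHA512 for the request fingerprint and one for checking x_SHA2_Hash on the silent post. The function names, the key and the shortened three-field list are constructed; the real ordered list of 30 response fields and the leading/trailing caret are assumptions to confirm against Authorize.net's documentation.

```php
<?php
// Added example. Key, field values and the short field list are constructed.

/** HMAC-SHA512: data is argument 2, the hex-decoded signature key is argument 3. */
function sim_hmac(string $text, string $signatureKeyHex): string
{
    $key = hex2bin($signatureKeyHex);
    if ($key === false) {
        throw new InvalidArgumentException('signature key is not valid hex');
    }
    return strtoupper(hash_hmac('sha512', $text, $key));
}

/** Request fingerprint (x_fp_hash) over the caret-delimited string shown in the thread. */
function sim_fingerprint(string $login, string $sequence, int $timestamp,
                         string $amount, string $keyHex): string
{
    return sim_hmac($login . '^' . $sequence . '^' . $timestamp . '^' . $amount . '^', $keyHex);
}

/**
 * Check x_SHA2_Hash on a silent post. $fieldOrder is the ordered list of response
 * fields (30 per the thread), supplied by the caller from the documentation.
 * Assumption: the hashed text starts and ends with a caret.
 */
function sim_verify_response(array $post, array $fieldOrder, string $keyHex): bool
{
    $values = [];
    foreach ($fieldOrder as $name) {
        $values[] = (string)($post[$name] ?? '');   // absent fields hash as empty strings
    }
    $expected = sim_hmac('^' . implode('^', $values) . '^', $keyHex);
    $received = strtoupper((string)($post['x_SHA2_Hash'] ?? ''));
    return hash_equals($expected, $received);       // constant-time comparison
}

// --- constructed demo ---
$keyHex = str_repeat('0a1b2c3d', 16);                    // placeholder 128-hex-char key
$order  = ['x_trans_id', 'x_amount', 'x_invoice_num'];   // illustrative subset, not the real list
$post   = ['x_trans_id' => '1234567890', 'x_amount' => '26.35', 'x_invoice_num' => '13067697'];
$post['x_SHA2_Hash'] = sim_hmac('^1234567890^26.35^13067697^', $keyHex);

var_dump(sim_verify_response($post, $order, $keyHex));   // untouched post
$post['x_amount'] = '0.01';                              // amount altered after signing
var_dump(sim_verify_response($post, $order, $keyHex));
// time() is already seconds since the Unix epoch in UTC; no hour offset is added.
echo sim_fingerprint('LOGIN_ID', '13067697', time(), '26.35', $keyHex), "\n";
```

Rejecting the silent post when `sim_verify_response` returns false is what stops a forged or altered callback from marking an order as paid.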