Our authorize.net processing is done in some OLD perl cgi code - any perl programmers out there?
We are trying to convert to the SHA-512 hashing. Our current processing uses MD5, via the perl module Digest::MD5.
I use LWP::UserAgent to POST directly to the secure.authorize.net gateway transact dll URL.
What I get returned is an array of values. The MD5 hash is currently in the 38th array element. Authorize.net has been unable to tell me where I can find the returned SHA-512 hash value to compare to what I am generating in the program.
For my test:
I changed it to use Digest::SHA for the hashing. I generated the signature key and have it stored in hex in our database.
my $sha512_string = '^' . $auth_net_login_id . '^' . $tranid . '^' . $grandtotal . '^';
my $key = pack 'H*', $sig_key; ##to convert the store hex value to binary - as recommended here
my $sha512 = Digest::SHA->new;
my $sent_sha512_hash = $sha512->hmac_sha512($sha512_string, $key);
When I display that value, it just shows a bunch of weird characters on the screen - I don't know if that's expected or not. I am only displaying it to compare to what comes from authorize.net.
When the values are returned from Authorize.net (in the array), I display all the elements. There is a value in element 68 that looks like a hex value but that isn't what is in the hash that I generated.
So, isn't the hash returned from Authorize.net in the array? If not, then how do I obtain it using the methods we currently have in place? I don't consider this as using the API. Or is the problem that I am hashing it wrong on my end?
I obtained the perl code for our current processing via Authorize.net MANY years ago from one of their perl customers. It has worked fine ever since. I do not have the knowledge, experience or brain power to change the whole process, unless someone could provide all the perl code (I know that's asking a lot). I also have a general knowledge of php but unfortunately the examples on this forum are too different from our perl process to be able to correlate the two.
I hope someone can help! Thanks in advance!
01-16-2019 11:07 AM
I don't want to discourage you from implementing a security feature you think is needed. However, take a look at https://support.authorize.net/s/article/What-is-the-MD5-Hash-Security-feature-and-how-does-it-work - even authorize.net doesn't think it's needed for AIM
If you are indeed using AIM, you may be spending a lot of time on something not really needed, you could probably just comment out the part of your code that validates the hash.
If you are using AIM the path forward, as others have said, is to move to a more up to date API. Although this is perhaps not the forum to say it, there are other companies with secure APIs that are much easier to use, and offer better support. 70 plus posts, mostly of people exchanging their ignorance, and not a single post from authorize.net says it all.
01-23-2019 05:40 PM
01-16-2019 06:12 PM
@smorrow123 The bunch of weird characters in the key are expected, you've taken a string of hex characters (ex. A4F1...etc) and packed their binary values in a variable. When perl tries to interpret these as a string it results in "random" characters.
The solution to your problem is probably needing $sha512_string to be the 30 value thing described here:
I used the CGI perl module which allows parameters to be accessed in a named format (like 'x_SHA2_Hash') this might be very difficult to figure out which parameter is which if all you have is an array of values. Using CGI my solution is:
use CGI;
use Digest::SHA qw(hmac_sha512_hex);

my $QUERY = CGI->new; # This would be defined somewhere else
my $x_SHA2_hash = $QUERY->param('x_SHA2_Hash');
# Response fields that go into the hashed string, in this order
my @keys = (
    'x_trans_id', 'x_test_request', 'x_response_code', 'x_auth_code',
    'x_cvv2_resp_code', 'x_cavv_response', 'x_avs_code', 'x_method',
    'x_account_number', 'x_amount', 'x_company', 'x_first_name',
    'x_last_name', 'x_address', 'x_city', 'x_state', 'x_zip',
    'x_country', 'x_phone', 'x_fax', 'x_email', 'x_ship_to_company',
    'x_ship_to_first_name', 'x_ship_to_last_name', 'x_ship_to_address',
    'x_ship_to_city', 'x_ship_to_state', 'x_ship_to_zip',
    'x_ship_to_country', 'x_invoice_num'
);
my $key;
my $plain_text = "^";
foreach $key ( @keys ) {
    $plain_text .= $QUERY->param($key)."^";
}
# $signature_key (set elsewhere) is the hex signature key; convert it to binary
$key = pack 'H*', $signature_key;
$hash_val = hmac_sha512_hex( $plain_text, $key );
# $authorized is also declared elsewhere
if ( defined($x_SHA2_hash) && $x_SHA2_hash ne '' && lc($hash_val) eq lc($x_SHA2_hash) ) {
    $authorized = 1;
}
01-17-2019 03:17 AM
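An added example, not code from any poster in this thread or from Authorize.net: it shows the raw versus hex HMAC-SHA512 output discussed above, using Digest::SHA's functional interface, and compares digests case-insensitively in constant time. The key, the field values and the sub names (key_from_hex, response_hash, hashes_match) are constructed for illustration; the three fields mirror the string in the question, and the sub accepts any field list.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha512 hmac_sha512_hex);

# Constructed sample values, not real credentials or a real gateway response.
my $sig_key_hex = 'A1B2C3D4' x 16;      # 128 hex chars = 64-byte key
my @fields      = ('myLoginId', '40012345678', '19.99');

# Turn the stored hex key into raw bytes. pack 'H*' does not reject
# malformed input, so validate the string first.
sub key_from_hex {
    my ($hex) = @_;
    die "signature key is not even-length hex\n"
        unless $hex =~ /\A(?:[0-9A-Fa-f]{2})+\z/;
    return pack 'H*', $hex;
}

# Build "^v1^v2^...^" and return its HMAC-SHA512 as uppercase hex.
sub response_hash {
    my ($key_hex, @values) = @_;
    my $text = '^' . join('^', map { $_ // '' } @values) . '^';
    return uc hmac_sha512_hex($text, key_from_hex($key_hex));
}

# Compare two hex digests, ignoring case, without stopping at the
# first differing character.
sub hashes_match {
    my ($ours, $theirs) = map { uc($_ // '') } @_;
    return 0 unless length($ours) && length($ours) == length($theirs);
    my $diff = 0;
    $diff |= ord(substr($ours, $_, 1)) ^ ord(substr($theirs, $_, 1))
        for 0 .. length($ours) - 1;
    return $diff == 0 ? 1 : 0;
}

my $text = '^' . join('^', @fields) . '^';
my $raw  = hmac_sha512($text, key_from_hex($sig_key_hex));  # binary digest
my $ours = response_hash($sig_key_hex, @fields);            # hex digest

printf "raw digest: %d bytes (not printable)\n", length $raw;
printf "hex digest: %d characters\n", length $ours;
print  "raw and hex forms agree\n" if uc(unpack('H*', $raw)) eq $ours;
print  "lowercase copy matches\n"  if hashes_match($ours, lc $ours);
my $tampered = response_hash($sig_key_hex, @fields[0, 1], '1.00');
print  "changed amount rejected\n" unless hashes_match($ours, $tampered);
```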
Renaissance -
After my first post, I changed the hashing to hex (they don't tell you that, but the old MD5 hash was done in hex, so I thought this one might be, too), and then had a result which looked more like what I needed it to be. But it still didn't match what was in the 68th element of the returned array. The way you suggested is exactly what I did in my test. I displayed all the values individually for each array element returned. And that 68th element is the one that looked like it might be a hex hash value. Like I said, Authorize.net can't tell me how the hashed value is returned or how I access it. So, all I have to go by is visual confirmation. And what's in the 68th element doesn't match what is in my hex-hashed value.
I use the LWP perl module to access the AuthorizeNet URL directly. I don't know what DPM is. You said you "posted some code that may work". Where is that? I'm a newbie on the forum.
Thanks!
01-17-2019 04:34 AM - edited 01-17-2019 04:38 AM
Tmnejp-
I changed my hashing to hex, and that value made a lot more sense, so that's what I'm working with now.
I don't understand why Authorize.net specifically said to hash the 3 items along with the sig-key, but you're saying we need to go with 30 of them. I'm not using SIM - are you? And if not, are you still using this method successfully?
I'm willing to try anything, but now I need to understand what 30 items you're using. The post you linked to said 30 fields, but the example only had 15. Exactly what fields are those? Are they what you prepared to send TO authorize.net OR are they what authorize.net returned after authorization? It looks like what authorize.net returned but I have more than 30 elements in the returned array! There are some that I specifically use, so I know where they are, but to match what you have here, I'd have to get the other ones defined. I no longer have any documentation for this.
This has me SO aggravated!! Why can't authorize.net tell us the correct information??
I won't be able to work on this for a few days - but I'll monitor responses and give it a try when I can.
Thanks for your help!
01-17-2019 04:57 AM
01-17-2019 09:21 AM
01-17-2019 09:27 AM
@Renaissance Is there a way to get a copy of the SIM/DPM documentation? Does it include information for SHA-512? The old MD5 method only uses 3 fields along with the MD5 hash, and the Authorize.net rep I talked to said it would be very similar to the MD5 implementation.
Won't be working on this again until next week, but I'd like to get my ducks in a row in the meantime. Thx.
01-18-2019 07:54 AM
01-18-2019 09:23 AM
Hey,
I use LWP too using Perl and MySQL. You are using DPM which uses the POST METHOD.
Am also stuck, nothing worked. I used MySQL SHA2 Function and the HEX AND UNHEX function to no avail. I have over 100+ counties and municipalities and these governments account resist changes the same way they resist a plague.
Am willing to pay anyone who can help with the code.
Thx
01-20-2019 07:25 PM