cancel
Showing results for 
Search instead for 
Did you mean: 

SHA-512 in Perl

Our authorize.net processing is done in some OLD perl cgi code - any perl programmers out there?

 

We are trying to convert to the SHA-512 hashing.  Our current processing uses MD5, via the perl module Digest::MD5.

I use LWP::UserAgent to POST directly to the secure.authorize.net gateway transact dll URL.

What I get returned is an array of values. The MD5 hash is currently in the 38th array element. Authorize.net has been unable to tell me where I can find the returned SHA-512 hash value to compare to what I am generating in the program.

 

For my test:

I changed it to use Digest::SHA for the hashing. I generated the signature key and have it stored in hex in our database.  

 

 

my $sha512_string = '^' . $auth_net_login_id . '^' . $tranid . '^' . $grandtotal . '^';


my $key = pack 'H*', $sig_key;  ##to convert the store hex value to binary - as recommended here


my $sha512 = Digest::SHA->new;
my $sent_sha512_hash = $sha512->hmac_sha512($sha512_string, $key);

 

When I display that value, it just shows a bunch of weird characters on the screen - I don't know if that's expected or not. I am only displaying it to compare to what comes from authorize.net.

 

When the values are returned from Authorize.net (in the array), I display all the elements. There is a value in element 68 that looks like a hex value but that isn't what is in the hash that I generated.

 

So, isn't the hash returned from Authorize.net in the array? If not, then how do I obtain it using the methods we currently have in place? I don't consider this as using the API.   Or is the problem that I am hashing it wrong on my end?

 

I obtained the perl code for our current processing via Authorize.net MANY years ago from one of their perl customers. It has worked fine ever since. I do not have the knowledge, experience or brain power to change the whole process, unless someone could provide all the perl code (I know that's asking a lot). I also have a general knowlege of php but unfortunately the examples on this forum are too different from our perl process to be able to correlate the two.

 

I hope someone can help!   Thanks in advance!

 

smorrow123
Contributor
76 REPLIES 76

Hey my friend. Send me a message if you want some help. I am a php programmer and not well versed in Perl Syntax. However if you know the syntax working together I am confident we can make it work.

Here is my solution. I'm posting this again. Did not see me first post. Sorry if I didn't post correctly (newbie).

 

Here are the changes I made when posting to authorize.net:

 

 #use Digest::HMAC_MD5 qw(hmac_md5_hex);           # commented out
 use Digest::SHA qw(hmac_sha512_hex);              # added this line
 $hmac_data = $x_login."^".$x_fp_sequence."^".$x_fp_timestamp."^".$x_amount."^";   # no change
 ### assigned my new transaction key from authorize.net to $transaction_key here
 $transaction_key = pack("H*", $transaction_key);            # added this line  
 # $x_fp_hash = hmac_md5_hex($hmac_data, $transaction_key);  # commented out MD5 hash
 $x_fp_hash = hmac_sha512_hex($hmac_data,$transaction_key);  # added this line

 

Processing response from authorize.net:

 

I Did not change the following method of processing variables:

 

 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});  ### Note: do not load "use CGI"
 @pairs = split(/&/, $buffer);
 %response=();
 $x=0;
 foreach $pair (@pairs) {
   ($name, $value) = split(/=/, $pair);
   $value =~ tr/+/ /;
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $response{$name}=$value;
 }

Commented out the following old md5 lines below...

 

 # use Digest::MD5 qw(md5 md5_hex md5_base64);
 # $data = $md5_key.$api_login_id.$response{x_trans_id}.$response{x_amount};
 # $loc_MD5_hash = md5_hex($data);
 # $loc_MD5_hash = uc($loc_MD5_hash);

Added the following...

 

 use Digest::SHA qw(hmac_sha512_hex);
 # assigned my new transaction key from authorize.net to $transaction_key here
 $keyx = pack("H*", $transaction_key);
 $data=qq~^$response{x_trans_id}^$response{x_test_request}^$response{x_response_code}^$response{x_auth_code}^$response{x_cvv2_resp_code}^$response{x_cavv_response}^$response{x_avs_code}^$response{x_method}^$response{x_account_number}^$response{x_amount}^$response{x_company}^$response{x_first_name}^$response{x_last_name}^$response{x_address}^$response{x_city}^$response{x_state}^$response{x_zip}^$response{x_country}^$response{x_phone}^$response{x_fax}^$response{x_email}^$response{x_ship_to_company}^$response{x_ship_to_first_name}^$response{x_ship_to_last_name}^$response{x_ship_to_address}^$response{x_ship_to_city}^$response{x_ship_to_state}^$response{x_ship_to_zip}^$response{x_ship_to_country}^$response{x_invoice_num}^~;
 $hash = hmac_sha512_hex($data,$transaction_key);
 $hash = uc($hash);

Finished processing as before...

 

Hope this helps.

@Renaissance

I am just now starting to work on it after taking the weekend off.

I am trying to determine how to access the specific field names/values that are needed for hashing - since the current script accesses them as an array. Since I don't know where all the hashing fields are located within the array, I have to figure out how to access them another way. I'm not sure I have access to them as a params, when using the LWP::UserAgent that's in my script. I'm just not familiar enough with how all of this works, having gotten that code from someone else many moons ago.

But I'm plugging along, playing around with different ways of obtaining the values and just displaying them on the screen to try to figure this out. Right now I'm trying to deal with the dreaded 500 Internal Server error so am investigating in the error log to find out why.

I'll let you know if I need more help. Thanks for checking in!

 

@smorrow123

 

If you want to try it without LWP (using raw processing) try this test script as your  "x_relay_response_url" :

 

Note: You do not need or want to use "use CGI" in the same script with this method

 

#!/usr/bin/perl

MAIN:
{
 #
 # Read all responses from authorize.net
 #
 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
 @pairs = split(/&/, $buffer);
 %response = ();
 $x = 0;
 foreach $pair (@pairs) {
   ($name, $value) = split(/=/, $pair);
   $value =~ tr/+/ /;
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $response{$name}=$value;
 }
 #
 # create a string of all required variables for the hash
 #
 $data = qq~^$response{x_trans_id}^$response{x_test_request}^$response{x_response_code}^$response{x_auth_code}^$response{x_cvv2_resp_code}^$response{x_cavv_response}^$response{x_avs_code}^$response{x_method}^$response{x_account_number}^$response{x_amount}^$response{x_company}^$response{x_first_name}^$response{x_last_name}^$response{x_address}^$response{x_city}^$response{x_state}^$response{x_zip}^$response{x_country}^$response{x_phone}^$response{x_fax}^$response{x_email}^$response{x_ship_to_company}^$response{x_ship_to_first_name}^$response{x_ship_to_last_name}^$response{x_ship_to_address}^$response{x_ship_to_city}^$response{x_ship_to_state}^$response{x_ship_to_zip}^$response{x_ship_to_country}^$response{x_invoice_num}^~;
 #
 # Display results
 #
 print qq~Content-type: text/html\n\n
<html>$data</html>~;
 exit;
}

Thanks @airman81, but this is a bit greek to me and I AM using CGI in the same script, since it's used for the entire payment process, not just the authorization piece.

I am getting a response back, but can't figure out how to reference the field names and values. Here's the code I have:

 

my $useragent  = LWP::UserAgent->new( protocols_allowed => ["https"] );
 my $url = $merchant->{Payment_URL};  #secure.authorize.net/gateway/transact.dll

 my $request  = POST( $url, $request_values );  

#request values above is the name/value pairs being sent TO authorize.net


 my $response  = $useragent->request( $request );
 
 my @responses  = split( /\Q|/, $response->content );

if( $response->is_success )
{
  
       $apiresponse = $response->content;  
       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);
   
        }
        # split the words using the pipe character (|) as the delimiter.
       @words = split /\Q|/, $apiresponse;
        $response_code = $words[0];

        #additional processing; check response code, hashing, checking hash, etc.


}

 

The code (written by someone else) uses the @words array to find the values by element number. The documentation I found says not to do it that way because the order can change. So, I would like to reference them by name "x_trans_id", "x_SHA2_hash", etc. I just don't know HOW to do that. There is no $Query->param to work with.  So, the names are probably in $responses or $apiresponses or SOMEWHERE. This is what I can't figure out - where/how do I access the field names and get the values - what syntax do I use?  

It's been way too long since I've worked on these scripts!!!

@ePayGov,

Shoot me a message if you want help. We can make this work if the code posted thus far isn’t getting you what you need.

@smorrow123sounds like you’re on the case. One way would be to run a test transaction and input the values blatantly. So for instance if your hash uses the company value, type the name of the company in your dummy transaction as “company”, and do the same for the rest of them so that the value of the array item matches the actual value you’re trying to pull and use for your hash. If there was a way to loopt through the array and output the keys, as there is in php that would make life easier. But this is a good workaround if that can’t be done.

@smorrow123 the $name,$value may be what you need. I think $name may be the key. But I’m a little lost on what you’re doing. There are 2 separate pieces to this hash. One is the fingerprint and the other is the verification. So on this it looks like you’re doing the verification. When you say that they are in a different order, you mean after you convert to a numeric array? I would imagine that authorize sends them to you in the same order every time.

If you try to print $name inside that loop, or however it is in Perl that you output array items in a browser that may be just what you are looking for.

@smorrow123

 

If your just running test payments consider the following.

 

A way to debug is to insert the follwoing code and have the script just exit/abort while at the same time showing the results of what is assigned to $debug.

 

print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;

After you place the above code into a test location of your choice just run a test payment and see what prints out.

 

example1:

 

       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);
$debug.="$name = $val<br>"; ### See what each name=val is
        }
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;
        # split the words using the pipe character (|) as the delimiter.

example2:

 

       @words = split /\Q|/, $apiresponse;
        $response_code = $words[0];

foreach (@words) { $debug.= "$_<br>"; } ### See what is in @words
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;

example3:

 

       foreach $pair(@responses)
       {
              # The next statement splits based on the pipe character: |
              # not sure what this accomplishes since it isn't referenced by name or val
              ($name,$val) = split(/\Q|/,$pair);

              $namedresponses{$name}=$val; ### Place values into a hash which you can reference by name
        }
while (($k,$d) = each(%namedresponses)) { $debug.="$k = $d<br>"; }
print qq~Content-type: text/html\n\n
<html>$debug</html>~;
exit;
        # split the words using the pipe character (|) as the delimiter.

I think the name, value is what I need, too, but the code that's there doesn't even USE those fields! I have no idea what it's doing. And it's splitting the individual pairs by using the pipe character rather than the equals. Should I expect an equals sign?  I think the name/value pairs are separated by pipes but within each pair is there an equals sign that I should be splitting on?

 

All I'm doing at this point (I'm not even AT the point of creating the hash to compare to the one they're sending) is trying to figure out how I can access the individual values that have been returned by specific name.   The existing code is just pulling out the values, and turning them into an array, then certain fields used later are extracted based on array element number. But the instructions for creating this hash says that they have to be in this specific order to generate the hash. I don't know where all those values ARE in the array.

 

So, I'm back to needing to figure out how to get the value associated with a specific field name x_trans_id, etc. I've got some other responses - so I'll check them and see where they take me and also check to see if splitting on the equals sign would help with the name/value pairs.

 

Sorry I'm not explaining myself very well. I've been away from serious programming for long enough that I can't "talk the language" anymore!!

 

Thanks.

I already have the program displaying test values and then exiting - and I just keep going back and forth to try different things. I LOVE the idea of creating the hash and then referencing them that way. I will probably try that.

HOWEVER, as I alluded in my other post - my code splits the response using the pipe character to get the separate name/value pairs, and then for whatever reason, splits the name from the value also using a pipe value. I previously tried to print out a value based on "if $name eq 'x_response_code'" but it didn't find that. SO, should I be splitting on the equals sign? I'm going to give it a try - but our error log is so huge and my speed is so slow, if I get a 500 internal server error, it takes me 15 minutes to download the error log to see what happened!

Thanks for sticking with me. Really appreciate it!!