I am trying to upgrade from MD5 to the new hash method as described here:- https://developer.authorize.net/support/hash_upgrade
We are using SIM still do in addition I read the guide at https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD.... This second link seems to talk about generating the fingerprint with more values than the first link above does, more similar to how wo do MD5 currently.
I’m having trouble validating matching the value I submit to what is returned in the response. Note: We need this to work with SIM as we can’t upgrade to the new API currently.
I am creating the hash using the new method and submitting it to the x_fp_hash during the post. I assume my x_fp_hash is correct because I was previously getting error 99’s which is a fingerprint error, but no longer do.
The response comes back after doing the payment in the x_SHA2_Hash field. It doesn't compare to x_fp_hash. So I thought there is more to this. Looking in the SIM guide, on page 73 at https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf it mentions generating a hash from 30 fields.
I've done this and it still doesn't compare to x_SHA2_Hash. So I assume I am doing something wrong, but not sure. The documentation doesn't really give any examples of how to do this so I am uncertain what my issue is.
Solved! Go to Solution.
01-14-2019 03:58 AM
01-22-2019 09:29 AM
For our DPM website, we used @stw's solution, instead of @Renaissance's, because Renaissance's requires the latest AuthorizeNet PHP library, which requires PHP version 5.6, which would require re-writing our entire website.
In step 1, stw's solution calls the PHP function base_convert, which did not work for us. Both hex2bin and pack worked. We used pack because hex2bin isn't available in our version of PHP.
Note that @stw's solution will fail in "2-3 months" because AuthorizeNet plans to stop sending the MD5 Hash in the API response:
https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement
So we don't do this part of @stw's solution:
$response = new AuthorizeNetSIM($apiLoginID, $md5Setting);
Instead, we simply check if the transaction was approved, x_response_code === '1'.
Unfortunately, this exposes us to the risk of an imposter posing as AuthorizeNet.
So, to make the site a little harder to hack, we added a our own hash to an HTML hidden field, and check the value when it comes back in the AuthorizeNet API response. So while we can't be sure the response came from AuthorizeNet, we'll know if the custom hash came from our server.
01-22-2019 12:16 PM
01-22-2019 12:28 PM
Thanks @Renaissance, but it took @cwdsl so long to figure out that solution, and it's so complicated, it scared me off. It took me a few days just to get @stw's far simpler solution to work :-(
01-22-2019 03:11 PM
@capturewiz, my implementation only took a little while because I was incorrectly reading in the 30 values that need to be compared for the x_SHA2_hash. Overall the VB.NET sample for the SIM integration I did was relatively simple to do once I gathered information together. Hopefully the sample I posted will help others, although I have no knowledge of PHP so can't help any further in that regard.
01-23-2019 01:21 AM
Thank you very much! I attempted to upgrade SIM for SHA512 by simple modifications to my old, working MD5 code, but got code 99 errors. The fact that SIM documentation and upgrade documentation are inconsistent added to my consternation. I adopted your code and now things are working as expected, at least in the sandbox.
I would add kudos if I could find a way to do that in this message window.
02-13-2019 10:09 AM
holy sh*tballs! thank you @stw ... your code got me going again!
I had to use pack() instead.. but I only needed this to work for like 1 more month! lol
Wish Authorize had waited till May to switch :)
03-06-2019 05:18 PM
Has anyone actually tested calculating the response hash where some of the fileds contain none ASCII characters?
For example in one the address fields I have
Sãu Paulo
When calculating the hash it never matches.
However my hash matches when the fields contain ASCII characters only.
How do I get round this issue? Our intergation is written in PHP.
03-08-2019 06:54 AM
@staopix, the same happens for me with my VB.NET solution.
When I look at the value for x_city by returning Request.Params("x_city") it outputs...
S�u Paulo
So the fact it is returning the ? character I don't actually know how we'd know what character was there.
03-08-2019 07:21 AM
Based off there example C# in the PDF they reference the ASCII encoding class. Whcih can be found here: https://docs.microsoft.com/en-us/dotnet/api/system.text.asciiencoding?view=netframework-4.7.2
based of the example in that documentation the soloution seems to be that if the character cannot be represented in ASCII the a ? will be used. Which is what you are seeing. However I have tried to do this in PHP and cannot get it to work.
And the response from the API has the correct encoding too. I think their hash algorithm on their server side is doing something unexpected to the multibyte chars and its a case of us trying to second guess it.
03-08-2019 07:26 AM - edited 03-08-2019 07:41 AM