In an attempt to upgrade from MD5 to the SHA-512-based transHashSHA2, I have created a test transaction using my sandbox account and used the C# sample code to verify that the output of the hash matches the x_SHA2_Hash that comes back in the Silent Post for the transaction, but I have not been able to generate a matching hash.
Steps followed from upgrade guide:
Step 1. Generate a Signature Key and store it in a secure location on your server.
Step 2. Convert the Signature Key into a byte array.
Step 3. Create a message string that starts with a caret ("^"), followed by the following three fields delimited by carets, and terminated with another caret:
• The API Login ID that you send in createTransactionRequest in the name element.
• The transaction ID that we send in createTransactionResponse in the transId element.
• The transaction amount that we send in createTransactionResponse in the amount element.
For example, if your API Login ID is "ANet123", the value of transId is "20987654321", and the value of amount is "9.99", the message string would look like this:
^ANet123^20987654321^9.99^
Step 4. Use HMAC-SHA512 to hash the byte array form of the Signature Key from Step 2 with the message string from Step 3.
Step 5. Compare the value of transHashSHA2 with the output from the HMAC-SHA512 hash mentioned in Step 4.
If my signature key is "828BB6EDE1959", my API Login ID is ABC123, my transaction ID is 0 (because test transactions do not have a transaction ID in the sandbox), and the amount of the payment was $75.00, then using the sample code provided in the upgrade guide I could pass the value generated in step 3, "^ABC123^0^75.00^", and my signature key into HMACSHA512("828BB6EDE1959", "^ABC123^0^75.00^"), and my output should match the x_SHA2_Hash value below, correct?
Array
(
    [x_response_code] => 1
    [x_response_reason_code] => 1
    [x_response_reason_text] => (TESTMODE) This transaction has been approved.
    [x_avs_code] => P
    [x_auth_code] => 000000
    [x_trans_id] => 0
    [x_method] => CC
    [x_card_type] => Visa
    [x_account_number] => XXXX1111
    [x_first_name] =>
    [x_last_name] =>
    [x_company] =>
    [x_address] =>
    [x_city] =>
    [x_state] =>
    [x_zip] =>
    [x_country] =>
    [x_phone] =>
    [x_fax] =>
    [x_email] =>
    [x_invoice_num] => 237
    [x_description] =>
    [x_type] => auth_capture
    [x_cust_id] => GPE6178NY
    [x_ship_to_first_name] =>
    [x_ship_to_last_name] =>
    [x_ship_to_company] =>
    [x_ship_to_address] =>
    [x_ship_to_city] =>
    [x_ship_to_state] =>
    [x_ship_to_zip] =>
    [x_ship_to_country] =>
    [x_amount] => 75.00
    [x_tax] => 0.00
    [x_duty] => 0.00
    [x_freight] => 0.00
    [x_tax_exempt] => FALSE
    [x_po_num] =>
    [x_MD5_Hash] => C13380CAE7E8D7DB47BEAEDE98A5867A
    [x_SHA2_Hash] => 3732810865C43409F22EB2078D3C292FB284A5AAF587F8E091E93D97672F874EDAC7D3D526324E204EA6EFA2506E831FE3BEE7FB6D78113A3F2757C58EAEF0BB
    [x_cvv2_resp_code] =>
    [x_cavv_response] =>
    [x_test_request] => true
    [signature_key] => 828BB6EDE1959
    [ref1type1] =>
    [ref1val1] => l
    [payment_type] => AUTHORIZE_NET
    [email] =>
)
01-16-2019 11:23 AM
Who the fck knows at this point. Even the Admins don't understand their own software.
That's the parameter I've been using. It's the same length as it should be. The old MD5 is much shorter. I'm at the point where I am brute-forcing different methods in a loop until I get one that matches what is in the request.
So far no combination of encodings, algorithms, or hashes is working for me.
I have my test mode off though so I do get a transaction ID.
This has literally been my whole day, at work, just GUESSING at how their API works when they could just fcking tell us.
Where did that admin go that came in and ignored all of us and answered that stupid question only one person cared about?
01-16-2019 12:00 PM - edited 01-16-2019 12:09 PM
I tried this out and it works for me:
SIM Guidebook
https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf
Page 73
The message format in the upgrade guide is wrong: it says to hash 3 values, but what works is hashing the 30 values from the guidebook.
^x_trans_id^x_test_request^x_response_code^x_auth_code^x_cvv2_resp_code^x_cavv_response^x_avs_code^x_method^x_account_number^x_amount^x_company^x_first_name^x_last_name^x_address^x_city^x_state^x_zip^x_country^x_phone^x_fax^x_email^x_ship_to_company^x_ship_to_first_name^x_ship_to_last_name^x_ship_to_address^x_ship_to_city^x_ship_to_state^x_ship_to_zip^x_ship_to_country^x_invoice_num^
01-16-2019 12:13 PM - last edited on 01-16-2019 02:04 PM by RichardH
I've been working on this since Monday, I am SO far behind on work now.
01-16-2019 12:14 PM
See, I'm using that 30-value hash and it's still not matching. What language are you doing this in?
Could you post your code?
[2019-01-16 15:40:21,407] [ERROR] HASH FROM AUTHNET: [ADFF7886B744A98CD885C6A4C9CCB86883D6CFF56C906D1DAB7ECA2CA6BA0D881B21724074CD0E12D742F2CF2364A2C1D25B1F2F0B4B134ACFEF9A6160D1E894]
[2019-01-16 15:40:21,409] [DEBUG] Attempting to hash string [^40024018324^false^1^29TOL3^P^2^Y^CC^XXXX2222^0.20^^^^^^^^^^^^^^^^^^^^^] with SecretKey [BF99E1A8A726AD3789D4E15F6041F65F8438055880DFE7DBF4B82819B0355BF815E425202397F3FF78A4D2BD6F8DC3998168D294A3416C0C00DA399A1203052A] with Algorithm [HmacSHA512]
[2019-01-16 15:40:21,409] [ERROR] Encoding [ASCII] Algorithm [HmacSHA512] Hash[^40024018324^false^1^29TOL3^P^2^Y^CC^XXXX2222^0.20^^^^^^^^^^^^^^^^^^^^^] Result: [F420E686C636534A1CB1494F6EB3B2C036F4B986ADE8F09D01C86B46FB84F589CB99041726084A6ED182D7F1BDE4B2B110FD05F4C3A2153903EBC72238679C97]
01-16-2019 12:45 PM
The link to the SIM guide resolves to 404.
I tried hashing the 30 values but am not getting the correct match.
Also, what should be included instead of "x_fp_hash" in the POST call that redirects to the hosted payment page? Or should we still be sending the "x_fp_hash" value, but computed with HmacSHA512 instead of HmacMD5 using the same format: x_login^x_fp_sequence^x_fp_timestamp^x_amount^
01-16-2019 01:57 PM
The guide is back. There must be so many people resorting to a deprecated guide because the staff are useless.
But just in case, save the PDF to your desktop.
01-16-2019 02:08 PM
We edited the post to remove some extra characters in the URL and added a link to #page=73.
Richard
01-16-2019 05:08 PM
What post?
What link?
Could you explain what you exactly changed instead of just saying "I changed something, go find it"?
Page 73 of the SIM guide still looks the same and says last edited in September 2017.
01-17-2019 06:25 AM
@lightwave365 PHP
<?php
// Step 1. Generate a Signature Key and store it in a secure location on your server.
$signature_key = '1111111'; // placeholder; use the hex Signature Key from the Merchant Interface

// Step 2. Convert the Signature Key into a byte array.
$key = hex2bin($signature_key);

// Step 3. Create a message string that starts with a caret ("^"), followed by the
// fields delimited by carets, and terminated with another caret.
// The upgrade guide lists only three fields (the API Login ID sent in the name element,
// the transId and the amount from createTransactionResponse), but what matches
// x_SHA2_Hash is the 30-field format on page #73 of the SIM Guidebook:
// ^x_trans_id^x_test_request^x_response_code^x_auth_code^x_cvv2_resp_code^x_cavv_response^x_avs_code^x_method^x_account_number^x_amount^x_company^x_first_name^x_last_name^x_address^x_city^x_state^x_zip^x_country^x_phone^x_fax^x_email^x_ship_to_company^x_ship_to_first_name^x_ship_to_last_name^x_ship_to_address^x_ship_to_city^x_ship_to_state^x_ship_to_zip^x_ship_to_country^x_invoice_num^
// EX: ^0^true^1^000000^^^P^CC^XXXX1111^75.00^^^^^^^^^^^^^^^^^^^^237^
$fields = array(
    'x_trans_id', 'x_test_request', 'x_response_code', 'x_auth_code',
    'x_cvv2_resp_code', 'x_cavv_response', 'x_avs_code', 'x_method',
    'x_account_number', 'x_amount', 'x_company', 'x_first_name',
    'x_last_name', 'x_address', 'x_city', 'x_state', 'x_zip', 'x_country',
    'x_phone', 'x_fax', 'x_email', 'x_ship_to_company',
    'x_ship_to_first_name', 'x_ship_to_last_name', 'x_ship_to_address',
    'x_ship_to_city', 'x_ship_to_state', 'x_ship_to_zip',
    'x_ship_to_country', 'x_invoice_num',
);
$message = '^';
foreach ($fields as $field) {
    // a field the gateway did not send contributes an empty string
    $message .= (isset($_REQUEST[$field]) ? $_REQUEST[$field] : '') . '^';
}

// Step 4. Use HMAC-SHA512 to hash the byte array form of the Signature Key from Step 2
// with the message string from Step 3.
$hashed_value = strtoupper(hash_hmac('sha512', $message, $key));

// Step 5. Compare the value of x_SHA2_Hash with the output from the HMAC-SHA512 hash
// mentioned in Step 4 (hash_equals avoids a timing side channel in the comparison).
$posted_hash = isset($_REQUEST['x_SHA2_Hash']) ? strtoupper($_REQUEST['x_SHA2_Hash']) : '';
if (!hash_equals($hashed_value, $posted_hash)) {
    // hash mismatch: do not trust this Silent Post
}
For the FP: @Manu
// Note: $signature_key is a required parameter after the optional $x_currency_code;
// PHP 8 deprecates that ordering, so pass an explicit currency code (or "") when calling.
protected function CalculateFP($x_login, $x_amount, $x_fp_sequence, $x_fp_timestamp, $x_currency_code = "", $signature_key)
{
    // same field order as the MD5 fingerprint: x_login^x_fp_sequence^x_fp_timestamp^x_amount^x_currency_code
    $data_to_hash = $x_login . "^" . $x_fp_sequence . "^" . $x_fp_timestamp . "^" . $x_amount . "^" . $x_currency_code;
    return hash_hmac('sha512', $data_to_hash, hex2bin($signature_key));
}
01-17-2019 06:42 AM
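For readers working in another language, here is the same 30-field x_SHA2_Hash verification as an added Python example; it is not code from the thread or from Authorize.net. The field order is the page 73 list quoted above, the sample post values are taken from the sandbox dump earlier in the thread, and `SAMPLE_KEY` is a constructed placeholder rather than a real Signature Key. It also checks that the key decodes cleanly before use, since an odd-length hex string (the way the key was pasted in the first post) cannot be converted to bytes at all.

```python
"""Verify Authorize.net's x_SHA2_Hash over the 30-field SIM message."""
import hashlib
import hmac

# Field order from page 73 of the SIM Guidebook, as quoted in the thread.
SHA2_FIELDS = (
    "x_trans_id", "x_test_request", "x_response_code", "x_auth_code",
    "x_cvv2_resp_code", "x_cavv_response", "x_avs_code", "x_method",
    "x_account_number", "x_amount", "x_company", "x_first_name",
    "x_last_name", "x_address", "x_city", "x_state", "x_zip", "x_country",
    "x_phone", "x_fax", "x_email", "x_ship_to_company",
    "x_ship_to_first_name", "x_ship_to_last_name", "x_ship_to_address",
    "x_ship_to_city", "x_ship_to_state", "x_ship_to_zip",
    "x_ship_to_country", "x_invoice_num",
)

def build_message(post):
    """Leading caret, the 30 values caret-delimited, trailing caret.
    A field absent from the post contributes an empty string."""
    return "^" + "^".join(post.get(f, "") for f in SHA2_FIELDS) + "^"

def key_is_well_formed(hex_key):
    """The Signature Key is hex; bytes.fromhex() (like PHP hex2bin) rejects an
    odd number of digits, the usual symptom of a truncated or mis-pasted key."""
    try:
        return len(bytes.fromhex(hex_key)) > 0
    except ValueError:
        return False

def compute_sha2_hash(hex_key, post):
    """HMAC-SHA512 keyed with the raw key bytes, upper-case hex like the gateway."""
    mac = hmac.new(bytes.fromhex(hex_key), build_message(post).encode("utf-8"),
                   hashlib.sha512)
    return mac.hexdigest().upper()

def verify_sha2_hash(hex_key, post):
    """Constant-time comparison against the posted x_SHA2_Hash."""
    received = post.get("x_SHA2_Hash", "").upper()
    return hmac.compare_digest(compute_sha2_hash(hex_key, post), received)

# Constructed sample: field values from the sandbox dump in the thread and a
# placeholder key (the real key is the hex string from the Merchant Interface).
SAMPLE_KEY = "AB" * 64  # placeholder, not a real Signature Key
SAMPLE_POST = {
    "x_trans_id": "0", "x_test_request": "true", "x_response_code": "1",
    "x_auth_code": "000000", "x_avs_code": "P", "x_method": "CC",
    "x_account_number": "XXXX1111", "x_amount": "75.00", "x_invoice_num": "237",
}
```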