I've created a Signature Key but there is no data in x_SHA2_Hash when using Silent Post.
What is required to get the x_SHA2_Hash field to be populated?
02-01-2019 10:48 AM
02-26-2019 03:24 PM
I completely agree that the fix will need to be done for the fingerprint post to them, but since I can see their hash data with the silent post back, I was starting there; when I get that to work I was moving on to fix the fingerprint that I post to them. I know this is a bit backwards, but I hate the 99 error code messages with no details to even look at as to why it errored.
02-26-2019 03:32 PM
02-26-2019 08:16 PM
Thank you! I'd love some. Mostly just to confirm what that hashed string is since if I know that is right then I focus on my server side scripting (coldfusion) on what it's doing wrong.
02-27-2019 05:35 AM
Here it is:
Your string is all of those 30 values in the response, enclosed in carets. Here is the php list that I used. In this exact order (reading left to right, top to bottom) my hash matches. Note that this is just a piece of the code I used and at this point I had not attached response values to them. You can ignore the =>' ' as this is php syntax for empty array values (later on in my code I add the values to each key, i.e. 'x_amount' => '80.00'). You can cross reference my list of fields with yours if that is helpful. I haven't compared what I have, line by line, with what you have. This will get you the verification piece.
$response = array(
    'x_trans_id'=>'','x_test_request'=>'','x_response_code'=>'',
    'x_auth_code'=>'','x_cvv2_resp_code'=>'', 'x_cavv_response'=>'',
    'x_avs_code'=>'','x_method'=>'','x_account_number'=>'','x_amount'=>'',
    'x_company'=>'','x_first_name'=>'','x_last_name'=>'','x_address'=>'',
    'x_city'=>'','x_state'=>'','x_zip'=>'','x_country'=>'','x_phone'=>'',
    'x_fax'=>'','x_email'=>'','x_ship_to_company'=>'',
    'x_ship_to_first_name'=>'','x_ship_to_last_name'=>'',
    'x_ship_to_address'=>'','x_ship_to_city'=>'', 'x_ship_to_state'=>'',
    'x_ship_to_zip'=>'','x_ship_to_country'=>'', 'x_invoice_num'=>'');
I ran the following from your post (didn't use currency on the verification test)
<form action="https://test.authorize.net/gateway/transact.dll" method="post">
<input type="HIDDEN" name="x_fp_sequence" value="123">
<input type="HIDDEN" name="x_fp_timestamp" value="<?=$timeStamp;?>">
<input type="HIDDEN" name="x_fp_hash" value="<?=$digest;?>">
<input type="HIDDEN" name="x_login" value="<?=$login;?>">
<input type="HIDDEN" name="x_show_form" value="PAYMENT_FORM">
<input type="HIDDEN" name="x_amount" value="<?=$amount;?>">
<input type="HIDDEN" name="x_method" value="CC">
<input type="HIDDEN" name="x_type" value="AUTH_CAPTURE">
<input type="HIDDEN" name="x_invoice_num" value="28897">
<input type="HIDDEN" name="x_description" value="this is a test">
<input type="HIDDEN" name="x_cust_id" value="12234">
<input type="HIDDEN" name="x_company" value="Testing">
<input type="HIDDEN" name="x_first_name" value="tfn">
<input type="HIDDEN" name="x_last_name" value="fln">
<input type="HIDDEN" name="x_address" value="123 test">
<input type="HIDDEN" name="x_city" value="somewhere">
<input type="HIDDEN" name="x_state" value="mn">
<input type="HIDDEN" name="x_zip" value="55744">
<input type="HIDDEN" name="x_phone" value="111-111-1111">
<input type="HIDDEN" name="x_email" value="test@testing.com">
<input type="HIDDEN" name="x_po_num" value="">
<input type="HIDDEN" name="x_duplicate_window" value="28800">
<input type="HIDDEN" name="x_country" value="US">
<input type="HIDDEN" name="x_header_html_payment_form" value="">
<input type="HIDDEN" name="x_footer_html_payment_form" value="If you have any difficulty or questions please call customer support at ">
<input type="HIDDEN" name="x_customer_ip" value="10.1.1.136">
<input type="HIDDEN" name="header_html" value="">
<input type="HIDDEN" name="return_url" value="">
<input type="hidden" name="x_test_request" value="TRUE">
<input type="SUBMIT" value="Click here to pay with a credit card securely on-line">
</form>
The html value attributes enclosed in < and ? are php variables. You can insert your own values there, for login, timestamp, etc. I changed sequence to 123. On my dummy hosted form, I clicked the box to add the billing info to the shipping info. Here is the resulting string:
^0^true^1^000000^^^P^CC^XXXX1111^80.00^Testing^tfn^fln^123test^somewhere^mn^55744^US^111-111-1111^^test@testing.com^Testing^tfn^fln^123 test^somewhere^mn^55744^US^28897^
For the fingerprint piece, this is the correct string:
$string = "$login^$sequence^$timeStamp^$amount^$currency";
// or, if you don't use currency:
$string = "$login^$sequence^$timeStamp^$amount^";
All of these strings have been tested and work. The double quotes " " that enclose the variables are php syntax to indicate the value is to be passed as a string. You will use the equivalent in coldfusion. The printed string is this: 9785858855^123^1551233723^80.00^USD, where you replace 9785858855 with your API login, and you replace 1551233723 with your timestamp.
This should get you there. If you follow this and have problems, you want to look two places, 1: your hashing function, and 2: your signature key. The strings have been tested and will work in any language, assuming you use the proper syntax for that language. sha512 is sha512, independent of any programming language. For your signature key, it is a little tricky. You have to convert to binary, and in some languages, you have to convert to a byte array. In php the byte array step isn't necessary. To the best of my knowledge you have to convert to binary in any language you use.
I think this will solve your issue. Good luck to you. I'll be on later tonight or tomorrow.
02-27-2019 02:16 PM
Good Evening @Renaissance
I am happy to report that my signature to auth.net is working great! Which that is a simple string BUT I still can't get it to match what I get back from sandbox silent post. I even go so far as to clear all the customer names, addresses on the payment form so the only data is x_trans_id, x_test_request, X_AUTH_CODE, x_account_number, x_amount, and x_invoice_num which results in a string that looks like
^0^true^1^000000^^^p^CC^XXXX0027^0.01^^^^^^^^^^^^^^^^^^^^28903^
hash that with my sandbox secret key 3C1EB299A018A14705F20F658AB976B54C2AB964C97D7B8B131D1A94DE56BBF746E6DEC29208E774AAA92BAC77386EDA45078C491A96A251E89929BB8D2DC07B
and get
BFC242C18923FEA47E715981638A7F6109B31D9E2FA7CE74E0D315396781B123A9ECA8FD8B97DD419AB24A63C4AAE90220D47B898D9354066C473B251943D78B
and I've tried
^0^false^1^000000^^^p^CC^XXXX0027^0.01^^^^^^^^^^^^^^^^^^^^28903^ just in case the x_test_request data was the problem
resulting in
2AB9245D8A278AE91DC6A6D0ECAE093C792A535E54E3AEA2453398B994D5629C85023B7A1AA7718CE38E64F87EE0D0E93CB0401ACB2C711BE573CC023CA64475
however sandbox auth.net posts to us
21735240CE6E81C9BFF7FF16980B7A6974B15BF0CA9608A35892F237A1812B02E9A152630201D055361569EB4F28015CB58A8671875FEF4DFF4F69826CC0F35B
which clearly doesn't match either option.
02-27-2019 03:07 PM - edited 02-27-2019 03:17 PM
Are you manually constructing this string, based on what you send in the request? What you want to do is have it done dynamically based on the response. So the response comes in, you capture it with a programming script and then your programming script constructs the string and performs the hash validation. So the logic (not the actual programming script) would go like this-
-You capture the response.
-The relevant values are extracted and used to construct the string.
-You perform the hash using the string and signature key
-You compare your hash to the auth.net hash
-If the hash matches, you do one thing say for instance mark an order as paid, record transId, etc.
-If the hash doesn't match you don't mark the order as paid bc the response wasn't from auth.net. You may choose to have a db table where the ip address of the unverified entity posting to your url is stored.
The reason I ask is it looks to me like you're plugging your own values in. If you take the ^p^ from your string and make it ^P^ you will get the exact same hash. I just did on my first try. If you automate things you have no risk of the string being constructed differing from the string used to perform the hash given in the response. Any difference whatsoever will cause your entire hash not to match. P to p will make every single character different.
02-27-2019 05:41 PM
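The verification flow from the two replies above (the 30-field caret string, then capture, construct, hash, compare), as an added example that is not code from any poster in this thread. It assumes the hash is HMAC-SHA512 keyed with the hex-decoded signature key; the function names, the key and the sample response are constructed for illustration.

```php
<?php
// Added example, not from the thread. Field order follows the list posted above.
const HASH_FIELDS = [
    'x_trans_id', 'x_test_request', 'x_response_code', 'x_auth_code',
    'x_cvv2_resp_code', 'x_cavv_response', 'x_avs_code', 'x_method',
    'x_account_number', 'x_amount', 'x_company', 'x_first_name',
    'x_last_name', 'x_address', 'x_city', 'x_state', 'x_zip', 'x_country',
    'x_phone', 'x_fax', 'x_email', 'x_ship_to_company',
    'x_ship_to_first_name', 'x_ship_to_last_name', 'x_ship_to_address',
    'x_ship_to_city', 'x_ship_to_state', 'x_ship_to_zip',
    'x_ship_to_country', 'x_invoice_num',
];

function build_hash_string(array $post): string
{
    $values = [];
    foreach (HASH_FIELDS as $field) {
        // Take each value exactly as posted: no trimming, no case changes.
        $values[] = is_scalar($post[$field] ?? null) ? (string) $post[$field] : '';
    }
    return '^' . implode('^', $values) . '^';
}

function verify_silent_post(array $post, string $signatureKeyHex): bool
{
    $received = $post['x_SHA2_Hash'] ?? null;
    // Reject a missing or non-string hash and a key that is not valid hex.
    if (!is_string($received) || !ctype_xdigit($signatureKeyHex)
        || strlen($signatureKeyHex) % 2 !== 0) {
        return false;
    }
    // Assumption: HMAC-SHA512 keyed with the binary form of the hex key.
    $expected = hash_hmac('sha512', build_hash_string($post), hex2bin($signatureKeyHex));
    // Constant-time comparison; hex case is normalised on both sides.
    return hash_equals(strtoupper($expected), strtoupper($received));
}

// Constructed sample: made-up key, response signed locally in place of the gateway.
$key  = str_repeat('0A', 64);
$post = ['x_trans_id' => '0', 'x_test_request' => 'true', 'x_response_code' => '1',
         'x_auth_code' => '000000', 'x_avs_code' => 'P', 'x_method' => 'CC',
         'x_account_number' => 'XXXX0027', 'x_amount' => '0.01',
         'x_invoice_num' => '28903'];
$post['x_SHA2_Hash'] = hash_hmac('sha512', build_hash_string($post), hex2bin($key));
var_dump(verify_silent_post($post, $key));                         // untouched response
var_dump(verify_silent_post(['x_avs_code' => 'p'] + $post, $key)); // one field's case changed
```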
Good Morning @Renaissance
LOL aah no it's created based on the post back data I've received from auth.net. I've been a systems developer for over 20 years working with AWS (s3 especially), auth.net, and even developed many APIs myself. I'm very fluent in hashed signatures and how they work. In my test file I just output my string that I am hashing that I copy pasted.
So if I hear what you're saying, they convert the data to upper case THEN hash. Okay, let me try that.
02-28-2019 04:53 AM
02-28-2019 06:56 AM
I am having exactly the same problem. I use the SIM/Silent Post method. I have no problem creating a fingerprint, but when AuthorizeNet performs a silent post, the x_SHA2_Hash supplied by AuthorizeNet does not match the hash I generate. I generate the hash exactly the same way as described by Xero here (https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/t...).
Here is my prehash text:
^0^true^1^000000^^^P^CC^XXXX1111^150.00^^Tom^^^^^^^^^^^^^^^^^^^
Here is my hash key (aka signature key)
68893D1ADBE8C4BB224E669277FDAC633764FAC718CD52191B00FEDBEEFDBD10A4B439833B820E83F30D543B00E3CEED179816EEC49059D4558225542656EE3E
Here is hash I generated using signature key and prehashed text
301A8B576EF13ED93F361F58F13892210025FD8B91173523165BCED70D132FE63EAC597C873EAE38AEE1512BEDDB275DC098280FDC0AC8A644F81C8E5BD8CEDB
and here is what AuthorizeNet supplies in x_SHA2_Hash
A0766F9B5248395D86566359EC8B1629268DB026D17D16252287F2169B735AEA2ADA557B733E88F0C53D9F38F278DE6F2BAD4550CE72F8A5E06ACA7B30925DF6
What am I missing?
02-28-2019 08:41 AM