Solution
Accepted by topic author mojenals
‎02-25-2019 05:48 PM
Regular Contributor
Posts: 63
Registered: ‎05-29-2015

Re: Coldfusion SIM HMAC-SHA512 Update

Here is code that works in CF/Lucee.

authSignature = the signature key

message = Built message from API, CIM, AIM or whatever.

key=binaryDecode(authSignature, "hex" );
hashResult = hmac(message, key, 'HMACSHA512');
Member
Posts: 7
Registered: ‎01-14-2015

Re: Coldfusion SIM HMAC-SHA512 Update

Not sure if you still need this, but I was able to get this to work. The signature key is in a hex format and the toBinary function is expecting base64 data. The binaryDecode function though allows you to specify that the data is hex. So your HMAC script should look like this:

 

<cfset authNetHexSignatureKey = "REMOVED_FROM_CODE" />
<cfset authNetBinarySignatureKey = binaryDecode(authNetHexSignatureKey, "hex") />
<cfset digest=HMAC("#authNetLogin#^#sequence#^#fp_timestamp#^#x_amount#^","#authNetBinarySignatureKey#","HMACSHA512")>

 

This worked for me.

Member
Posts: 7
Registered: ‎01-23-2019

Re: Coldfusion SIM HMAC-SHA512 Update

[ Edited ]

I appreciate your help @kabutotx and @deanlaw.

 

@kabutotx , the use of binaryDecode() was the solution.

@deanlaw , thank you for pointing out the difference between binaryDecode() and toBinary()

 

I have updated our CF code and successfully removed the PHP script.

 

Thanks!

 

Contributor
Posts: 24
Registered: ‎02-26-2019

Re: Coldfusion SIM HMAC-SHA512 Update

Hi @deanlaw 

 

What version of CF are you using?  I'm attempting to get this working also and so far no go with CF 10 BUT

 

I'm using Auth.net sandbox

I'm also just using what is called the Silent Post Url which means auth.net posts data to my site and so I'm attempting to generate this hashed string and compare that to the value from Auth.net form field X_SHA2_HASH.

 

It's not very clear what the hashed string should be but I believe it needs to be constructed of the 30 form fields separated by ^ and maybe a trailing ^ or prepended ^ or both. I've tried all 4 options and so far my result doesn't match but no clue if the problem is CF10 or auth.net sandbox or me.  So any clues would be appreciated.

Regular Contributor
Posts: 63
Registered: ‎05-29-2015

Re: Coldfusion SIM HMAC-SHA512 Update

It should work with CF 10+.  The hmac function is the newest and CF 10+.
(There is a CF_HMAC addon available that might work for older CF) I see you are following the other thread on the Silent Post URL.  I am using the API version for CF.  Each API builds a different message, so check with that API.

Member
Posts: 7
Registered: ‎01-14-2015

Re: Coldfusion SIM HMAC-SHA512 Update

@MinneSnowtain I am using ACF 2016. I also have ACF 11 running on another server, which I have not tested yet, but it should work the same.

 

If you look at this guide, SIM Guide, starting at the bottom of page 29, it outlines what the fingerprint is comprised of. "x_login^x_fp_sequence^x_fp_timestamp^x_amount^". There is also a 5th field that you can use, which is for currency, which looks like this: "x_login^x_fp_sequence^x_fp_timestamp^x_amount^US" (notice, no trailing caret). You can see this in example 2 on page 30. You would then use your binary converted Session Key (not your Transaction Key) to generate the SHA512 hash.

 

<cfset authNetHexSignatureKey = "REMOVED_FROM_CODE" />
<cfset authNetBinarySignatureKey = binaryDecode(authNetHexSignatureKey, "hex") />
<cfset digest=HMAC("#x_login#^#x_fp_sequence#^#fp_timestamp#^#x_amount#^","#authNetBinarySignatureKey#","HMACSHA512")>

 

Also, after generating the digest variable above, I submit it using the x_fp_hash field. I don't know if this is different using the Silent Post feature.

 

Hope this helps.

Contributor
Posts: 24
Registered: ‎02-26-2019

Re: Coldfusion SIM HMAC-SHA512 Update

[ Edited ]

Thank you @deanlaw  and @kabutotx 

 

So @kabutotx did you try using CF10? or are you just guessing that it should work?

 

Unfortunately I'm not using the API and I'm not sending this hashed result but comparing my hash result with what I get posted (just a regular ole form post) from auth.net.  Unfortunately the string that Auth.net uses to hash is a bit of a mystery to me which makes this harder yet.

Regular Contributor
Posts: 63
Registered: ‎05-29-2015

Re: Coldfusion SIM HMAC-SHA512 Update

Didn't try CF 10 but hmac builtin function was added to CF at that version.

I assume you are using the old SIM API, so follow what @deanlaw posted above.

Contributor
Posts: 24
Registered: ‎02-26-2019

Re: Coldfusion SIM HMAC-SHA512 Update

I am happy to report that my posted signature TO auth.net is valid using:

 

<cfset authNetBinarySignatureKey = binaryDecode(x_secret_key,"hex") />
<cfset x_fp_hash=HMAC("#x_login#^#x_fp_sequence#^#x_fp_timestamp#^#x_amount#^#x_currency_code#","#authNetBinarySignatureKey#","HMACSHA512")>

 

Now if only I could validate what sandbox returns back to me via the silent post.

 

This now confirms there is something wrong with the string I create that is hashed.

 

So far this is what I've tried

<cfset stringToHash="">
<cfset stringToHash="#stringToHash##form.x_trans_id#">
<cfset stringToHash="#stringToHash#^#form.x_test_request#">
<cfset stringToHash="#stringToHash#^#form.x_response_code#">
<cfset stringToHash="#stringToHash#^#form.x_auth_code#">
<cfset stringToHash="#stringToHash#^#form.x_cvv2_resp_code#">
<cfset stringToHash="#stringToHash#^#form.x_cavv_response#">
<cfset stringToHash="#stringToHash#^#form.x_avs_code#">
<cfset stringToHash="#stringToHash#^#form.x_method#">
<cfset stringToHash="#stringToHash#^#form.x_account_number#">
<cfset stringToHash="#stringToHash#^#form.x_amount#">
<cfset stringToHash="#stringToHash#^#form.x_company#">
<cfset stringToHash="#stringToHash#^#form.x_first_name#">
<cfset stringToHash="#stringToHash#^#form.x_last_name#">
<cfset stringToHash="#stringToHash#^#form.x_address#">
<cfset stringToHash="#stringToHash#^#form.x_city#">
<cfset stringToHash="#stringToHash#^#form.x_state#">
<cfset stringToHash="#stringToHash#^#form.x_zip#">
<cfset stringToHash="#stringToHash#^#form.x_country#">
<cfset stringToHash="#stringToHash#^#form.x_phone#">
<cfset stringToHash="#stringToHash#^#form.x_fax#">
<cfset stringToHash="#stringToHash#^#form.x_email#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_company#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_first_name#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_last_name#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_address#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_city#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_state#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_zip#">
<cfset stringToHash="#stringToHash#^#form.x_ship_to_country#">
<cfset stringToHash="#stringToHash#^#form.x_invoice_num#">

 

That string did not result in a match.

 

same string as above but added

<cfset stringToHash="#orgstringToHash#^">

it did not match

 

same as original string but added

<cfset stringToHash="^#orgstringToHash#">

it did not match

 

same as original string but added

<cfset stringToHash="^#orgstringToHash#^">

it did not match

 

 

 

 

Regular Contributor
Posts: 63
Registered: ‎05-29-2015

Re: Coldfusion SIM HMAC-SHA512 Update

[ Edited ]

Per page 73, it is ^field and an ending ^.  So each of your form. fields should start with a ^ and then the data, and the whole thing (string of all form fields) should end with a ^.
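
The Silent Post check discussed in the last two posts, written out as an added example (not code from any poster or from Authorize.Net). The function names are hypothetical, the field order is the one listed earlier in the thread, and the "^field ... ^" layout is the page-73 rule quoted above; neither has been verified here against the gateway.

```cfml
<cfscript>
// Added example. Field order copied from the list posted in this thread.
silentPostFields = [
    "x_trans_id", "x_test_request", "x_response_code", "x_auth_code",
    "x_cvv2_resp_code", "x_cavv_response", "x_avs_code", "x_method",
    "x_account_number", "x_amount", "x_company", "x_first_name",
    "x_last_name", "x_address", "x_city", "x_state", "x_zip", "x_country",
    "x_phone", "x_fax", "x_email", "x_ship_to_company",
    "x_ship_to_first_name", "x_ship_to_last_name", "x_ship_to_address",
    "x_ship_to_city", "x_ship_to_state", "x_ship_to_zip",
    "x_ship_to_country", "x_invoice_num"
];

// Builds "^value1^value2...^value30^": every field is preceded by a caret
// and the whole string ends with one.
function buildSilentPostMessage(required struct post, required array fieldNames) {
    var message = "";
    var name = "";
    for (name in fieldNames) {
        // A field absent from the post still contributes its "^" with an empty value.
        message &= "^" & (structKeyExists(post, name) ? post[name] : "");
    }
    return message & "^";
}

// Returns true only when the posted x_SHA2_Hash matches our own HMAC-SHA512.
function isValidSilentPost(required struct post, required string hexSignatureKey) {
    // The signature key is hex text: binaryDecode(..., "hex"), not toBinary() (base64).
    var key = binaryDecode(hexSignatureKey, "hex");
    var expected = hmac(buildSilentPostMessage(post, silentPostFields), key, "HMACSHA512");
    var received = structKeyExists(post, "x_SHA2_Hash") ? trim(post["x_SHA2_Hash"]) : "";
    // Normalise case, then compare as bytes with the JDK's constant-time
    // MessageDigest.isEqual rather than a string equality operator.
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(
        charsetDecode(uCase(expected), "utf-8"),
        charsetDecode(uCase(received), "utf-8")
    );
}

// Usage on the Silent Post page (signatureKeyHex is loaded from configuration):
//   if (NOT isValidSilentPost(form, signatureKeyHex)) { /* reject the post */ }
</cfscript>
```

Treat a failed check as an untrusted post: log it and do not update the order from its fields.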