I'm another confused person and it's only getting worse. I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.
1. The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5. When I do that I get (99) This transaction cannot be accepted. It seems only to work with an MD5 hash (length issue?). Is this a problem in itself? What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?
2. The SIM documentation also says the time must be UTC. That's probably not new but I never converted my local time before. Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.
This is what I'm posting to https://test.authorize.net/gateway/transact.dll:
<input type="hidden" name="x_login" value="3yh8HYWK4ju">
<input type="hidden" name="x_type" value="AUTH_CAPTURE">
<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">
<input type="hidden" name="x_fp_sequence" value="13067697">
<input type="hidden" name="x_fp_timestamp" value="1552437235">
<input type="hidden" name="x_amount" value="26.35">
<input type="hidden" name="x_show_form" value="PAYMENT_FORM">
<input type="hidden" name="x_version" value="3.1">
<input type="hidden" name="x_invoice_num" value="13067697">
<input type="hidden" name="x_description" value="Order Total">
<input type="hidden" name="x_first_name" value="Me">
<input type="hidden" name="x_last_name" value="AlsoMe">
<input type="hidden" name="x_company" value="">
<input type="hidden" name="x_address" value="addr">
<input type="hidden" name="x_city" value="city">
<input type="hidden" name="x_state" value="state">
<input type="hidden" name="x_zip" value="zip">
<input type="hidden" name="x_country" value="United States">
<input type="hidden" name="x_phone" value="5125551212">
<input type="hidden" name="x_email" value="me@gmail.com">
This is how I'm generating the fingerprint:
hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key);
and this is how I generate the hash to compare in the silent post:
$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));
but as noted I have also tried it with the $texttohash preceding the signature key.
I also saw a PHP example on GitHub that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either. Maybe it was for a different method but I don't understand why there would be different fields.
Can anyone spot my doubtless numerous mistakes? Thank you.
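An added example, not part of the original post and not Authorize.Net's code: it shows PHP's `hash_hmac($algo, $data, $key)` argument order with a hex-decoded key, how the digest changes when data and key are swapped, and a constant-time comparison with `hash_equals`. The key, the login placeholder and the helper names `caret_join` and `hmac_hex_key` are constructed for illustration, and the set of fields hashed is an assumption copied from the post's own field list, not taken from the gateway documentation.

```php
<?php
// Added example. Key and login are constructed placeholders, not real credentials.

/** Join fields in the "a^b^c^" form used in the post (trailing caret included). */
function caret_join(array $fields): string
{
    return implode('^', $fields) . '^';
}

/** Uppercase hex HMAC using a hex-encoded key (hypothetical helper). */
function hmac_hex_key(string $algo, string $data, string $hexKey): string
{
    $key = hex2bin($hexKey);              // returns false on odd length or non-hex input
    if ($key === false) {
        throw new InvalidArgumentException('signature key is not valid hex');
    }
    // PHP's order is algorithm, then the message, then the key.
    return strtoupper(hash_hmac($algo, $data, $key));
}

$signatureKeyHex = str_repeat('0123456789ABCDEF', 8); // constructed 128-hex-char key
$login     = 'EXAMPLE_LOGIN';                         // placeholder
$sequence  = '13067697';
$timestamp = (string) time();  // seconds since the Unix epoch, independent of server time zone
$amount    = '26.35';

// Field list assumed from the post; the real list must come from the gateway docs.
$data = caret_join([$login, $sequence, $timestamp, $amount]);

$expected = hmac_hex_key('sha512', $data, $signatureKeyHex);

// Same inputs with message and key swapped: HMAC is not symmetric, so this differs.
$swapped = strtoupper(hash_hmac('sha512', hex2bin($signatureKeyHex), $data));

// Stand-in for a value received in a callback; lowercase to show case handling.
$received = strtolower($expected);

var_dump(strlen($expected));                                  // hex length of a SHA-512 digest
var_dump(strlen(hash_hmac('md5', $data, 'k')));               // hex length of an MD5 digest
var_dump(hash_equals($expected, $swapped));                   // swapped arguments do not match
var_dump(hash_equals($expected, strtoupper($received)));      // constant-time compare, case normalised
```

Normalising case before `hash_equals` matters because the comparison is byte-for-byte; a correct digest in lowercase would otherwise be rejected.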