Search

OUR API

API Developer Guides API Reference Sample Code [on GitHub]
SDKs [on GitHub] API Change Log System Change Log
Upgrade Guide

Hello World

Get Started Common Setup Questions How Payments Work
Testing Guide Go-Live Checklist

Support

Get Support News and Announcements Forums
Authorize.Net on GitHub Authorize.Net on Stack Overflow Developer Blog
Response (Error) Codes FAQs Knowledge Base

Sign In

Sandbox Affiliate

Search Developer Site

Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
Member
qoregexp
Posts: 3
Registered: ‎12-07-2015
Accepted Solution

MD5 to SHA512 with SIM and silent post with php

‎03-12-2019 05:53 PM

I'm another confused person and it's only getting worse.  I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.

 

1.  The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5.  When I do that I get  (99) This transaction cannot be accepted.  It seems only to work with an MD5 hash (length issue?).  Is this a problem in itself?  What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?

 

2.  The SIM documentation also says the time must be UTC.  That's probably not new but I never converted my local time before.  Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.  

 

This is what I'm posting to https://test.authorize.net/gateway/transact.dll:

<input type="hidden" name="x_login" value="3yh8HYWK4ju">

<input type="hidden" name="x_type" value="AUTH_CAPTURE">

<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">

<input type="hidden" name="x_fp_sequence" value="13067697">

<input type="hidden" name="x_fp_timestamp" value="1552437235">

<input type="hidden" name="x_amount" value="26.35">

<input type="hidden" name="x_show_form" value="PAYMENT_FORM">

<input type="hidden" name="x_version" value="3.1">

<input type="hidden" name="x_invoice_num" value="13067697">

<input type="hidden" name="x_description" value="Order Total">

<input type="hidden" name="x_first_name" value="Me">

<input type="hidden" name="x_last_name" value="AlsoMe">

<input type="hidden" name="x_company" value="">

<input type="hidden" name="x_address" value="addr">

<input type="hidden" name="x_city" value="city">

<input type="hidden" name="x_state" value="state">

<input type="hidden" name="x_zip" value="zip">

<input type="hidden" name="x_country" value="United States">

<input type="hidden" name="x_phone" value="5125551212">

<input type="hidden" name="x_email" value="me@gmail.com">  

 

This is how I'm generating the fingerprint:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

 

and this is how I generate the hash to compare in the silent post:

$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));

 

but as noted I have also tried it with the $texttohash preceding the signature key. 

 

I also saw a php example on github that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either.  Maybe it was for a different method but I don't understand why there would be different fields.

 

Can anyone spot my doubtless numerous mistakes?  Thank you.

 

Message 1 of 7 (33,188 Views)
Reply
0 Kudos

Accepted Solutions
Solution
Accepted by topic author qoregexp
‎03-14-2019 10:55 AM
All Star
Renaissance
Posts: 733
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

‎03-13-2019 09:03 PM

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you’ve got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

View solution in original post

Message 4 of 7 (32,894 Views)
Reply

All Replies
Highlighted
Member
jasoncoe2
Posts: 4
Registered: ‎02-26-2019

Re: MD5 to SHA512 with SIM and silent post with php

‎03-12-2019 06:08 PM

Hi,  I can't speak to the silent post as I don't have that in my application.  However, for the fingerprint in my application, it is different than yours.  Mine is also C#.

 

Instead of:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

Try:

 

hash_hmac($transaction_key, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^"); 

 

The transaction key has to be generated inside the authorize.net sandbox or portal.  Account > API Credentials and Keys.  

 

I see you still reference md5, but I'm assuming you have the SHA512 code from Authorize.net, and this is what you are callin as hash_hmac.

 

I hope it helps.  Jason

Message 2 of 7 (33,183 Views)
Reply
0 Kudos
Member
qoregexp
Posts: 3
Registered: ‎12-07-2015

Re: MD5 to SHA512 with SIM and silent post with php

‎03-13-2019 01:07 PM

Thank you for reply.  I have always had the transaction key as the 3rd argument, but I tried it 2nd (I assume you meant to have "md5" as the first argument) and it produces a 99 error.  I did use the fingerprint validator here https://developer.authorize.net/api/reference/responseCode99.html and verified that it is producing an md5 fingerprint.  I don't know if that's intentional or if they just haven't updated it. 

 

I can't get an sha512 fingerprint to be accepted under any circumstances, and the documentation says md5 is still OK for the fingerprint.  I am thinking now the fingerprint is unrelated to the hash that authorize.net sends back -- I think the fingerprint confirms that the transaction is coming from me, and the sha512 hash that they return is supposed to confirm that the response is really coming from them.  

 

I just still can't get a hash that I generate to match theirs.  I now have

 

$texttohash = $login . '^' . $sequence . '^' . $time . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", $texttohash, hex2bin($cc_signature_key)));

 

and I have tried modifying the time going forwards and backwards 23 hours to see if it's just a time problem but none of the values I generated matched theirs.  

Message 3 of 7 (32,992 Views)
Reply
0 Kudos
Solution
Accepted by topic author qoregexp
‎03-14-2019 10:55 AM
All Star
Renaissance
Posts: 733
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

‎03-13-2019 09:03 PM

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you’ve got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

Message 4 of 7 (32,895 Views)
Reply
All Star
Renaissance
Posts: 733
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

‎03-13-2019 09:05 PM

And sorry been a long day. For 100% sure the fingerprint and response are totally different. You use sha512 for both of them but the string is different.
Message 5 of 7 (32,889 Views)
Reply
0 Kudos
All Star
Renaissance
Posts: 733
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

‎03-13-2019 09:07 PM

The github example is for a different integration. It is similar to message 1 on the link I shared.
Message 6 of 7 (32,888 Views)
Reply
0 Kudos
Member
qoregexp
Posts: 3
Registered: ‎12-07-2015

Re: MD5 to SHA512 with SIM and silent post with php

‎03-14-2019 10:55 AM

@Renaissance that message 58 out of 58 was the one I was working from, but I was reading it wrong somehow.  I didn't understand that 30 fields went into the hash to compare with x_SHA2_Hash.  I was using the fields in the fingerprint code.   IT WORKS NOW!  Thank you so, so much.  

Message 7 of 7 (32,556 Views)
Reply