Reply
Member
Posts: 3
Registered: ‎12-07-2015
Accepted Solution

MD5 to SHA512 with SIM and silent post with php

I'm another confused person and it's only getting worse.  I have read a lot of posts on this topic, including an example from @Renaissance and one from @jasoncoe2 that says the signature key should precede the ^-separated fields to hash, and tried many combinations of things but I just can't get this to work.

 

1.  The SIM documentation says to use SHA512 for the x_fp_hash, showing 3 values to be hashed instead of the 5 I was using with MD5.  When I do that I get  (99) This transaction cannot be accepted.  It seems only to work with an MD5 hash (length issue?).  Is this a problem in itself?  What is the relationship of the fingerprint to the x_SHA2_Hash value that is returned to the silent post?

 

2.  The SIM documentation also says the time must be UTC.  That's probably not new but I never converted my local time before.  Changing to UTC has not gotten the hashes to match although I probably haven't tried it in combination with every other thing I've tried.  

 

This is what I'm posting to https://test.authorize.net/gateway/transact.dll:

<input type="hidden" name="x_login" value="3yh8HYWK4ju">

<input type="hidden" name="x_type" value="AUTH_CAPTURE">

<input type="hidden" name="x_fp_hash" value="f7fccf6ecf84d7a55cf7c47b5802ec00">

<input type="hidden" name="x_fp_sequence" value="13067697">

<input type="hidden" name="x_fp_timestamp" value="1552437235">

<input type="hidden" name="x_amount" value="26.35">

<input type="hidden" name="x_show_form" value="PAYMENT_FORM">

<input type="hidden" name="x_version" value="3.1">

<input type="hidden" name="x_invoice_num" value="13067697">

<input type="hidden" name="x_description" value="Order Total">

<input type="hidden" name="x_first_name" value="Me">

<input type="hidden" name="x_last_name" value="AlsoMe">

<input type="hidden" name="x_company" value="">

<input type="hidden" name="x_address" value="addr">

<input type="hidden" name="x_city" value="city">

<input type="hidden" name="x_state" value="state">

<input type="hidden" name="x_zip" value="zip">

<input type="hidden" name="x_country" value="United States">

<input type="hidden" name="x_phone" value="5125551212">

<input type="hidden" name="x_email" value="me@gmail.com">  

 

This is how I'm generating the fingerprint:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

 

and this is how I generate the hash to compare in the silent post:

$utc = $ordertime + 5*60*60;
$texttohash = $cc_login . '^' . $ordnum . '^' . $utc . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", hex2bin($cc_signature_key), $texttohash ));

 

but as noted I have also tried it with the $texttohash preceding the signature key. 

 

I also saw a php example on github that only used 3 values in the hash, login, transaction id, and amount, and that didn't work either.  Maybe it was for a different method but I don't understand why there would be different fields.

 

Can anyone spot my doubtless numerous mistakes?  Thank you.

 


Accepted Solutions
Solution
Accepted by topic author qoregexp
‎03-14-2019 10:55 AM
All Star
Posts: 662
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you’ve got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

View solution in original post


All Replies
Member
Posts: 4
Registered: ‎02-26-2019

Re: MD5 to SHA512 with SIM and silent post with php

Hi,  I can't speak to the silent post as I don't have that in my application.  However, for the fingerprint in my application, it is different than yours.  Mine is also C#.

 

Instead of:

hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 

Try:

 

hash_hmac($transaction_key, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^"); 

 

The transaction key has to be generated inside the authorize.net sandbox or portal.  Account > API Credentials and Keys.  

 

I see you still reference md5, but I'm assuming you have the SHA512 code from Authorize.net, and this is what you are callin as hash_hmac.

 

I hope it helps.  Jason

Member
Posts: 3
Registered: ‎12-07-2015

Re: MD5 to SHA512 with SIM and silent post with php

Thank you for reply.  I have always had the transaction key as the 3rd argument, but I tried it 2nd (I assume you meant to have "md5" as the first argument) and it produces a 99 error.  I did use the fingerprint validator here https://developer.authorize.net/api/reference/responseCode99.html and verified that it is producing an md5 fingerprint.  I don't know if that's intentional or if they just haven't updated it. 

 

I can't get an sha512 fingerprint to be accepted under any circumstances, and the documentation says md5 is still OK for the fingerprint.  I am thinking now the fingerprint is unrelated to the hash that authorize.net sends back -- I think the fingerprint confirms that the transaction is coming from me, and the sha512 hash that they return is supposed to confirm that the response is really coming from them.  

 

I just still can't get a hash that I generate to match theirs.  I now have

 

$texttohash = $login . '^' . $sequence . '^' . $time . '^' . $amount . '^';
$hash = strtoupper(hash_hmac("sha512", $texttohash, hex2bin($cc_signature_key)));

 

and I have tried modifying the time going forwards and backwards 23 hours to see if it's just a time problem but none of the values I generated matched theirs.  

Solution
Accepted by topic author qoregexp
‎03-14-2019 10:55 AM
All Star
Posts: 662
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

@qoregexp

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m...

Message 58 out of 58 has 100% tested and working SIM code for fingerprint and verification. All you need is a signature key and a form like you just posted. Plug your values for signature, login, etc.

I think your utc value may be throwing you off. Try setting the default time zone like I do in that sample code, and follow it exactly. If the suggested default time zone causes problems for your app, after you’ve got the hash working you can do some research on php DateTime objects, set a different default time zone and then manipulate the time zone inside the script.

All Star
Posts: 662
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

And sorry been a long day. For 100% sure the fingerprint and response are totally different. You use sha512 for both of them but the string is different.
All Star
Posts: 662
Registered: ‎11-05-2018

Re: MD5 to SHA512 with SIM and silent post with php

The github example is for a different integration. It is similar to message 1 on the link I shared.
Member
Posts: 3
Registered: ‎12-07-2015

Re: MD5 to SHA512 with SIM and silent post with php

@Renaissance that message 58 out of 58 was the one I was working from, but I was reading it wrong somehow.  I didn't understand that 30 fields went into the hash to compare with x_SHA2_Hash.  I was using the fields in the fingerprint code.   IT WORKS NOW!  Thank you so, so much.