cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

SHA-512 in Perl

Our authorize.net processing is done in some OLD perl cgi code - any perl programmers out there?

 

We are trying to convert to the SHA-512 hashing.  Our current processing uses MD5, via the perl module Digest::MD5.

I use LWP::UserAgent to POST directly to the secure.authorize.net gateway transact dll URL.

What I get returned is an array of values. The MD5 hash is currently in the 38th array element. Authorize.net has been unable to tell me where I can find the returned SHA-512 hash value to compare to what I am generating in the program.

 

For my test:

I changed it to use Digest::SHA for the hashing. I generated the signature key and have it stored in hex in our database.  

 

 

my $sha512_string = '^' . $auth_net_login_id . '^' . $tranid . '^' . $grandtotal . '^';


my $key = pack 'H*', $sig_key;  ##to convert the store hex value to binary - as recommended here


my $sha512 = Digest::SHA->new;
my $sent_sha512_hash = $sha512->hmac_sha512($sha512_string, $key);

 

When I display that value, it just shows a bunch of weird characters on the screen - I don't know if that's expected or not. I am only displaying it to compare to what comes from authorize.net.

 

When the values are returned from Authorize.net (in the array), I display all the elements. There is a value in element 68 that looks like a hex value but that isn't what is in the hash that I generated.

 

So, isn't the hash returned from Authorize.net in the array? If not, then how do I obtain it using the methods we currently have in place? I don't consider this as using the API.   Or is the problem that I am hashing it wrong on my end?

 

I obtained the perl code for our current processing via Authorize.net MANY years ago from one of their perl customers. It has worked fine ever since. I do not have the knowledge, experience or brain power to change the whole process, unless someone could provide all the perl code (I know that's asking a lot). I also have a general knowlege of php but unfortunately the examples on this forum are too different from our perl process to be able to correlate the two.

 

I hope someone can help!   Thanks in advance!

 

smorrow123
Contributor
76 REPLIES 76

@smorrow123

 

I'm not the expert here or do I know what the rest of your code is doing.

 

However, if you find that you want to try the CGI example I would just leave the LWP as is and see if the CGI test results are somthing that you could then use, just for processing the name/vaules, while leaving the rest of your script alone. Others on here may be able to better help with the use of LWP or even counter my CGI code.

@airman81 @Renaissance @jgoebel

Thanks. I'm now to the point where I'm just building the hash with array element numbers of the response returned to me (based on the order of response fields in the AIM Developer Guide), plus for some, I'm just using the values that I sent in the first place. Regardless, in checking, I am using the right fields according to the the HMAC SHA512 Hash feature from the SIM developer guide.

 

I have that coded and tested and STILL can't match the SHA-512 hash that they're sending back. I've checked and re-checked and I'm hashing the correct fields in the correct order.

The only other thing I can think of is that I'm using the wrong hashing method.

Since the hash they are returning (returned in element 68) is a hex value, I am generating mine as a hex hash.

After I build the SHA hash string which looks like this:

 

^0^TRUE^1^000000^^^P^CC^XXXX0002^39.00^^Sharon^SHAtest^123 Somewhere Street^
 Anywhere^PA^19666^US^6109876543^^sharon.test@test.com^^^^^^^^^8479^

 

I convert the stored signature key from hex to binary:

my $key = pack 'H*', $sig_key;

 

then I hash it using Digest::SHA using the hmac_sha512_hex method (I also uppercase it since that's what is in the hash they send back to me).


my $sha512 = Digest::SHA->new;
my $sent_sha512_hash = uc($sha512->hmac_sha512_hex($sha512_string, $key));

 

I print out the hash I generated and the one they sent to me - and no match.

 

Any other suggestions? I have to stop in a bit, so I may not response to your posts on a timely basis. But I appreciate ANY and ALL help.

 

@smorrow123,

I am interested in talking to your employers about their integration. Message me if you would.

As it relates to this hash, I can solve this for you. Hereโ€™s what we need-

-first, prelim just to make sure that we are on the same page. You have went into your merchant interface and generated a signature key, correct? And you are using that to hash? Below is an explanation of how that works.

You have 3 API credentials, transaction key, login, and signature key. The trans key and login you have had to use for everything youโ€™ve ever done. This may be the first time you have had to use a signature key. The signature key has nothing to do with what you used to put in the interface for MD5. It is a key that is generated in you merchant interface.

-assuming you have a signature key, if you are comfortable doing the following I can almost certainly give you the correct delimited string. Disable it immediately in your interface, then send it to me in a private
message. Disabling it will stop it from ever working again, and you will have to generate a new one.

I can use the disabled key you send me in a hash function in php and get it to match what is being returned to you in your post from 1/21. Then I will send you the string.

This assumes this is not against your policy and you feel safe doing it. Iโ€™m a volunteer on this forum and obviously mean no one no harm. The reason I offer is I can see you are struggling with this and have been for days. Itโ€™s getting painful for you at this point, and I could do this very efficiently if I cut out the middleman. Our process right now is for iteration after iteration to be attempted, followed by feedback on what happened, with successive iterations continuing on. On my end Iโ€™m pretty darn good with this and can iterate rapidly and quite possibly have this done very fast.

Totally your choice and itโ€™s an offer.

@Renaissance

Yes, I generated the signature key online and saved it in our database. That part I'm sure I got ok.

Then I use the pack statement to convert it to binary and use it as the $key in my prior code. I'm pretty sure that's ok, too, since the pack was recommended by several different people (on this forum and elsewhere).  

 

I send through the string that I provided and the binary key and hash it using the perl module Digest::SHA.

 

The old MD5 method (still implemented in live version) does it a little differently, and uses Digest::MD5. It started out with a straight ASCII hash value for the md5-hash. It builds a string:

my $md5_string = $md5_hash . $auth_net_login_id . $tranid . $grandtotal;

then:

my $md5 = Digest::MD5->new;
$md5->add($md5_string);
my $sent_md5_hash = uc($md5->hexdigest); #this is what was compared to what they sent.

 

But the SHA method is a little different. I don't know if I'm doing that wrong - but it uses a string and a key so it's a bit different from MD5. 

 

To be honest, I'm not sure that having you do this on your end is going to help. If it's the data, maybe so - but if it's the hashing method, then your PHP code will do it completely differently and I won't be able to correlate it to what I'm using.

So, I guess what I need is someone who is possibly using the Digest::SHA module in their perl program and can tell me if I'm doing this wrong. OR a perl programmer who can share how they calculated the hash value if using something other than Digest::SHA. I'm open to all suggestions.

 

I have to stop for now. My brain is fried after 6 hours of solid coding/testing without a break. Thanks.

 

 

 

 

Okay, forget that entire last bit.

AIM doesnโ€™t use those 30 fields. You need to go to my post โ€œworking php hashโ€ and make a Perl parallel to that. You need login, transactionkey, and amount.
The sha2 hash has nothing to do with what language you use. It is based on the sha512 algorithm. It is no more different from one language to the next than numbers are. Just like 2 + 2 will output 4 in Perl an php and java, so with sha512 hashes spit out the exact same thing.

Good news is your life just got easier. You need three variables in your delimited string and they all come from you. Transkey, Login, and Amount. The exact string I put in my post about php will work for you. You can do whatever it is you need to to make it Perl syntax.

@Renaissance

This is getting crazy!!! Everything I read said that the 3 fields that Authorize.net said to use (if you were using the API) would not work - that I needed all 30 fields as is done with SIM!!

I will try it - but it will have to wait until tomorrow at the earliest.

The wheels just keep spinning and spinning and spinning and I'm getting nowhere!! .....

 

 

And transkey was a typo. Itโ€™s transid. So it looks like your very first post was correct. Per the new documentation released today. Why that didnโ€™t match after converting the signature key to binary I do not know.
Yeah no one knew what integration method you were using and the AIM documentation says nothing about this. You had said that you were using a post method with LWP and I thought that sounded like maybe direct post. From there everyone took off with the assumption that you were using direct post but we never confirmed if that was in fact the case. The AIM method was just documented today in that link. Up to this point everything involving AIM was a stab in the dark. So even if we knew you were on AIM we would have had to flip a coin on what string we use.

For some mysterious reason your first string didnโ€™t work. It looks exactly correct per the docs.