Reply
Highlighted
Member
Posts: 4
Registered: ‎02-26-2019
Accepted Solution

Upgrading SIM from MD5 to SHA512

 

I have reviewed the MD5 Hash End of Life, and I looked at the sample code.   The sample code differs from the SIM guide on page 29 under submitting transactions.  When I read this piece it appears that I could change the MD5 had to the SHA512 hash, generate the same x_fp_hash and pass that to Authorize.net.  I tried this and I get a 99 status error.

 

Even the sample code, does not show how to call the API.  Thus, I'm confused if I'm totally switching to a new version of the SIM API or can I stay on the old version just changing the hash algorithm.  

 

I found this article in the community help, and it appears to suggest that we need to create the SHA512 has for the signature key, apilogin, transid, and amount, and then compare it to the Hash in the Relay Response.  I'm not sure I understand the Relay Response piece.  Do I need to both send the x_fp_hash and then compare it to the Relay Response. 

 

I would think that I could post to Authorize.net first, receive the checkout page, and then upon completion of the transaction be submitted back to the Relay Response page.  I'm not sure I had this in the previous version of the API.  I passed x_receipt_link_method, x_receipt_link_text, and x_receipt_link_url to the API and then expected the end user to click the link from the receipt page.  This is how my training videos are created.

 

As you can imagine, there is several articles and it is difficult to decipher. Thus, my ask is.  Do I need a relay response?  Can i continue having the end user click the link.  According to the SIM guide, I think the answer is yes.  

 

Is there an example of calling the API.  I'm still confused if I need to use the Signature Key and SHA512 just passiing it into x_fp_hash or do I need to use x_SHA2_Hash. 

 

 

Thanks for your help.  

 

Jason


Accepted Solutions
Highlighted
Solution
Accepted by topic author jasoncoe2
‎02-26-2019 07:04 PM
Member
Posts: 4
Registered: ‎02-26-2019

Re: Upgrading SIM from MD5 to SHA512

I have been able to solve this riddle.  

 

In the Sample Code, the call for the SHA512 looks as follows, and I had followed this standard.

HMACSHA512(key, "^"+ apiLogin+"^"+ transId +"^"+ amount+"^")

 

However, if you read this Post, there is one line of code that shows as below.  It uses the signature Key, but then has the APILoginID, Sequence, TimeStamp, and Amount.

 

GetAuthorizeNetHMACSHA512(anSignatureKey, anAPILoginID & "^" & Sequence & "^" & TimeStamp & "^" & Total.ToString("0.##") & "^USD")

 

Once I update my code to use the SHA512, Signature Key and the correct values to be Hashed (APILoginID, Sequence, TimeStamp, and Amount), I was able to generate the proper fingerprint and receive the Authorize.net Payment Form.

 

The SIM User Guide on Page 31 Example 3 is also confusing because it shows the values backwards.  It has the Key being passed second, but the key should be the first parameter.  I'm still using the code in the Sample Code to do the Hash Value, so the SIM Guide needs to be updated.

 

I hope this helps others.

 

Jason

 

View solution in original post


All Replies
Highlighted
Posts: 2,765
Topics: 57
Kudos: 248
Blog Posts: 67
Registered: ‎12-05-2011

Re: Upgrading SIM from MD5 to SHA512

Hello @jasoncoe2 

 

The format for submitting transactions using SIM is not changing, they will continue to work as is.

 

However, if you wish to validate responses and are using the MD5 hash, you'll need to upgrade your integration to support the Signature Key and SHA512.

 

Richard

Highlighted
Member
Posts: 4
Registered: ‎02-26-2019

Re: Upgrading SIM from MD5 to SHA512

Hi @RichardH thank you for the response.  I don't think I'm validating a response. I'm simply passing the x_receipt_link_url and instructing end users to click the link to return to my application.  

 

Are you saying that MD5 will continue to work on the Post to Authorize.net?  Is it only the response relay that must be changed to SHA512?  Is it possible to update the Post to Authorize.net to SHA512?

 

Jason

Highlighted
Solution
Accepted by topic author jasoncoe2
‎02-26-2019 07:04 PM
Member
Posts: 4
Registered: ‎02-26-2019

Re: Upgrading SIM from MD5 to SHA512

I have been able to solve this riddle.  

 

In the Sample Code, the call for the SHA512 looks as follows, and I had followed this standard.

HMACSHA512(key, "^"+ apiLogin+"^"+ transId +"^"+ amount+"^")

 

However, if you read this Post, there is one line of code that shows as below.  It uses the signature Key, but then has the APILoginID, Sequence, TimeStamp, and Amount.

 

GetAuthorizeNetHMACSHA512(anSignatureKey, anAPILoginID & "^" & Sequence & "^" & TimeStamp & "^" & Total.ToString("0.##") & "^USD")

 

Once I update my code to use the SHA512, Signature Key and the correct values to be Hashed (APILoginID, Sequence, TimeStamp, and Amount), I was able to generate the proper fingerprint and receive the Authorize.net Payment Form.

 

The SIM User Guide on Page 31 Example 3 is also confusing because it shows the values backwards.  It has the Key being passed second, but the key should be the first parameter.  I'm still using the code in the Sample Code to do the Hash Value, so the SIM Guide needs to be updated.

 

I hope this helps others.

 

Jason

 

Highlighted
Contributor
Posts: 15
Registered: ‎01-10-2018

Re: Upgrading SIM from MD5 to SHA512

I am getting different hash after payment is done usin Authorizenet DPM. It was working before but from last1-2 days it is not working. I am using following function to generate Fingerprint for x_hp_hash -

$signature_key = hex2bin($signature_key);

if (function_exists('hash_hmac')) {

return hash_hmac("sha512", $api_login_id . "^" . $fp_sequence . "^" .

 $fp_timestamp . "^" . $amount . "^", $signature_key); 

}

return bin2hex(mhash(MHASH_SHA512, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $signature_key));

and hash compare after payment -

$hashFields =  [                $_POST['x_trans_id'],                $_POST['x_test_request'],                $_POST['x_response_code'],                $_POST['x_auth_code'],                $_POST['x_cvv2_resp_code'],                $_POST['x_cavv_response'],                $_POST['x_avs_code'],                $_POST['x_method'],                $_POST['x_account_number'],                $_POST['x_amount'],                $_POST['x_company'],                $_POST['x_first_name'],                $_POST['x_last_name'],                $_POST['x_address'],                $_POST['x_city'],                $_POST['x_state'],                $_POST['x_zip'],                $_POST['x_country'],                $_POST['x_phone'],                $_POST['x_fax'],                $_POST['x_email'],                $_POST['x_ship_to_company'],                $_POST['x_ship_to_first_name'],                $_POST['x_ship_to_last_name'],                $_POST['x_ship_to_address'],                $_POST['x_ship_to_city'],                $_POST['x_ship_to_state'],                $_POST['x_ship_to_zip'],                $_POST['x_ship_to_country'],                $_POST['x_invoice_num'],
            ];  $hashString = '^'.implode('^', $hashFields).'^';  $generatedhash = strtoupper(HASH_HMAC('sha512', $hashString, hex2bin($signature_key)));

  if (function_exists('hash_equals')) {      $equals = hash_equals($_POST['x_SHA2_Hash'], $generatedhash);
  } else {      $equals = $_POST['x_SHA2_Hash'] === $generatedhash;
  }
  if($equals) {
      //valid
  } else{
      //not valid
  }

Always giving not valid. IT was working before. I did update this code in Starting of Jan-2019 and it worked since then. Please help me out as the issue on production and I cant bear pain of the payment issue.