Member
Posts: 2
Registered: ‎06-29-2015
Accepted Solution

Validating the MD5 Hash response in classic ASP

Transactions are all running fine in the Sandbox using ASP and the SIM interface - but I can't validate the MD5 Hash that is returned by authorize.net.

 

I notice in the doc and the sample code that the fingerprint (used when sending a transaction) is built using the "^" character (keyboard: Shift 6) as a separator.

The doc doesn't mention that separator when building an MD5 validation string to check the response. I have tried both with and without the separator. Either way I can build a successful MD5 Hash using the HMAC() function... but neither value matches the value in the Response form (ie: x_MD5_Hash).

 

I have my "MD5 Hash Value" set appropriately in my Sandbox account.

 

Any ideas?  Thanks!

 


Accepted Solutions
Solution
Accepted by topic author krowden
‎08-21-2015 01:58 AM
Moderator
Posts: 590
Registered: ‎08-21-2009

Re: Validating the MD5 Hash response in classic ASP

The hash that is returned with the transaction result actually is not using the same HMAC function that is used for authentication, it is just a basic md5. The inputs for the hash are also different from the SIM authentication fingerprint, they consist of:

  • Secret - The shared secret that you have specified in the md5 section of your account settings.
  • API Login
  • Transaction ID - This is the ID returned in the response itself
  • Amount

There is no concatenating character required such as the ^. The precise input should look something like this

md5( [Secret] + [API Login] + [Transaction ID] + [Amount])

 

Our hashes are also returned in all caps, so you may need to convert your string to upper case for the sake of comparison.


Solution
Accepted by topic author krowden
‎08-21-2015 01:58 AM
Member
Posts: 2
Registered: ‎06-29-2015

Re: Validating the MD5 Hash response in classic ASP

Trevor, thank you very much! That was very helpful.

 

I had all my parameters correct (including the secret key) - and I was not using the ^ character... but I was incorrect in using the HMAC function (as you pointed out).  

 

I looked at the source for the MD5 functions and found the best function to use was:  

 

  hexMD5( [Secret] + [API Login] + [Transaction ID] + [Amount])

 

Along with your suggestion for converting the result to UPPER case, everything worked just fine.

 

Thank you again!  I know classic ASP is not the road to the future but perhaps the above info could be incorporated into the classic ASP sample code. It would, perhaps, save someone else some frustration.

 

-Kim
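
The response check described in the accepted answer, as an added example that is not part of the original posts or of Authorize.Net's sample code. It is written for Node.js rather than classic ASP; the field names `x_trans_id` and `x_amount`, the function names, and all sample values are assumptions made for illustration.

```javascript
// Added example for Node.js. Sample values below are constructed, not real credentials.
const crypto = require('crypto');

// Response hash per the accepted answer: plain MD5 over
// Secret + API Login + Transaction ID + Amount, no separator, upper-cased.
function expectedResponseHash(secret, apiLogin, transId, amount) {
  return crypto.createHash('md5')
    .update(secret + apiLogin + transId + amount, 'utf8')
    .digest('hex')
    .toUpperCase();
}

// The approach from the question (HMAC-MD5 with "^" separators), kept only
// to show that it yields a different value from the plain MD5 above.
function hmacStyleHash(secret, apiLogin, transId, amount) {
  return crypto.createHmac('md5', secret)
    .update([apiLogin, transId, amount].join('^'), 'utf8')
    .digest('hex')
    .toUpperCase();
}

// fields: the posted response form. x_trans_id and x_amount are assumed names.
function verifyResponse(fields, secret, apiLogin) {
  const received = Buffer.from(String(fields.x_MD5_Hash || '').toUpperCase(), 'utf8');
  // Assumption: hash the amount string exactly as posted back, without reformatting.
  const expected = Buffer.from(
    expectedResponseHash(secret, apiLogin, String(fields.x_trans_id), String(fields.x_amount)), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Constructed sample response; its hash is generated here so the example runs offline.
const SECRET = 'constructed-secret';
const LOGIN = 'constructedLogin';
const sampleResponse = { x_trans_id: '1234567890', x_amount: '19.99' };
sampleResponse.x_MD5_Hash = expectedResponseHash(SECRET, LOGIN, sampleResponse.x_trans_id, sampleResponse.x_amount);

console.log('valid response accepted:', verifyResponse(sampleResponse, SECRET, LOGIN));
console.log('altered amount accepted:',
  verifyResponse({ ...sampleResponse, x_amount: '1.00' }, SECRET, LOGIN));
```

A response whose hash is missing or whose amount was altered in transit fails the check, and the comparison is case-insensitive because the received value is upper-cased before comparing.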
