
no data in x_SHA2_Hash when using Silent Post

I've created a Signature Key but there is no data in x_SHA2_Hash when using Silent Post.

 

What is required to get the x_SHA2_Hash field to be populated?

desiminr61
Member
57 REPLIES
@MinneSnowtain

You are welcome. If I were you I would put the verification on the backburner and work on the fingerprint. If I understand correctly, you can receive and process the response without a verification. You will not be able to submit transactions without the sha512 fingerprint at some point. The response field is getting axed early next month. So if we assume that the md5 hash fingerprint also has the same end of life, within a few weeks your app is going to break and transactions will not process.

The sandbox is separate from your integration. You are using SIM/DPM. One of those. They both have the same hash fingerprint process. I do believe that you will be able to get both the fingerprint and the verification working in time, but just in case I would prioritize the fingerprint.

@Renaissance 

 

I completely agree that the fix will need to be done for the fingerprint post to them, but since I can see their hash data with the silent post back I was starting there; when I get that to work I was moving to fix the fingerprint that I post to them. I know this is a bit backwards but I hate the 99 error code messages with no details to even look at as to why it errored.

@MinneSnowtain

I did an experiment with a SIM form. You are using SIM by the way, after looking at the docs again. I was able to get the hash value for the fingerprint and also for the verification. If you’re still stuck let me know and I will help you.

@Renaissance   

 

Thank you!  I'd love some.  Mostly just to confirm what that hashed string is since if I know that is right then I focus on my server side scripting (coldfusion) on what it's doing wrong.

@MinneSnowtain 

 

Here it is: 

 

Your string is all of those 30 values in the response, enclosed in carets.  Here is the php list that I used. In this exact order (reading left to right, top to bottom) my hash matches. Note that this is just a piece of the code I used and at this point I had not attached response values to them. You can ignore the =>' ' as this is php syntax for empty array values (later on in my code I add the values to each key, i.e. 'x_amount' => '80.00').   You can cross reference my list of fields with yours if that is helpful. I haven't compared what I have, line by line, with what you have.  This will get you the verification piece. 

 

$response = array(
    
'x_trans_id'=>'','x_test_request'=>'','x_response_code'=>'', 
'x_auth_code'=>'','x_cvv2_resp_code'=>'', 'x_cavv_response'=>'',
'x_avs_code'=>'','x_method'=>'','x_account_number'=>'','x_amount'=>'',
'x_company'=>'','x_first_name'=>'','x_last_name'=>'','x_address'=>'',
'x_city'=>'','x_state'=>'','x_zip'=>'','x_country'=>'','x_phone'=>'',
'x_fax'=>'','x_email'=>'','x_ship_to_company'=>'',
'x_ship_to_first_name'=>'','x_ship_to_last_name'=>'',
'x_ship_to_address'=>'','x_ship_to_city'=>'',  
'x_ship_to_state'=>'',  'x_ship_to_zip'=>'','x_ship_to_country'=>'', 
'x_invoice_num'=>'');


 

I ran the following from your post (didn't use currency on the verification test)

 

 

<form action="https://test.authorize.net/gateway/transact.dll" method="post">
<input type="HIDDEN" name="x_fp_sequence" value="123">
<input type="HIDDEN" name="x_fp_timestamp" value="<?=$timeStamp;?>">
<input type="HIDDEN" name="x_fp_hash" value="<?=$digest;?>">
<input type="HIDDEN" name="x_login" value="<?=$login;?>">
<input type="HIDDEN" name="x_show_form" value="PAYMENT_FORM">
<input type="HIDDEN" name="x_amount" value="<?=$amount;?>">
<input type="HIDDEN" name="x_method" value="CC">
<input type="HIDDEN" name="x_type" value="AUTH_CAPTURE">
<input type="HIDDEN" name="x_invoice_num" value="28897">
<input type="HIDDEN" name="x_description" value="this is a test">
<input type="HIDDEN" name="x_cust_id" value="12234">
<input type="HIDDEN" name="x_company" value="Testing">
<input type="HIDDEN" name="x_first_name" value="tfn">
<input type="HIDDEN" name="x_last_name" value="fln">
<input type="HIDDEN" name="x_address" value="123 test">
<input type="HIDDEN" name="x_city" value="somewhere">
<input type="HIDDEN" name="x_state" value="mn">
<input type="HIDDEN" name="x_zip" value="55744">
<input type="HIDDEN" name="x_phone" value="111-111-1111">
<input type="HIDDEN" name="x_email" value="test@testing.com">
<input type="HIDDEN" name="x_po_num" value="">
<input type="HIDDEN" name="x_duplicate_window" value="28800">
<input type="HIDDEN" name="x_country" value="US">
<input type="HIDDEN" name="x_header_html_payment_form" value="">
<input type="HIDDEN" name="x_footer_html_payment_form" value="If you have any difficulty or questions please call customer support at ">
<input type="HIDDEN" name="x_customer_ip" value="10.1.1.136">
<input type="HIDDEN" name="header_html" value="">
<input type="HIDDEN" name="return_url" value="">
<input type="hidden" name="x_test_request" value="TRUE">
<input type="SUBMIT" value="Click here to pay with a credit card securely on-line">
</form>

 

 

The html value attributes enclosed in < and ? are php variables. You can insert your own values there, for login, timestamp, etc. I changed sequence to 123.  On my dummy hosted form, I clicked the box to add the billing info to the shipping info.  Here is the resulting string:

 

 

^0^true^1^000000^^^P^CC^XXXX1111^80.00^Testing^tfn^fln^123test^somewhere^mn^55744^US^111-111-1111^^test@testing.com^Testing^tfn^fln^123 test^somewhere^mn^55744^US^28897^

 

For the fingerprint piece, this is the correct string:

 

"$login^$sequence^$timeStamp^$amount^$currency";

//or if you don't use currency

$string = "$login^$sequence^$timeStamp^$amount^"; 

All of these strings have been tested and work. The double quotes " " that enclose the variables are php syntax to indicate the value is to be passed as a string. You will use the equivalent in coldfusion. The printed string is this: 9785858855^123^1551233723^80.00^USD, where you replace 9785858855 with your API login, and you replace 1551233723 with your timestamp.

 

This should get you there. If you follow this and have problems, you want to look two places, 1: your hashing function, and 2: your signature key. The strings have been tested and will work in any language, assuming you use the proper syntax for that language.   sha512 is sha512, independent of any programming language. For your signature key, it is a little tricky. You have to convert to binary, and in some languages, you have to convert to a byte array. In php the byte array step isn't necessary. To the best of my knowledge you have to convert to binary in any language you use. 

 

I think this will solve your issue. Good luck to you. I'll be on later tonight or tomorrow.

 

 

Good Evening @Renaissance 

 

I am happy to report that my signature to auth.net is working great! Which that is a simple string BUT I still can't get it to match what I get back from sandbox silent post. I even go so far as to clear all the customer names, addresses on the payment form so the only data is x_trans_id, x_test_request, X_AUTH_CODE, x_account_number, x_amount, and x_invoice_num which results in a string that looks like

^0^true^1^000000^^^p^CC^XXXX0027^0.01^^^^^^^^^^^^^^^^^^^^28903^

 

 

hash that with my sandbox secret key 3C1EB299A018A14705F20F658AB976B54C2AB964C97D7B8B131D1A94DE56BBF746E6DEC29208E774AAA92BAC77386EDA45078C491A96A251E89929BB8D2DC07B

and get 

BFC242C18923FEA47E715981638A7F6109B31D9E2FA7CE74E0D315396781B123A9ECA8FD8B97DD419AB24A63C4AAE90220D47B898D9354066C473B251943D78B 

 

and I've tried 

 

^0^false^1^000000^^^p^CC^XXXX0027^0.01^^^^^^^^^^^^^^^^^^^^28903^ just in case the x_test_request data was the problem 

resulting in 

2AB9245D8A278AE91DC6A6D0ECAE093C792A535E54E3AEA2453398B994D5629C85023B7A1AA7718CE38E64F87EE0D0E93CB0401ACB2C711BE573CC023CA64475 

 

however sandbox auth.net posts to us

21735240CE6E81C9BFF7FF16980B7A6974B15BF0CA9608A35892F237A1812B02E9A152630201D055361569EB4F28015CB58A8671875FEF4DFF4F69826CC0F35B

 

which clearly doesn't match either option.

 

@MinneSnowtain 

 

Are you manually constructing this string, based on what you send in the request? What you want to do is have it done dynamically based on the response. So the response comes in, you capture it with a programming script and then your programming script constructs the string and  performs the hash validation. So the logic (not the actual programming script) would go like this-

 

-You capture the response.

-The relevant values are extracted and used to construct the string.

-You perform the hash using the string and signature key

-You compare your hash to the auth.net hash

-If the hash matches, you do one thing say for instance mark an order as paid, record transId, etc.

-If the hash doesn't match you don't mark the order as paid bc the response wasn't from auth.net. You may choose to have a db table where the ip address of the unverified entity posting to your url is stored. 

 

The reason I ask is it looks to me like you're plugging your own values in. If you take the ^p^ from your string and make it ^P^ you will get the exact same hash. I just did on my first try.  If you automate things you have no risk of the string being constructed differing from the string used to perform the hash given in the response.  Any difference whatsoever will cause your entire hash not to match. P to p will make every single character different.  
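The verification flow listed in the post above, as an added example that is not part of the original thread or Authorize.Net's own code. It assumes x_SHA2_Hash is an uppercase-hex HMAC-SHA512 of the caret-delimited string, keyed with the hex-decoded signature key (the "convert to binary" step); the function names, the placeholder key and the sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: x_SHA2_Hash is uppercase-hex
// HMAC-SHA512 of the caret string, keyed with the hex-decoded signature key.
const SHA2_FIELDS = [ // order taken from the list posted earlier in the thread
    'x_trans_id', 'x_test_request', 'x_response_code', 'x_auth_code',
    'x_cvv2_resp_code', 'x_cavv_response', 'x_avs_code', 'x_method',
    'x_account_number', 'x_amount', 'x_company', 'x_first_name', 'x_last_name',
    'x_address', 'x_city', 'x_state', 'x_zip', 'x_country', 'x_phone', 'x_fax',
    'x_email', 'x_ship_to_company', 'x_ship_to_first_name', 'x_ship_to_last_name',
    'x_ship_to_address', 'x_ship_to_city', 'x_ship_to_state', 'x_ship_to_zip',
    'x_ship_to_country', 'x_invoice_num',
];

function build_prehash(array $post): string
{
    $values = [];
    foreach (SHA2_FIELDS as $field) {
        // Use each posted value byte for byte: no trim, no case change.
        $values[] = (string) ($post[$field] ?? '');
    }
    return '^' . implode('^', $values) . '^';
}

function compute_sha2_hash(array $post, string $signatureKeyHex): string
{
    $key = hex2bin($signatureKeyHex);
    if ($key === false) {
        throw new InvalidArgumentException('signature key is not valid hex');
    }
    return strtoupper(hash_hmac('sha512', build_prehash($post), $key));
}

function verify_silent_post(array $post, string $signatureKeyHex): bool
{
    $received = strtoupper((string) ($post['x_SHA2_Hash'] ?? ''));
    // hash_equals compares in constant time; a missing hash never matches.
    return $received !== ''
        && hash_equals(compute_sha2_hash($post, $signatureKeyHex), $received);
}

// Constructed demo: placeholder key and values, signed locally (not gateway data).
$key  = str_repeat('0123456789ABCDEF', 8); // 128 hex characters, not a real key
$post = ['x_trans_id' => '0', 'x_test_request' => 'true', 'x_response_code' => '1',
         'x_auth_code' => '000000', 'x_avs_code' => 'P', 'x_method' => 'CC',
         'x_account_number' => 'XXXX1111', 'x_amount' => '80.00', 'x_invoice_num' => '28897'];
$post['x_SHA2_Hash'] = compute_sha2_hash($post, $key);
var_dump(verify_silent_post($post, $key)); // hash matches the posted fields
$post['x_avs_code'] = 'p';                 // one-character case change
var_dump(verify_silent_post($post, $key)); // hash no longer matches
```

In a real handler `$post` would be `$_POST` from the Silent Post request, and an order is marked as paid only when `verify_silent_post` returns true.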

Good Morning @Renaissance   

 

LOL aah no it's created based on the post back data I've received from auth.net. I've been a systems developer for over 20 years working with AWS (s3 especially), auth.net, and even developed many APIs myself. I'm very fluent in hashed signatures and how they work. In my test file I just output my string that I am hashing that I copy pasted.

 

So if I hear what you're saying, it is that they convert the data to upper case THEN hash. Okay let me try that.

@MinneSnowtain

AWS is my preferred solution. Nice skill set you’ve got there. All you do is change the lowercase p to an uppercase P. You don’t change the whole string. And my apologies. It appears that auth.net has sent you erroneous data. Their hash is based on the upper case P but they for some reason returned you a lowercase p.

So maybe after verifying this one with the string, run another one and see if they return it back to you the same way.

I am having exactly the same problem. I use the SIM/Silent Post method. I have no problem creating a fingerprint, but when AuthorizeNet performs a silent post, the x_SHA2_Hash supplied by AuthorizeNet does not match the hash I generate. I generate the hash exactly the same way as described by Xero here (https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/t...).

 

Here is my prehash text:

 

^0^true^1^000000^^^P^CC^XXXX1111^150.00^^Tom^^^^^^^^^^^^^^^^^^^

 

Here is my hash key (aka signature key)

 

68893D1ADBE8C4BB224E669277FDAC633764FAC718CD52191B00FEDBEEFDBD10A4B439833B820E83F30D543B00E3CEED179816EEC49059D4558225542656EE3E

 

Here is hash I generated using signature key and prehashed text

 

301A8B576EF13ED93F361F58F13892210025FD8B91173523165BCED70D132FE63EAC597C873EAE38AEE1512BEDDB275DC098280FDC0AC8A644F81C8E5BD8CEDB

 

and here is what AuthorizeNet supplies in x_SHA2_Hash

 

A0766F9B5248395D86566359EC8B1629268DB026D17D16252287F2169B735AEA2ADA557B733E88F0C53D9F38F278DE6F2BAD4550CE72F8A5E06ACA7B30925DF6

 

What am I missing?