Reply
Highlighted
Contributor
Posts: 36
Registered: ‎02-23-2012
Accepted Solution

no security hash in AIM transactions

I was caught off guard by the retirement of the md5 hash. I'm trying to fix some legacy code to keep our legacy site limping along until we can get the rebuilt site out -- THE LEGACY SERVER CANNOT RUN the latest SDK so please do not suggest that in response to this question.

 

In trying to fix this legacy code, I cannot get the test transactions (or even a couple of transactions run on the production system) to supply the HMAC-SHA512 hash promised in the Aim Guide in the section titled "Authenticating the Response."

 

Here's a sample raw response from an AIM transaction with some values changed for privacy:

"1"|"1"|"1"|"This transaction has been approved."|"52R4QE"|"Y"|"40034138508"|"2019-07-0269072"|"Purchase Description Blah Blah Blah"|"99.95"|"CC"|"auth_capture"|"3"|"Joe"|"Test"|"n/a"|"123 Main St."|"Los Angeles"|"CA"|"90026"|"US"|""|""|"joe.test@example.com"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|"P"|"2"|""|""|""|""|""|""|""|""|""|""|"XXXX1111"|"Visa"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""

 

According to the AIM Guide, "The last field in the response contains the HMAC-SHA512 hash that Authorize.Net generated for the transaction, which can be used to authenticate the response. To use it, construct an HMAC-SHA512 hash..."

 

This does not appear to be the case at all. Is this HMAC only present for certain types of transacations? Is it not provided by the sandbox gateway? What's the deal?


Accepted Solutions
Solution
Accepted by topic author sneakyimp
‎07-03-2019 11:43 AM
All Star
Posts: 664
Registered: ‎11-05-2018

Re: no security hash in AIM transactions

@sneakyimp

You have 3 API credentials, the login, the transaction key, and the signature key. Up to this point you’ve never had to use a signature key which means that you probably have never generated one. Go to your sandbox interface and generate a signature key and see what happens. You will not get a hash without one. AIM direct responses should have a hash.

View solution in original post


All Replies
Solution
Accepted by topic author sneakyimp
‎07-03-2019 11:43 AM
All Star
Posts: 664
Registered: ‎11-05-2018

Re: no security hash in AIM transactions

@sneakyimp

You have 3 API credentials, the login, the transaction key, and the signature key. Up to this point you’ve never had to use a signature key which means that you probably have never generated one. Go to your sandbox interface and generate a signature key and see what happens. You will not get a hash without one. AIM direct responses should have a hash.
Contributor
Posts: 36
Registered: ‎02-23-2012

Re: no security hash in AIM transactions

Thanks for your response. It stands to reason that the gateway cannot provide a hash until you define the signature key used to generate that hash. I added a signature key to the account(s) and I now see the signature.

 

 

All Star
Posts: 664
Registered: ‎11-05-2018

Re: no security hash in AIM transactions

@sneakyimp

You are quite welcome my friend. Now search for my thread “working PHP hash verification” for sample code. The first post has the code that should work for AIM. It uses the same formula as modern API. I’ve tested on modern API and it works. Also tested my SIM/DPM code on SIM and DPM and it works. You’ll have to do some adjusting to get the hash and other elements. Will probably have to sort using a numeric array. Luckily the calculation is simple, with few elements. Let me know if it works, as I am not sure I’ve had users test my code on AIM.
Contributor
Posts: 36
Registered: ‎02-23-2012

Re: no security hash in AIM transactions

Thanks for the additional detail. I had managed to locate all that and things seem to be working. I found this code snippet to be especially useful:

https://github.com/AuthorizeNet/sample-code-php/blob/master/Sha512/compute_trans_hashSHA2.php