no security hash in AIM transactions

I was caught off guard by the retirement of the md5 hash. I'm trying to fix some legacy code to keep our legacy site limping along until we can get the rebuilt site out -- THE LEGACY SERVER CANNOT RUN the latest SDK so please do not suggest that in response to this question.

 

In trying to fix this legacy code, I cannot get the test transactions (or even a couple of transactions run on the production system) to supply the HMAC-SHA512 hash promised in the Aim Guide in the section titled "Authenticating the Response."

 

Here's a sample raw response from an AIM transaction with some values changed for privacy:

"1"|"1"|"1"|"This transaction has been approved."|"52R4QE"|"Y"|"40034138508"|"2019-07-0269072"|"Purchase Description Blah Blah Blah"|"99.95"|"CC"|"auth_capture"|"3"|"Joe"|"Test"|"n/a"|"123 Main St."|"Los Angeles"|"CA"|"90026"|"US"|""|""|"joe.test@example.com"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|"P"|"2"|""|""|""|""|""|""|""|""|""|""|"XXXX1111"|"Visa"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""

 

According to the AIM Guide, "The last field in the response contains the HMAC-SHA512 hash that Authorize.Net generated for the transaction, which can be used to authenticate the response. To use it, construct an HMAC-SHA512 hash..."

 

This does not appear to be the case at all. Is this HMAC only present for certain types of transactions? Is it not provided by the sandbox gateway? What's the deal?

sneakyimp
Contributor
Accepted Solutions
@sneakyimp

You have 3 API credentials, the login, the transaction key, and the signature key. Up to this point you’ve never had to use a signature key which means that you probably have never generated one. Go to your sandbox interface and generate a signature key and see what happens. You will not get a hash without one. AIM direct responses should have a hash.

Renaissance
All Star
Thanks for your response. It stands to reason that the gateway cannot provide a hash until you define the signature key used to generate that hash. I added a signature key to the account(s) and I now see the signature.

 

 

@sneakyimp

You are quite welcome my friend. Now search for my thread “working PHP hash verification” for sample code. The first post has the code that should work for AIM. It uses the same formula as modern API. I’ve tested on modern API and it works. Also tested my SIM/DPM code on SIM and DPM and it works. You’ll have to do some adjusting to get the hash and other elements. Will probably have to sort using a numeric array. Luckily the calculation is simple, with few elements. Let me know if it works, as I am not sure I’ve had users test my code on AIM.

Thanks for the additional detail. I had managed to locate all that and things seem to be working. I found this code snippet to be especially useful:

https://github.com/AuthorizeNet/sample-code-php/blob/master/Sha512/compute_trans_hashSHA2.php
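The check discussed in this thread, as an added example that is not code from any poster or from the linked Authorize.Net sample. It assumes the hashed string is `^API login ID^transaction ID^amount^` keyed with the hex-decoded signature key, and that the transaction ID and amount are the 7th and 10th fields as in the sample response above; confirm both against the AIM Guide. The function name `aim_verify_response` and all demo values are hypothetical.

```php
<?php
// Added example: verify the HMAC-SHA512 carried in the last field of an AIM response.
// Assumed (not stated in this thread): the hashed string is
// "^{API login ID}^{transaction ID}^{amount}^" and the signature key is a hex string.

function aim_verify_response($raw, $apiLoginId, $signatureKeyHex)
{
    // Fields are "|"-delimited and wrapped in double quotes, as in the sample above.
    $fields = str_getcsv($raw, '|', '"', '\\');
    if (count($fields) < 11) {
        return 'malformed';
    }
    $transId  = $fields[6];                    // 7th field in the sample response
    $amount   = $fields[9];                    // 10th field in the sample response
    $received = $fields[count($fields) - 1];   // last field carries the hash

    // With no signature key on the account the gateway sends an empty hash.
    // Report that as a failure instead of silently skipping verification.
    if ($received === '') {
        return 'missing';
    }
    // Reject a key that is not clean, even-length hex before decoding it.
    if (!ctype_xdigit($signatureKeyHex) || strlen($signatureKeyHex) % 2 !== 0) {
        return 'bad-key';
    }
    $text     = '^' . $apiLoginId . '^' . $transId . '^' . $amount . '^';
    $expected = hash_hmac('sha512', $text, hex2bin($signatureKeyHex));

    // hash_equals() compares in constant time; normalise hex case on both sides first.
    return hash_equals(strtoupper($expected), strtoupper($received)) ? 'valid' : 'invalid';
}

// Constructed demo values: the login ID and key are placeholders, not real credentials.
$login  = 'EXAMPLE_LOGIN';
$keyHex = str_repeat('0A', 64);
$body   = '"1"|"1"|"1"|"This transaction has been approved."|"52R4QE"|"Y"|"40034138508"|"INV-1"|"Test"|"99.95"';
$good   = strtoupper(hash_hmac('sha512', "^$login^40034138508^99.95^", hex2bin($keyHex)));

// Case 1: response signed with the account's key.
echo aim_verify_response($body . '|"' . $good . '"', $login, $keyHex), "\n";
// Case 2: no signature key generated yet, so the hash field is empty.
echo aim_verify_response($body . '|""', $login, $keyHex), "\n";
// Case 3: amount changed after signing.
$tampered = str_replace('99.95', '9.95', $body);
echo aim_verify_response($tampered . '|"' . $good . '"', $login, $keyHex), "\n";
```

Treat any result other than `valid` as an unauthenticated response, and keep the signature key out of source control alongside the transaction key.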