Authorize.net MD5 Hash Change

  • Resolved ecogmedia

    (@ecogmedia)


    6 years, 2 months ago

    We got a notice from Authorize.net that there is going to be a MD5 hash change and that our system apparently is using it, is this something that will be taken care of with the plugin or something we need to update?

Viewing 3 replies - 1 through 3 (of 3 total)

  • I received the same notice. I opened up a trouble ticket to WPGIVE asking if this is anything we need to be concerned about. Being today is a Saturday (01/12), I am not expecting a response until Monday. We have some time since the elimination of MD5 support does not terminate until the end of January.

    To add more detail for WPGIVE Support Team, here is the full email instructions:
    To use the Signature Key to validate the value of transHashSHA2:

    Step 1. Generate a Signature Key and store it in a secure location on your server.

    Step 2. Convert the Signature Key into a byte array.

    Step 3. Create a message string that starts with a caret (“^”), followed by the following three fields delimited by carets, and terminated with another caret:

    ? The API Login ID that you send in createTransactionRequest in the name element.

    ? The transaction ID that we send in createTransactionResponse in the transId element.

    ? The transaction amount that we send in createTransactionResponse in the amount element.

    For example, if your API Login ID is “ANet123”, the value of transId is “20987654321”, and the value of amount is “9.99”, the message string would look like this:

    ^ANet123^20987654321^9.99^

    Step 4. Use HMAC-SHA512 to hash the byte array form of the Signature Key from Step 2 with the message string from Step 3.

    Step 5. Compare the value of transHashSHA2 with the output from the HMAC-SHA512 hash mentioned in Step 4.

    For C# users, Authorize.Net provides the following code for converting the Signature Key into a byte array and calculating the HMAC-SHA512 hash.

    public string HMACSHA512(string key, string textToHash)
    {
    if (string.IsNullOrEmpty(key))
    throw new ArgumentNullException(“HMACSHA512: key”, “Parameter cannot be empty.”);
    if (string.IsNullOrEmpty(textToHash))
    throw new ArgumentNullException(“HMACSHA512: textToHash”, “Parameter cannot be empty.”);
    if (key.Length % 2 != 0 || key.Trim().Length < 2)
    {
    throw new ArgumentNullException(“HMACSHA512: key”, “Parameter cannot be odd or less than 2 characters.”);
    }
    try
    {
    byte[] k = Enumerable.Range(0, key.Length)
    .Where(x => x % 2 == 0)
    .Select(x => Convert.ToByte(key.Substring(x, 2), 16))
    .ToArray();
    HMACSHA512 hmac = new HMACSHA512(k);
    byte[] HashedValue = hmac.ComputeHash((new System.Text.ASCIIEncoding()).GetBytes(textToHash));
    return BitConverter.ToString(HashedValue).Replace(“-“, string.Empty);
    }
    catch (Exception ex)
    {
    throw new Exception(“HMACSHA512: ” + ex.Message);
    }
    }

    The details can be found at: https://developer.authorize.net/support/hash_upgrade/?utm_campaign=19Q2%20MD5%20Hash%20EOL%20Merchant&utm_medium=email&utm_source=Eloqua

    Plugin Author Matt Cromwell

    (@webdevmattcrom)

    Hi there,

    This question is regarding one of our paid add-ons. The moderators of this forum require that all inquiries about paid products happen elsewhere. Please use our Priority Support page for your inquiry and we’ll get back to you very soon:
    https://givewp.com/priority-support

    But… we reviewed our addon, and we use a trimmed down version of the Authorize.net SDK (because theirs is 40mb+ large!), and we already use webhooks instead of the old md5hash method. So you should be good to go.

    If you have additional questions, please reach out via Priority Support.

    Thanks!

    Thread Starter ecogmedia

    (@ecogmedia)

    Thank you for following up on that.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Authorize.net MD5 Hash Change’ is closed to new replies.