Those who use the Chase Paymentech hosted payment gateway may have run into a rare error scenario.
In this case the user was shown a warning message, and an email with the error details was also sent to the user.
-------------
Error in form submission
An error page was displayed to the customer.
x_fp_hash : Could not validate the integrity of the payment from the transaction
-------------
On the submission page to Paymentech there is a field "x_fp_hash". Its value is a hash generated from a combination of the transaction key, x_fp_hash, x_fp_sequence, x_fp_timestamp, x_amount, and x_currency_code values of the request. These field values are passed through the PHP hash_hmac function.
The value of x_fp_hash is cross-checked against the hash string computed on the Paymentech side. If they match, the transaction is accepted; otherwise the user is warned with a "x_fp_hash : Could not validate the integrity of the payment from the transaction" message.
Sometimes a hosting provider doesn't provide access to the Hash extension, so the hash_hmac function may return a null value. The "x_fp_hash" field is then empty during submission, which causes the above-mentioned error.
Here is a clone of the hash_hmac function that you can use when you need an HMAC generator and the Hash extension is not available. It is only usable with the MD5 and SHA1 hash algorithms, but its output is identical to the official hash_hmac function:
function custom_hmac($algo, $data, $key, $raw_output = false)
{
    $algo = strtolower($algo);                 // 'md5' or 'sha1', called as a function below
    $pack = 'H' . strlen($algo('TEST_CODE'));  // pack() format for the digest's hex length
    $size = 64;                                // block size of MD5 and SHA1 in bytes
    $opad = str_repeat(chr(0x5C), $size);
    $ipad = str_repeat(chr(0x36), $size);
    if (strlen($key) > $size) {
        // Keys longer than one block are hashed first, then zero-padded
        $key = str_pad(pack($pack, $algo($key)), $size, chr(0x00));
    } else {
        $key = str_pad($key, $size, chr(0x00));
    }
    // XOR every byte of the padded key into both pads (all $size bytes, including the last)
    for ($i = 0; $i < $size; $i++) {
        $opad[$i] = $opad[$i] ^ $key[$i];
        $ipad[$i] = $ipad[$i] ^ $key[$i];
    }
    $output = $algo($opad . pack($pack, $algo($ipad . $data)));
    return ($raw_output) ? pack($pack, $output) : $output;
}
Usage:
custom_hmac('md5', 'TEST STRING', 'SECRET_KEY', true); // raw binary digest
custom_hmac('md5', 'TEST STRING', 'SECRET_KEY');       // lowercase hex digest
The following script checks whether PHP's built-in HMAC hash generator returns a hash; if it does not, the custom function is called.
-----use in paymentech script ------------------
// Generation of hash string for security check
$hashstr = "$x_login^$x_fp_sequence^$x_fp_timestamp^$x_amount^$x_currency_code";
// Call the built-in hash_hmac only when the Hash extension provides it
$x_fp_hash = function_exists('hash_hmac') ? hash_hmac('md5', $hashstr, $trans_key) : "";
// If hash_hmac is missing or fails, call the custom HMAC hash generator
if ($x_fp_hash == "") {
    $x_fp_hash = trim(custom_hmac('md5', $hashstr, $trans_key));
}
// Assign the value of $x_fp_hash to the "x_fp_hash" field of the submission form.
--------------------------------
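The following added example is not part of the original post. It checks an HMAC-MD5 fallback against the RFC 2202 known-answer vectors and a 64-byte key before trusting it, and it refuses to build the form when x_fp_hash is empty or malformed. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are hypothetical.

// HMAC-MD5 per RFC 2104, for hosts where the Hash extension is missing.
function fallback_hmac_md5(string $data, string $key): string
{
    $block = 64;                                  // MD5 block size in bytes
    if (strlen($key) > $block) {
        $key = md5($key, true);                   // long keys are hashed first
    }
    $key  = str_pad($key, $block, "\0");
    $ipad = $key ^ str_repeat("\x36", $block);    // string XOR covers all 64 bytes
    $opad = $key ^ str_repeat("\x5c", $block);
    return md5($opad . md5($ipad . $data, true));
}

// Known-answer self-test: RFC 2202 vectors, plus a key of exactly one block.
function fallback_is_correct(): bool
{
    $vectors = [
        ['Jefe', 'what do ya want for nothing?', '750c783e6ab0b503eaa86e310a5db738'],
        [str_repeat("\x0b", 16), 'Hi There', '9294727a3638bb1c13f48ef8158bfc9d'],
    ];
    foreach ($vectors as [$key, $data, $expected]) {
        if (fallback_hmac_md5($data, $key) !== $expected) {
            return false;
        }
    }
    $k64 = str_repeat('K', 64);                   // constructed edge-case key
    return !function_exists('hash_hmac')
        || fallback_hmac_md5('edge', $k64) === hash_hmac('md5', 'edge', $k64);
}

// Fail closed: never emit a form whose x_fp_hash is empty or malformed.
function build_fp_hash(string $hashstr, string $trans_key): string
{
    $hash = function_exists('hash_hmac')
        ? hash_hmac('md5', $hashstr, $trans_key)
        : (fallback_is_correct() ? fallback_hmac_md5($hashstr, $trans_key) : '');
    if (!is_string($hash) || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
        throw new RuntimeException('x_fp_hash could not be generated; aborting submission');
    }
    return $hash;
}

// Constructed sample values in the page's field order.
echo build_fp_hash('LOGIN-ID^1001^1700000000^10.00^USD', 'constructed-transaction-key'), "\n";
```

Throwing before the form is rendered turns a missing extension into a visible server-side error instead of a rejected payment on the customer's side.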
References:
hash_hmac — Generate a keyed hash value using the HMAC method
refer : http://php.net/manual/en/function.hash-hmac.php
*HMAC : hash message authentication code (HMAC)
refer: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
Hope this helps :)