
MIGS Online Payments SHA256 HMAC Error

I've been told by Bendigo Bank that we need to change md5 to SHA256. I've followed their instructions and I am getting this error:

HTTP Status - 400
E5000: Cannot form a matching secure hash based on the merchant's request using either of the two merchant's secrets

Their example code is this:

<?php foreach($_POST as $key => $value) {
    if (strlen($value) > 0) { ?>
            <input type="hidden" name="<?php echo($key); ?>" value="<?php echo($value); ?>"/><br>
    <?php           
        if ((strlen($value) > 0) && ((substr($key, 0,4)=="vpc_") || (substr($key,0,5) =="user_"))) {
            $hashinput .= $key . "=" . $value . "&";
        }
    }
}
$hashinput = rtrim($hashinput,"&");
?>
<!-- attach SecureHash -->
<input type="hidden" name="vpc_SecureHash" value="<?php echo(strtoupper(hash_hmac('SHA256', $hashinput, pack('H*',$securesecret)))); ?>"/>
<input type="hidden" name="vpc_SecureHashType" value="SHA256">

And this is my post:

Array (
    [AgainLink] => http://fallscreekcountryclub.com.au/make-a-booking/submit-booking.html
    [b_terms] => 1
    [chargetypeid] => 33
    [deposit] => 580.00
    [notes] => 4 Nights - 26/11/2016 to 30/11/2016
    [propertyid] => 2
    [total] => 580.00
    [vpc_AccessCode] => 903876BC
    [vpc_Amount] => 58000
    [vpc_Command] => pay
    [vpc_Locale] => en
    [vpc_MerchTxnRef] => 1479746896
    [vpc_Merchant] => BBL5800396
    [vpc_OrderInfo] => Studio Deluxe
    [vpc_ReturnURL] => http://fallscreekcountryclub.com.au/make-a-booking/booking-complete.html
    [vpc_Version] => 1
)

And this is my code:

        $appendAmp = 0;
        $isencoded = '';
        $notencoded = '';
        foreach($_POST as $key => $value) {
            if (strlen($value) > 0) {
                if ($appendAmp == 0) :
                    $notencoded     .= $key . '=' . $value;
                    $isencoded      .= urlencode($key) . '=' . urlencode($value);
                    $appendAmp       = 1;
                else :
                    $notencoded     .= '&' . $key . '=' . $value;
                    $isencoded      .= '&' . urlencode($key) . '=' . urlencode($value);
                endif;
            }
        }

        if (strlen($SECURE_SECRET) > 0) {
            #$vpcURL .= "&vpc_SecureHash=" . strtoupper(md5($md5HashData));
            $SecureHash     = strtoupper(hash_hmac('SHA256',$notencoded,pack('H*',$SECURE_SECRET)));
            $SecureHashType = 'SHA256';
        }
        $vpcURL .= $notencoded.'&vpc_SecureHash='.$SecureHash.'&vpc_SecureHashType='.$SecureHashType;

I have "isencoded" and "notencoded" because I've seen people say to not urlencode the string for vpc_ReturnURL until I build the vpcURL, but neither works.

The urlencoded version of the vpcURL is:

https://migs.mastercard.com.au/vpcpay?AgainLink=http%3A%2F%2Ffallscreekcountryclub.com.au%2Fmake-a-booking%2Fsubmit-booking.html&b_terms=1&chargetypeid=33&deposit=580.00&notes=4+Nights+-+26%2F11%2F2016+to+30%2F11%2F2016&propertyid=2&total=580.00&vpc_AccessCode=903876BC&vpc_Amount=58000&vpc_Command=pay&vpc_Locale=en&vpc_MerchTxnRef=1479746896&vpc_Merchant=BBL5800396&vpc_OrderInfo=Studio+Deluxe&vpc_ReturnURL=http%3A%2F%2Ffallscreekcountryclub.com.au%2Fmake-a-booking%2Fbooking-complete.html&vpc_Version=1&vpc_SecureHash=A5BA6503FC7A169A90C9AAC7039878F45D761180D874789172EB5A58298022E4&vpc_SecureHashType=SHA256 

And the non urlencoded version is:

https://migs.mastercard.com.au/vpcpay?AgainLink=http://fallscreekcountryclub.com.au/make-a-booking/submit-booking.html&b_terms=1&chargetypeid=33&deposit=580.00&notes=4 Nights - 26/11/2016 to 30/11/2016&propertyid=2&total=580.00&vpc_AccessCode=903876BC&vpc_Amount=58000&vpc_Command=pay&vpc_Locale=en&vpc_MerchTxnRef=1479746896&vpc_Merchant=BBL5800396&vpc_OrderInfo=Studio Deluxe&vpc_ReturnURL=http://fallscreekcountryclub.com.au/make-a-booking/booking-complete.html&vpc_Version=1&vpc_SecureHash=A5BA6503FC7A169A90C9AAC7039878F45D761180D874789172EB5A58298022E4&vpc_SecureHashType=SHA256 

Any ideas on what I've done wrong?? I called the bank, and they couldn't help me, they had no idea what I was even talking about..

I know the $SECURE_SECRET number is correct, as it's the same number I've used for the original md5 hash. So the problem lies with the sha256 hash, and I'm not sure why, or how to fix it.

SoulieBaby asked Dec 06 '25 19:12


2 Answers

Hi, I am sharing my working code with you. Enjoy.

    $secretHash = "xxxxxx";
    $accessCode = 'xxxxx';
    $merchantId = 'xxxxx';

    $data = array(
        "vpc_AccessCode" => $accessCode,
        "vpc_Amount" => '100',
        "vpc_Command" => 'pay',
        "vpc_Locale" => 'en',
        "vpc_MerchTxnRef" =>  "REF_".time(),
        "vpc_Merchant" => $merchantId,
        "vpc_OrderInfo" => "Order_N_".time(),
        "vpc_ReturnURL" => urlencode("yourReturnUrl"),
        "vpc_Version" => '1',
        'vpc_SecureHashType' => 'SHA256'
    );

    // Sort by key so the hash input is built in a fixed order.
    ksort($data);
    $hash = '';
    foreach ($data as $k => $v) {
        // The hash fields themselves are never part of the hash input.
        if (in_array($k, array('vpc_SecureHash', 'vpc_SecureHashType'))) {
            continue;
        }
        // Only non-empty vpc_ and user_ fields are hashed.
        if ((strlen($v) > 0) && ((substr($k, 0, 4)=="vpc_") || (substr($k, 0, 5) =="user_"))) {
            $hash .= $k . "=" . $v . "&";
        }
    }
    $hash = rtrim($hash, "&");

    // HMAC-SHA256 keyed with the hex-decoded merchant secret, upper-cased.
    $secureHash = strtoupper(hash_hmac('SHA256', $hash, pack('H*', $secretHash)));
    $paraFinale = array_merge($data, array('vpc_SecureHash' => $secureHash));
    $actionurl = 'https://migs.mastercard.com.au/vpcpay?'.http_build_query($paraFinale);

    //print_r($actionurl);
    header("Location:".$actionurl);
    exit;
Moussa answered Dec 08 '25 08:12


  1. Use ksort() to sort your array before linking your parameters.
  2. Don't use urlencode() to process the vpc_ReturnURL, which would make the SHA256 hash result incorrect. Here is what I found in the official Troubleshooting Guide:

c) Make sure that the vpc_ReturnURL is not URL encoded (i.e. the "/" becomes %2f) You can use the following link to decode a URL - http://meyerweb.com/eric/tools/dencoder/ Sample sorted string based on this example as below: (Removed jsessionid, noheader, tdrid from output of 2b) i.e These elements can be removed prior to sorting the order

vpc_AccessCode=A837820A&vpc_Amount=100&vpc_Card=VC&vpc_CardNum=4222222222222&vpc_CardSecurityCode=100&vpc_Command=pay&vpc_Gateway=threeDSecure&vpc_Locale=en&vpc_MerchTxnRef=T2_7956&vpc_Merchant=TESTDIALECTTEST&vpc_ReturnURL=http://anjumpc:8080/dev-pg/payment/3dprocess.do&vpc_Version=1

  3. Don't send/hash the values whose keys don't start with vpc_, because MIGS doesn't care about those values and doesn't use them in the hash check. The guide also mentions this:

b) Remove unnecessary fields for Hash calculation such as vpc_SecureHashType, vpc_SecureHash and anything that does not begins with vpc_ or user_ - i.e fields highlighted in Bold in 2a above to be removed

  4. (Ignore this, the SHA256 can be used on working MIGS merchant)
KGGG answered Dec 08 '25 07:12
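
The rules from the two answers above (keep only vpc_/user_ fields, sort by key, hash the raw values, URL-encode only when the redirect URL is built) combined in one place. This is an added example, not code from the question, the answers or the bank; the function names are hypothetical and the secret and example.test URLs are constructed.

```php
<?php
// Added example with hypothetical helper names; sample secret and URLs are constructed.
// Fields that enter the hash: non-empty vpc_/user_ keys, minus the hash fields, sorted by key.
function migs_signed_fields(array $params): array
{
    $fields = [];
    foreach ($params as $key => $value) {
        $key = (string) $key;
        $value = (string) $value;
        $isHashField = $key === 'vpc_SecureHash' || $key === 'vpc_SecureHashType';
        $isSigned = strncmp($key, 'vpc_', 4) === 0 || strncmp($key, 'user_', 5) === 0;
        if ($value !== '' && $isSigned && !$isHashField) {
            $fields[$key] = $value;
        }
    }
    ksort($fields, SORT_STRING);
    return $fields;
}

// HMAC-SHA256 over raw key=value pairs (no URL-encoding), keyed with the hex-decoded secret.
function migs_secure_hash(array $params, string $secretHex): string
{
    if (!ctype_xdigit($secretHex) || strlen($secretHex) % 2 !== 0) {
        throw new InvalidArgumentException('Secret must be an even-length hex string');
    }
    $pairs = [];
    foreach (migs_signed_fields($params) as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return strtoupper(hash_hmac('sha256', implode('&', $pairs), hex2bin($secretHex)));
}

// URL-encoding is applied once, by http_build_query(), after the hash is computed.
function migs_build_url(string $endpoint, array $params, string $secretHex): string
{
    $query = migs_signed_fields($params);
    $query['vpc_SecureHash'] = migs_secure_hash($params, $secretHex);
    $query['vpc_SecureHashType'] = 'SHA256';
    return $endpoint . '?' . http_build_query($query);
}

$secret = '00112233445566778899AABBCCDDEEFF'; // constructed, not a real merchant secret
$post = [
    'AgainLink' => 'http://example.test/submit-booking.html', // dropped: not vpc_/user_
    'vpc_Command' => 'pay',
    'vpc_Amount' => '58000',
    'vpc_ReturnURL' => 'http://example.test/booking-complete.html',
];
echo migs_build_url('https://migs.mastercard.com.au/vpcpay', $post, $secret), PHP_EOL;
```

The secret check rejects an odd-length or non-hex secret before hashing, so a malformed secret is reported as an error rather than being decoded into a different key.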