Calculating Verifiable HashResponse

geilt replied

06-30-2014, 05:20 PM
Problem Solved with Workaround. Invalid SHA Returned from CNP.

There is a problem. It has to do with Click and Pledge's Hash Implementation. Sometimes, it omits one 0 at random and leaves it as a blank, making it a 39 character string instead of 40.

This is possibly due to a coding bug as referenced here on msdn

I created a workaround for this issue, by finding and replacing each generated hash's 0's with blank spaces, creating an array of possible hashes and then checking the base64_decoded hash from CNP against the array of possibilities.

It's dirty but it works. There was no pattern I could find as to WHEN a 0 would go missing, but from what I have seen it only loses one 0. I assumed at first it was the last 0, but that was not the case.

Code:

<?php function checkHashString($secret_key, $order_number, $amount, $receivedHash, $dump = false){ $hash = base64_decode($receivedHash); echo strlen($hash); $sha = sha1(utf8_encode("[" . $secret_key . "][" . $order_number . "][" . $amount . "]")); $hashes = array($sha); $i = 0; while(strpos($sha, '0', $i) !== false ): $pos = strpos($sha, '0', $i); $hashes[] = substr_replace($sha, '', $pos, 1); $i = $pos + 1; echo $i; endwhile; if($dump): $dump = $hashes; $dump[] = $hash; echo '<pre>'; print_r($dump); echo '</pre>'; endif; return in_array($hash, $hashes); } ?>

You can test with the following data:

Code:

<?php $results[] = checkHashString('letshashitout', 1406301520403881111, '50.00', 'MTkxOWJkMjU5YjIyODJiNTEyYTc1YTcxNzcxMmM2MTFhNGE0ZGEx'); $results[] = checkHashString('test123', 1404211124504441111, '17.00', 'ZTdhYjcwMjRiOWRlYzMxNThhNjdmOTc5ZDVmMTY5OTA5YWUyYTFk'); $results[] = checkHashString('test123', 1404181859539791111, '65.00', 'NjNiZDNiNTc5OTI2NmU2NjVmNmJjZmQ0Yjk2Y2FjMzJiY2I5MWI5'); $results[] = checkHashString('test123', 1404211146064211111, '897.00', 'NTQzNjdmODA1ZTJhN2QyOTg1MTgxNDE1NDM3YzdiZjFiNjNlY2FlOA=='); $results[] = checkHashString('letshashitout', 1406301520403881111, '50.00', 'MTkxOWJkMjU5YjIyODJiNTEyYTc1YTcxNzcxMmM2MTFhNGE0ZGEx=='); echo '<pre>'; print_r($results); echo '</pre>'; ?>

It would be great if Click and Pledge could take a look at their algorithm. It is in fact returning less than 40 digit hashes after decoding. This means it is either a SHA error, a string building error or a base64 Encoding error on their side. I am leaning toward a encoding or string error.

Originally posted by Simon View Post

is something going on with the backend? The hashes that I'm getting back are matching only occasionally.
The hashes being passed back from portal.clickandpledge.com don't always end in the == yet my calculated hashes always do.
I've made a sample donation page here: https://kellpartners-sj--developer-e...nate?test=true

and that posts to a super simple processor page. http://kellpartners.com/development/testHashCode2.php

So far the passed hash code is has been valid ~15% of the time, and since my calculated hashes always look similar, yet the CP passed hash seems to be changing in length, I can only assume there's something going on in the backend that's calculating the CP hash? Because according the the SHA1 specification it always returns the same length hash.
Leave a comment:
Simon replied

04-21-2014, 10:51 AM
By 'Similar' I meant they're always returning the same length string(56 chars) that ends in == , and yes I am including the amount. Whereas the returned hashresponse sometimes doesn't end in == and the length of the hash seems to be changing randomly.

here's a couple samples of the responses I get and the hashes (2 that return 52 char hashes that don't work and 1 56 character hash that does) these have the ordernumber, secret code and amount in them so you can check as well.

Page not found - KELL Partners

http://kellpartners.com/development/testHashCode2.php?Amount=17&on=1404211124504441111&vg=8e806cad-f31b-4aa5-8155-ae745befa2c6&au=837136&gn=7a39a18d-0b34-4855-894f-76b23f8eba6c&hashresponse=ZTdhYjcwMjRiOWRlYzMxNThhNjdmOTc5ZDVmMTY5OTA5YWUyYTFk&RefID=Web

http://kellpartners.com/development/testHashCode2.php?Amount=65&on=1404181859539791111&vg=d92ac70c-67e5-4570-a285-3a73991f67b1&au=c01c91&gn=21e809f2-331a-4e9d-b4b4-d29d1d94d5ff&hashresponse=NjNiZDNiNTc5OTI2NmU2NjVmNmJjZmQ0Yjk2Y2FjMzJiY2I5MWI5&RefID=Web

And One that works where the returned hash from CP is the proper 56 characters long

Page not found - KELL Partners

http://kellpartners.com/development/testHashCode2.php?Amount=897&on=1404211146064211111&vg=347b5441-0a10-4366-8b59-e6794cf9bb62&au=530c70&gn=452d223a-ce23-4719-98dd-3b5de489adc8&hashresponse=NTQzNjdmODA1ZTJhN2QyOTg1MTgxNDE1NDM3YzdiZjFiNjNlY2FlOA==&RefID=Web
Leave a comment:
CnP.Support replied

04-19-2014, 11:57 AM
Hi Simon,

Strange - since this works well in our own codes.

How can your hash code always look similar? Don't you include the amount?

[SecurityCode][Order Number][Amount]

the hashcode uses the order number and the amount and as such it is not possible for it to always be the same. Even if the amount is the same the order number is always different so the hashcode has to, by design, be different each time.

Please post your order number so we can review the XML.
Leave a comment:
Simon replied

04-18-2014, 04:38 PM
is something going on with the backend? The hashes that I'm getting back are matching only occasionally.
The hashes being passed back from portal.clickandpledge.com don't always end in the == yet my calculated hashes always do.
I've made a sample donation page here: https://kellpartners-sj--developer-e...nate?test=true

and that posts to a super simple processor page. http://kellpartners.com/development/testHashCode2.php

So far the passed hash code is has been valid ~15% of the time, and since my calculated hashes always look similar, yet the CP passed hash seems to be changing in length, I can only assume there's something going on in the backend that's calculating the CP hash? Because according the the SHA1 specification it always returns the same length hash.

Last edited by Simon; 04-18-2014, 06:03 PM.
Leave a comment:
CnP.Support replied

03-26-2014, 09:48 AM
Thanks Simon,

I will have that added to the manual.
Leave a comment:

Simon replied

03-26-2014, 09:45 AM

perfect that did it.
here's a small version of the PHP function for future reference that just accepts a string passed to it.

Code:

function hashcode($stringToParse){  return base64_encode(sha1(utf8_encode($stringToParse)));}

// and a sample to test against 

$hashResponseFromCP =  "OTgxY2JlZjJmMGJlY2FkMGU4NDczN2JjM2Y2MDUzY2Y3MTkzZWI3OA==";

// Our calculated String
$s = "[xxxxx][1403241635395841111][25.00]";
if (hashcode($s) == $hashResponseFromCP){
    echo "match";
}else{
    echo "nomatch";
}

Thanks.

Announcement

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment: