2016-11-22 83 views
2

Bendigo Bank told us we need to change from MD5 to SHA256. I have followed their instructions, and I get this error: MIGS online payment SHA256 HMAC error

HTTP Status - 400 
E5000: Cannot form a matching secure hash based on the merchant's request using either of the two merchant's secrets 

Their example code looks like this:

<?php foreach($_POST as $key => $value) { 
    if (strlen($value) > 0) { ?> 
      <input type="hidden" name="<?php echo($key); ?>" value="<?php echo($value); ?>"/><br> 
    <?php   
     if ((strlen($value) > 0) && ((substr($key, 0,4)=="vpc_") || (substr($key,0,5) =="user_"))) { 
      $hashinput .= $key . "=" . $value . "&"; 
     } 
    } 
} 
$hashinput = rtrim($hashinput,"&"); 
?> 
<!-- attach SecureHash --> 
<input type="hidden" name="vpc_SecureHash" value="<?php echo(strtoupper(hash_hmac('SHA256', $hashinput, pack('H*',$securesecret)))); ?>"/> 
<input type="hidden" name="vpc_SecureHashType" value="SHA256"> 

This is my POST:

Array (
    [AgainLink] => http://fallscreekcountryclub.com.au/make-a-booking/submit-booking.html 
    [b_terms] => 1 
    [chargetypeid] => 33 
    [deposit] => 580.00 
    [notes] => 4 Nights - 26/11/2016 to 30/11/2016 
    [propertyid] => 2 
    [total] => 580.00 
    [vpc_AccessCode] => 903876BC 
    [vpc_Amount] => 58000 
    [vpc_Command] => pay 
    [vpc_Locale] => en 
    [vpc_MerchTxnRef] => 1479746896 
    [vpc_Merchant] => BBL5800396 
    [vpc_OrderInfo] => Studio Deluxe 
    [vpc_ReturnURL] => http://fallscreekcountryclub.com.au/make-a-booking/booking-complete.html 
    [vpc_Version] => 1 
) 

This is my code:

 $appendAmp = 0; 
     $isencoded = ''; 
     $notencoded = ''; 
     foreach($_POST as $key => $value) { 
      if (strlen($value) > 0) { 
       if ($appendAmp == 0) : 
        $notencoded  .= $key . '=' . $value; 
        $isencoded  .= urlencode($key) . '=' . urlencode($value); 
        $appendAmp  = 1; 
       else : 
        $notencoded  .= '&' . $key . '=' . $value; 
        $isencoded  .= '&' . urlencode($key) . '=' . urlencode($value); 
       endif; 
      } 
     } 

     if (strlen($SECURE_SECRET) > 0) { 
      #$vpcURL .= "&vpc_SecureHash=" . strtoupper(md5($md5HashData)); 
      $SecureHash  = strtoupper(hash_hmac('SHA256',$notencoded,pack('H*',$SECURE_SECRET))); 
      $SecureHashType = 'SHA256'; 
     } 
     $vpcURL .= $notencoded.'&vpc_SecureHash='.$SecureHash.'&vpc_SecureHashType='.$SecureHashType; 

I have "isencoded" and "notencoded" because I have seen people say not to urlencode the string (vpc_ReturnURL, say) until I build the vpcURL, but neither works.

The urlencoded version of the vpcURL is:

https://migs.mastercard.com.au/vpcpay?AgainLink=http%3A%2F%2Ffallscreekcountryclub.com.au%2Fmake-a-booking%2Fsubmit-booking.html&b_terms=1&chargetypeid=33&deposit=580.00&notes=4+Nights+-+26%2F11%2F2016+to+30%2F11%2F2016&propertyid=2&total=580.00&vpc_AccessCode=903876BC&vpc_Amount=58000&vpc_Command=pay&vpc_Locale=en&vpc_MerchTxnRef=1479746896&vpc_Merchant=BBL5800396&vpc_OrderInfo=Studio+Deluxe&vpc_ReturnURL=http%3A%2F%2Ffallscreekcountryclub.com.au%2Fmake-a-booking%2Fbooking-complete.html&vpc_Version=1&vpc_SecureHash=A5BA6503FC7A169A90C9AAC7039878F45D761180D874789172EB5A58298022E4&vpc_SecureHashType=SHA256 

And the non-urlencoded version is as follows. What did I do wrong?

https://migs.mastercard.com.au/vpcpay?AgainLink=http://fallscreekcountryclub.com.au/make-a-booking/submit-booking.html&b_terms=1&chargetypeid=33&deposit=580.00&notes=4 Nights - 26/11/2016 to 30/11/2016&propertyid=2&total=580.00&vpc_AccessCode=903876BC&vpc_Amount=58000&vpc_Command=pay&vpc_Locale=en&vpc_MerchTxnRef=1479746896&vpc_Merchant=BBL5800396&vpc_OrderInfo=Studio Deluxe&vpc_ReturnURL=http://fallscreekcountryclub.com.au/make-a-booking/booking-complete.html&vpc_Version=1&vpc_SecureHash=A5BA6503FC7A169A90C9AAC7039878F45D761180D874789172EB5A58298022E4&vpc_SecureHashType=SHA256 

Any ideas? I called the bank and they could not help me; they did not know what I was talking about.

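I know the $SECURE_SECRET number is correct because it is the same as the one used for the original MD5 hash. So the problem is related to the SHA256 hash, and I don't know why, or how to fix it.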

Answers

1
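  1. Sort your array with ksort() before concatenating your parameters.
  2. Do not use urlencode() on vpc_ReturnURL; it makes the SHA256 hash result incorrect. Here is what I found in the official troubleshooting guide: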

c) Make sure that the vpc_ReturnURL is not URL encoded (i.e. the "/" becomes %2f) You can use the following link to decode a URL - http://meyerweb.com/eric/tools/dencoder/ Sample sorted string based on this example as below: (Removed jsessionid, noheader, tdrid from output of 2b) i.e These elements can be removed prior to sorting the order

vpc_AccessCode=A837820A&vpc_Amount=100&vpc_Card=VC&vpc_CardNum=4222222222222&vpc_CardSecurityCode=100&vpc_Command=pay&vpc_Gateway=threeDSecure&vpc_Locale=en&vpc_MerchTxnRef=T2_7956&vpc_Merchant=TESTDIALECTTEST&vpc_ReturnURL=http://anjumpc:8080/dev-pg/payment/3dprocess.do&vpc_Version=1 
  3. Do not send or hash values whose keys do not start with vpc_, because MIGS does not care about these values and will not use them in the hash check. The guide also mentions this:

b) Remove unnecessary fields for Hash calculation such as vpc_SecureHashType, vpc_SecureHash and anything that does not begins with vpc_ or user_ - i.e fields highlighted in Bold in 2a above to be removed

  • +0

    Okay, I made some changes: I changed my fields to user_, then I also changed AgainLink to vpc_AgainLink, and it works fine. :) –

    +0

    Do you have a link to the official troubleshooting guide? – MohamedSanaulla

    +0

    @MohamedSanaulla Sorry, the guide is only available to banks, so I'm afraid I can't provide it. – KGGG

    6

    Hello, I am sharing (ignore this, SHA256 can be used at a working MIGS merchant) with you my working code. Enjoy.

    $secretHash="xxxxxx"; 
        $accessCode='xxxxx'; 
        $merchantId='xxxxx';  
    
        $data = array(
         "vpc_AccessCode" => $accessCode, 
         "vpc_Amount" => '100', 
         "vpc_Command" => 'pay', 
         "vpc_Locale" => 'en', 
         "vpc_MerchTxnRef" => "REF_".time(), 
         "vpc_Merchant" => $merchantId, 
         "vpc_OrderInfo" => "Order_N_".time(), 
         "vpc_ReturnURL" => urlencode("yourReturnUrl"), 
         "vpc_Version" => '1', 
         'vpc_SecureHashType' => 'SHA256'  
        ); 
    
        ksort($data); 
        $hash = null; 
        foreach ($data as $k => $v) { 
         if (in_array($k, array('vpc_SecureHash', 'vpc_SecureHashType'))) { 
          continue; 
         } 
         if ((strlen($v) > 0) && ((substr($k, 0, 4)=="vpc_") || (substr($k, 0, 5) =="user_"))) { 
          $hash .= $k . "=" . $v . "&"; 
         } 
        } 
        $hash = rtrim($hash, "&"); 
    
        $secureHash = strtoupper(hash_hmac('SHA256', $hash, pack('H*', $secretHash))); 
        $paraFinale = array_merge($data, array('vpc_SecureHash' => $secureHash)); 
        $actionurl = 'https://migs.mastercard.com.au/vpcpay?'.http_build_query($paraFinale); 
    
        //print_r($actionurl); 
        header("Location:".$actionurl); 
        exit; // stop script execution once the redirect header is sent
    
    +0

    Thank you :) –
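
The three points of the first answer (sort by key, hash the raw values, sign only vpc_/user_ fields) combined into one request builder, as an added example that is not the bank's, MIGS's or either answerer's code. The function names, the shop.example URLs and the secret are constructed for illustration; the hex-encoded secret is assumed from the pack('H*', ...) usage in the code above.

```php
<?php
// Added example; names, URLs and the secret below are constructed, not from MIGS or the bank.

// Keep only the fields MIGS signs (vpc_*/user_*, non-empty, not the hash fields), sorted by key.
function migs_signed_fields(array $fields): array
{
    $signed = [];
    foreach ($fields as $key => $value) {
        $key = (string) $key;
        $isSigned = strncmp($key, 'vpc_', 4) === 0 || strncmp($key, 'user_', 5) === 0;
        $isHashField = in_array($key, ['vpc_SecureHash', 'vpc_SecureHashType'], true);
        if ($isSigned && !$isHashField && strlen((string) $value) > 0) {
            $signed[$key] = (string) $value;
        }
    }
    ksort($signed, SORT_STRING);
    return $signed;
}

// HMAC-SHA256 over raw "key=value" pairs joined with "&"; values are NOT URL-encoded here.
function migs_secure_hash(array $fields, string $secretHex): string
{
    if (strlen($secretHex) % 2 !== 0 || !ctype_xdigit($secretHex)) {
        throw new InvalidArgumentException('secure secret must be an even-length hex string');
    }
    $pairs = [];
    foreach (migs_signed_fields($fields) as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return strtoupper(hash_hmac('sha256', implode('&', $pairs), hex2bin($secretHex)));
}

// URL-encode exactly once, when the query string is built, after the hash is computed.
function migs_payment_url(string $baseUrl, array $fields, string $secretHex): string
{
    $query = migs_signed_fields($fields);
    $query['vpc_SecureHash'] = migs_secure_hash($fields, $secretHex);
    $query['vpc_SecureHashType'] = 'SHA256';
    return $baseUrl . '?' . http_build_query($query);
}

$secret = '00112233445566778899AABBCCDDEEFF'; // constructed hex secret
$post = [                                      // constructed form data, deliberately unsorted
    'AgainLink'     => 'http://shop.example/submit-booking.html', // unsigned: dropped
    'vpc_Version'   => '1',
    'vpc_ReturnURL' => 'http://shop.example/booking-complete.html',
    'vpc_Command'   => 'pay',
    'vpc_Amount'    => '58000',
];
echo migs_payment_url('https://migs.mastercard.com.au/vpcpay', $post, $secret), "\n";
```

Because the hash is computed over the decoded values and the query string is encoded only once, the gateway sees the same bytes after it decodes the request.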