thephpleague · judgej · Apr 27, 2019 · Mar 12, 2019 · Mar 12, 2019 · Mar 12, 2019
diff --git a/src/Message/SIMAuthorizeResponse.php b/src/Message/SIMAuthorizeResponse.php
@@ -44,4 +44,9 @@ public function getRedirectData()
     {
         return $this->getData();
     }
+
+    public function getTransactionId()
+    {
+        return isset($this->data[SIMAbstractRequest::TRANSACTION_ID_PARAM]) ? $this->data[SIMAbstractRequest::TRANSACTION_ID_PARAM] : null;
+    }
 }
diff --git a/src/Message/SIMCompleteAuthorizeRequest.php b/src/Message/SIMCompleteAuthorizeRequest.php
@@ -21,7 +21,7 @@ public function getTransactionId()
     public function getData()
     {
         // The hash sent in the callback from the Authorize.Net gateway.
-        $hash_posted = strtolower($this->httpRequest->request->get('x_MD5_Hash'));
+        $hash_posted = $this->getPostedHash($this->httpRequest);
 
         // The transaction reference generated by the Authorize.Net gateway and sent in the callback.
         $posted_transaction_reference = $this->httpRequest->request->get('x_trans_id');
@@ -30,7 +30,7 @@ public function getData()
         $posted_amount = $this->httpRequest->request->get('x_amount');
 
         // Calculate the hash locally, using the shared "hash secret" and login ID.
-        $hash_calculated = $this->getHash($posted_transaction_reference, $posted_amount);
+        $hash_calculated = $this->getHash($posted_transaction_reference, $posted_amount, $this->httpRequest);
 
         if ($hash_posted !== $hash_calculated) {
             // If the hash is incorrect, then we can't trust the source nor anything sent.
@@ -65,20 +65,107 @@ public function getData()
      * and x_amount) and it is those that should be checked against.
      * @param $transaction_reference
      * @param $amount
+     * @param $httpRequest
      * @return string
      */
-    public function getHash($transaction_reference, $amount)
+    public function getHash($transaction_reference, $amount, $httpRequest)
+    {
+        if (!empty($httpRequest) && $hash = $this->getSha512Hash($httpRequest)) {
+            return $hash;
+        } else {
+            return $this->getMd5Hash($transaction_reference, $amount);
+        }
+    }
+
+    /**
+     * Generate md5 hash.
+     *
+     * @param $transaction_reference
+     * @param $amount
+     * @return string
+     */
+    public function getMd5Hash($transaction_reference, $amount)
     {
         $key = array(
             $this->getHashSecret(),
             $this->getApiLoginId(),
             $transaction_reference,
             $amount,
-         );
+        );
 
         return md5(implode('', $key));
     }
 
+    /**
+     * Generate sha512 hash.
+     * Required fields are provided in Table 18 in https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf#page=73
+     * @param $httpRequest
+     * @return string|null
+     */
+    public function getSha512Hash($httpRequest)
+    {
+        $signatureKey = $this->getSignatureKey();
+        if (empty($signatureKey) || empty($httpRequest)) {
+            return null;
+        }
+
+        $hashData = implode('^', [
+            $httpRequest->request->get('x_trans_id'),
+            $httpRequest->request->get('x_test_request'),
+            $httpRequest->request->get('x_response_code'),
+            $httpRequest->request->get('x_auth_code'),
+            $httpRequest->request->get('x_cvv2_resp_code'),
+            $httpRequest->request->get('x_cavv_response'),
+            $httpRequest->request->get('x_avs_code'),
+            $httpRequest->request->get('x_method'),
+            $httpRequest->request->get('x_account_number'),
+            $httpRequest->request->get('x_amount'),
+            $httpRequest->request->get('x_company'),
+            $httpRequest->request->get('x_first_name'),
+            $httpRequest->request->get('x_last_name'),
+            $httpRequest->request->get('x_address'),
+            $httpRequest->request->get('x_city'),
+            $httpRequest->request->get('x_state'),
+            $httpRequest->request->get('x_zip'),
+            $httpRequest->request->get('x_country'),
+            $httpRequest->request->get('x_phone'),
+            $httpRequest->request->get('x_fax'),
+            $httpRequest->request->get('x_email'),
+            $httpRequest->request->get('x_ship_to_company'),
+            $httpRequest->request->get('x_ship_to_first_name'),
+            $httpRequest->request->get('x_ship_to_last_name'),
+            $httpRequest->request->get('x_ship_to_address'),
+            $httpRequest->request->get('x_ship_to_city'),
+            $httpRequest->request->get('x_ship_to_state'),
+            $httpRequest->request->get('x_ship_to_zip'),
+            $httpRequest->request->get('x_ship_to_country'),
+            $httpRequest->request->get('x_invoice_num'),
+        ]);
+        $hash = hash_hmac('sha512', '^' . $hashData . '^', hex2bin($signatureKey));
+        $hash = strtoupper($hash);
+
+        return $hash;
+    }
+
+    /**
+     * Get posted hash from the callback from the Authorize.Net gateway.
+     *
+     * @param $httpRequest
+     * @return string|null
+     */
+    public function getPostedHash($httpRequest)
+    {
+        if (empty($httpRequest)){
+            return null;
+        }
+
+        if ($signatureKey = $this->getSignatureKey()) {
+            return strtoupper($httpRequest->request->get('x_SHA2_Hash'));
+        }
+
+        return strtolower($httpRequest->request->get('x_MD5_Hash'));
+    }
+
     public function sendData($data)
     {
         return $this->response = new SIMCompleteAuthorizeResponse($this, $data);