Skip to main content

HMAC creation

Updated 

4 days ago

When creating the CheckHash parameter and verifying the OrderHash parameter HMAC_SHA256 should be used. The process works by concatenating the secret key and the message together and creating a hash using SHA256, it then concatenates the secret key and the hash and runs it through SHA256 to create the HMAC value.

HMAC_SHA256(secretkey, message) = SHA256(secretkey || SHA256(secretkey || message))

where message contains the data to be hashed. F.ex.

CheckHashMessage = MerchantId|ReturnUrlSuccess|ReturnUrlSuccessServer|OrderId|Amount|Currency
OrderHashMessage = OrderId|Amount|Currency

Examples

SecretKey = "1234567890abcdef"
CheckHashMessage = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"
CheckHash value = "275dcb516773c96a1856550c1b2126f35d501c5dc1b0ba2f73fdf617cecb7461"

OrderHashMessage = "TEST00000001|100|ISK"
OrderHash value = "d605531aa71c833edb59651652161e7845933d2f7d44d3697bc336e493befd25"

NOTE: If returnurlsuccessserver parameter is not present, the value of the returnurlsuccess parameter is used as returnurlsuccessserver.

A number of online HMAC generators can be used to verify the output of your implementation f.ex. https://www.freeformatter.com/hmac-generator.html.

NOTE: Never use production information when using online HMAC testers.

Following are examples of HMAC implementations in various programming languages:

C# using HMAC_SHA256

Example using the HMACSHA256 class.

string secretKey = "1234567890abcdef"; string message = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"; byte[] secretBytes = Encoding.UTF8.GetBytes(secretKey); HMACSHA256 hasher = new HMACSHA256(secretBytes); byte[] result = hasher.ComputeHash(Encoding.UTF8.GetBytes(message)); string checkhash = BitConverter.ToString(result).Replace("-", "");

PHP

Example using hash_hmac.

$secretKey = '1234567890abcdef'; $message = utf8_encode('9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'); $checkhash = hash_hmac('sha256', $message, $secretKey);

Python 2.7

Example using hmac.

#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = '1234567890abcdef' message = u'9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode('utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Python 3.4

Example using hmac.

#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = b'1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode(encoding='utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Ruby

Example using OpenSSL::HMAC.

# encoding: utf-8require'openssl' secret_key = '1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK' digest = OpenSSL::Digest.new('sha256') checkhash = OpenSSL::HMAC.hexdigest(digest, secret_key, message)

Java

Example using Mac

import java.util.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.xml

When creating the CheckHash parameter and verifying the OrderHash parameter HMAC_SHA256 should be used. The process works by concatenating the secret key and the message together and creating a hash using SHA256, it then concatenates the secret key and the hash and runs it through SHA256 to create the HMAC value.

HMAC_SHA256(secretkey, message) = SHA256(secretkey || SHA256(secretkey || message))

where message contains the data to be hashed. F.ex.

CheckHashMessage = MerchantId|ReturnUrlSuccess|ReturnUrlSuccessServer|OrderId|Amount|Currency
OrderHashMessage = OrderId|Amount|Currency

Examples

SecretKey = "1234567890abcdef"
CheckHashMessage = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"
CheckHash value = "275dcb516773c96a1856550c1b2126f35d501c5dc1b0ba2f73fdf617cecb7461"

OrderHashMessage = "TEST00000001|100|ISK"
OrderHash value = "d605531aa71c833edb59651652161e7845933d2f7d44d3697bc336e493befd25"

NOTE: If returnurlsuccessserver parameter is not present, the value of the returnurlsuccess parameter is used as returnurlsuccessserver.

A number of online HMAC generators can be used to verify the output of your implementation f.ex. https://www.freeformatter.com/hmac-generator.html.

NOTE: Never use production information when using online HMAC testers.

Following are examples of HMAC implementations in various programming languages:

C# using HMAC_SHA256

Example using the HMACSHA256 class.

string secretKey = "1234567890abcdef"; string message = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"; byte[] secretBytes = Encoding.UTF8.GetBytes(secretKey); HMACSHA256 hasher = new HMACSHA256(secretBytes); byte[] result = hasher.ComputeHash(Encoding.UTF8.GetBytes(message)); string checkhash = BitConverter.ToString(result).Replace("-", "");

PHP

Example using hash_hmac.

$secretKey = '1234567890abcdef'; $message = utf8_encode('9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'); $checkhash = hash_hmac('sha256', $message, $secretKey);

Python 2.7

Example using hmac.

#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = '1234567890abcdef' message = u'9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode('utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Python 3.4

Example using hmac.

#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = b'1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode(encoding='utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Ruby

Example using OpenSSL::HMAC.

# encoding: utf-8require'openssl' secret_key = '1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK' digest = OpenSSL::Digest.new('sha256') checkhash = OpenSSL::HMAC.hexdigest(digest, secret_key, message)

Java

Example using Mac

import java.util.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.xml

Was this article helpful?

Payment solutions
A card machine from people who care. Accept all major payment methods, send payment links and, get paid faster.
About us
Careers - we're hiring
Partnerships
Support
+44 128 389 6876
© Teya Services Ltd. 2023
Policy
Terms and conditions
Teya Services Ltd. is registered in England and Wales with the company number 12271069 and the registered address Third Floor, 20 Old Bailey, London, EC4M 7AN, United Kingdom. Teya Solutions Ltd. is authorised by the Financial Conduct Authority under the E-Money Regulations 2011 [Reference no. 978181] for the provision of payment services and issuing of electronic money.