HMAC creation

When creating the CheckHash parameter and verifying the OrderHash parameter, HMAC_SHA256 should be used. In outline, the process works by concatenating the secret key and the message and hashing the result with SHA256; it then concatenates the secret key and that hash and runs the result through SHA256 to create the HMAC value.

HMAC_SHA256(secretkey, message) = SHA256(secretkey || SHA256(secretkey || message))

where message contains the data to be hashed. For example:

CheckHashMessage = MerchantId|ReturnUrlSuccess|ReturnUrlSuccessServer|OrderId|Amount|Currency
OrderHashMessage = OrderId|Amount|Currency

Examples

SecretKey = "1234567890abcdef"
CheckHashMessage = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"
CheckHash value = "275dcb516773c96a1856550c1b2126f35d501c5dc1b0ba2f73fdf617cecb7461"

OrderHashMessage = "TEST00000001|100|ISK"
OrderHash value = "d605531aa71c833edb59651652161e7845933d2f7d44d3697bc336e493befd25"

NOTE: If the returnurlsuccessserver parameter is not present, the value of the returnurlsuccess parameter is used as returnurlsuccessserver.

A number of online HMAC generators can be used to verify the output of your implementation, for example https://www.freeformatter.com/hmac-generator.html.

NOTE: Never use production information when using online HMAC testers.
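
The message construction and OrderHash check described above, as an added Python 3 example that is not part of the original page or of Borgun's own code; the function and parameter names are assumptions, and it relies on the standard-library hmac module as the page's Python samples do. It applies the returnurlsuccessserver fallback, accepts upper- or lowercase hex, and compares hashes in constant time.

```python
import hashlib
import hmac


def hmac_sha256_hex(secret_key, message):
    """Lowercase hex HMAC-SHA256 of a UTF-8 message (standard-library HMAC)."""
    return hmac.new(secret_key.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def check_hash_message(merchant_id, return_url_success, order_id, amount,
                       currency, return_url_success_server=None):
    """MerchantId|ReturnUrlSuccess|ReturnUrlSuccessServer|OrderId|Amount|Currency"""
    # Per the NOTE above: a missing returnurlsuccessserver takes the value
    # of returnurlsuccess.
    server_url = return_url_success_server or return_url_success
    fields = (merchant_id, return_url_success, server_url,
              order_id, amount, currency)
    return "|".join(str(f) for f in fields)


def verify_order_hash(secret_key, order_id, amount, currency, received_hash):
    """True only if received_hash is the HMAC of OrderId|Amount|Currency."""
    expected = hmac_sha256_hex(secret_key, f"{order_id}|{amount}|{currency}")
    # Hex case differs between libraries (the C# sample yields uppercase),
    # so normalise before comparing.
    received = (received_hash or "").strip().lower()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"),
                               received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample using the page's test key, never a production key.
    key = "1234567890abcdef"
    msg = check_hash_message("9123456", "https://borgun.is", "TEST00000001",
                             100, "ISK", "https://borgun.is/success")
    print(msg)
    print(hmac_sha256_hex(key, msg))  # compare with the CheckHash value above
    order_hash = hmac_sha256_hex(key, "TEST00000001|100|ISK")
    print(verify_order_hash(key, "TEST00000001", 100, "ISK", order_hash.upper()))
    print(verify_order_hash(key, "TEST00000001", 999, "ISK", order_hash))
```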

Following are examples of HMAC implementations in various programming languages:

C# using HMAC_SHA256

Example using the HMACSHA256 class.

    using System;
    using System.Security.Cryptography;
    using System.Text;

    string secretKey = "1234567890abcdef";
    string message = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK";
    byte[] secretBytes = Encoding.UTF8.GetBytes(secretKey);
    HMACSHA256 hasher = new HMACSHA256(secretBytes);
    byte[] result = hasher.ComputeHash(Encoding.UTF8.GetBytes(message));
    // BitConverter.ToString yields uppercase hex separated by dashes; strip the dashes.
    string checkhash = BitConverter.ToString(result).Replace("-", "");

PHP

Example using hash_hmac.

    <?php
    $secretKey = '1234567890abcdef';
    // utf8_encode() converts ISO-8859-1 input to UTF-8 (deprecated since PHP 8.2).
    $message = utf8_encode('9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK');
    $checkhash = hash_hmac('sha256', $message, $secretKey);

Python 2.7

Example using hmac.

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import hmac
    import hashlib

    secret_key = '1234567890abcdef'
    message = u'9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode('utf-8')
    checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Python 3.4

Example using hmac.

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import hmac
    import hashlib

    secret_key = b'1234567890abcdef'
    message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode(encoding='utf-8')
    checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()

Ruby

Example using OpenSSL::HMAC.

    # encoding: utf-8
    require 'openssl'

    secret_key = '1234567890abcdef'
    message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'
    digest = OpenSSL::Digest.new('sha256')
    checkhash = OpenSSL::HMAC.hexdigest(digest, secret_key, message)

Java

Example using Mac.

import java.util.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.xml
