When creating the CheckHash parameter and verifying the OrderHash parameter HMAC_SHA256 should be used. The process works by concatenating the secret key and the message together and creating a hash using SHA256, it then concatenates the secret key and the hash and runs it through SHA256 to create the HMAC value.
HMAC_SHA256(secretkey, message) = SHA256(secretkey || SHA256(secretkey || message))where message contains the data to be hashed. F.ex.
CheckHashMessage = MerchantId|ReturnUrlSuccess|ReturnUrlSuccessServer|OrderId|Amount|Currency OrderHashMessage = OrderId|Amount|Currency
Examples
SecretKey = "1234567890abcdef" CheckHashMessage = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK" CheckHash value = "275dcb516773c96a1856550c1b2126f35d501c5dc1b0ba2f73fdf617cecb7461" OrderHashMessage = "TEST00000001|100|ISK" OrderHash value = "d605531aa71c833edb59651652161e7845933d2f7d44d3697bc336e493befd25"
NOTE: If returnurlsuccessserver parameter is not present, the value of the returnurlsuccess parameter is used as returnurlsuccessserver.
A number of online HMAC generators can be used to verify the output of your implementation f.ex. https://www.freeformatter.com/hmac-generator.html.
NOTE: Never use production information when using online HMAC testers.
Following are examples of HMAC implementations in various programming languages:
C# using HMAC_SHA256
Example using the HMACSHA256 class.
string secretKey = "1234567890abcdef"; string message = "9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK"; byte[] secretBytes = Encoding.UTF8.GetBytes(secretKey); HMACSHA256 hasher = new HMACSHA256(secretBytes); byte[] result = hasher.ComputeHash(Encoding.UTF8.GetBytes(message)); string checkhash = BitConverter.ToString(result).Replace("-", "");PHP
Example using hash_hmac.
$secretKey = '1234567890abcdef'; $message = utf8_encode('9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'); $checkhash = hash_hmac('sha256', $message, $secretKey);Python 2.7
Example using hmac.
#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = '1234567890abcdef' message = u'9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode('utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()Python 3.4
Example using hmac.
#!/usr/bin/env python# -*- coding: utf-8 -*-import hmac import hashlib secret_key = b'1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK'.encode(encoding='utf-8') checkhash = hmac.new(secret_key, msg=message, digestmod=hashlib.sha256).hexdigest()Ruby
Example using OpenSSL::HMAC.
# encoding: utf-8require'openssl' secret_key = '1234567890abcdef' message = '9123456|https://borgun.is|https://borgun.is/success|TEST00000001|100|ISK' digest = OpenSSL::Digest.new('sha256') checkhash = OpenSSL::HMAC.hexdigest(digest, secret_key, message)Java
Example using Mac
import java.util.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.xml