While integrating Ogone in a project for a client, I've found out that the list of parameters in the signatureIncomingParameters() and signatureOutgoingParameters() functions in OgonePaymentMethodController.inc is not up to date with the lists Ogone uses to calculate the SHA-IN and SHA-OUT hashes, which causes the payments not to be accepted because the hashes do not match. Mismatching hashes might indicate tampering with the request, so it makes sense that the requests are not accepted when the hashes don't match. But when the hashes never match because parameters that are used to calculate the hashes are missing, the Ogone module becomes unusable and no payments can be made.

For my implementation it was at least the PAYIDSUB and the MOBILEMODE parameters that were missing, but I've updated the two functions with all new parameters and removed the ones that are no longer used according to the Ogone documentation.

One can find the full list of parameters that are used for the SHA-IN and SHA-OUT hashes in Chapter 17 Appendix: List of Parameters to be included in SHA Calculations in https://secure.ogone.com/ncol/Ogone_e-Com-ADV_EN.pdf
While I had contact with the Ogone support they let me know that the PAYIDSUB should also be included in the signatureOutgoingParameters list. The document that is provided on this URL dates from 2015 and does not include the PAYIDSUB parameter, so I asked the Ogone support for confirmation in order to be sure this is the most recent version of the document or that they can point me in the direction of a newer version of the document, but I haven't yet had any feedback on it.

I'll provide a patch in a few minutes.
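
The failure mode described in this summary, as an added PHP example that is not code from the module or from Ogone: a genuine response signed with PAYIDSUB fails verification against a parameter list that lacks it, while the up-to-date list accepts it and still rejects a tampered amount. The function names, sample values, passphrase, SHA-1 choice, and the sort-by-name and skip-empty-values rules are assumptions made for the illustration.

```php
<?php
// Added illustration; not code from the Ogone module. Parameter values, the
// passphrase and the choice of SHA-1 are constructed for the example.

/**
 * Builds the signature over the whitelisted parameters only (assumed rules):
 * uppercase names, empty values skipped, sorted by name, each element
 * formatted as NAME=value followed by the passphrase.
 */
function example_signature(array $data, array $whitelist, string $passphrase, string $algo = 'sha1'): string {
  $data = array_change_key_case($data, CASE_UPPER);
  ksort($data, SORT_STRING);
  $signature_data_string = '';
  foreach ($data as $data_parameter => $value) {
    if (in_array($data_parameter, $whitelist, TRUE) && strlen((string) $value) > 0) {
      $signature_data_string .= $data_parameter . '=' . $value . $passphrase;
    }
  }
  return strtoupper(hash($algo, $signature_data_string));
}

/** Verifies a received SHASIGN with a constant-time comparison. */
function example_verify(array $feedback, array $whitelist, string $passphrase): bool {
  $received = strtoupper((string) ($feedback['SHASIGN'] ?? ''));
  unset($feedback['SHASIGN']);
  return hash_equals(example_signature($feedback, $whitelist, $passphrase), $received);
}

// Constructed feedback, signed the way the gateway would: PAYIDSUB included.
$passphrase = 'example-sha-out-passphrase';
$gateway_list = ['AMOUNT', 'CURRENCY', 'ORDERID', 'PAYID', 'PAYIDSUB', 'STATUS'];
$feedback = ['orderID' => '1001', 'amount' => '15', 'currency' => 'EUR',
  'PAYID' => '32100123', 'PAYIDSUB' => '1', 'STATUS' => '9'];
$feedback['SHASIGN'] = example_signature($feedback, $gateway_list, $passphrase);

// Case 1: outdated list without PAYIDSUB, applied to the genuine response.
$stale_list = array_diff($gateway_list, ['PAYIDSUB']);
var_dump(example_verify($feedback, $stale_list, $passphrase));

// Case 2: up-to-date list, same genuine response.
var_dump(example_verify($feedback, $gateway_list, $passphrase));

// Case 3: up-to-date list, amount altered after signing.
$tampered = ['amount' => '1'] + $feedback;
var_dump(example_verify($tampered, $gateway_list, $passphrase));
```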


baekelandt’s picture

Patch with all the new/updated signature parameters used for calculating the SHA-IN and SHA-OUT hashes

baekelandt’s picture

Note: the PAYIDSUB parameter is available since Platform release 04.114 which was released on 2016-05-25
Extract from release notes:

Parameter PAYIDSUB is now available in Dynamic Parm list
PAYIDSUB is the ID indicating the history level of a transaction. Merchants can use PAYIDSUB for partial maintenance. E.g. make a partial refund on a specific partial capture, and store the information on their end as well. They can also track how many attempts were needed before the transaction got the latest status. PAYIDSUB can now be selected as dynamic parameter in the BO. Once selected, the value will be included in the PostSale - Status Change output.

Bart Vanhoutte’s picture

Status: Active » Needs review

Arne Slabbinck’s picture

Thanks for the effort! I'll test this patch today.

BarisW’s picture

Status: Needs review » Reviewed & tested by the community

Great patch

baekelandt’s picture

Status: Reviewed & tested by the community » Needs review

In the latest release of the Ingenico e-Commerce Solutions platform 4.118 they've changed the parameter list again, so I've updated this patch accordingly.

Details:
signatureIncomingParameters()
+ 'INITIAL_REC_TRN',
- 'PAYMENTOCCURRENCE',
+ 'SIGNDATE',
+ 'XDL',

signatureOutgoingParameters()
- 'NCERRORCARDNO',
- 'NCERRORCN',
- 'NCERRORCVC',
- 'NCERRORED',

Status: Needs review » Needs work

The last submitted patch, 7: ogone_signature_parameters-2753493-7.patch, failed testing.

Floris Vedder’s picture

With a slightly different cause I also get this issue.
In my case the signature parameters differ because of custom Ogone settings done by my client,
as well as a different position of the passphrase (only at the end).

Because the parameters and the passphrase position can be different I made a patch where this can be changed in the config.

Floris Vedder’s picture

Continuing with the functionality I was building it appeared that I also needed a different solution for the signature parameter parts. For example with or without their parameter label, the '=' sign or the passphrase.

Now this is:
$signature_data_string .= strtoupper($data_parameter) . '=' . $value . $passphrase;

In my case I only need:
$signature_data_string .= $value;

To also include this kind of customization in the module I changed that to a configurable pattern that works with token_replace.
So with the included patch one can now also easily configure what the signature element structure looks like.
For example the current default: [hash_signature:data-parameter]=[hash_signature:data-value][hash_signature:passphrase]
Or only the value: [hash_signature:data-value]

Mind that this patch replaces my #8 patch and uses the same update hook: 7001

Floris Vedder’s picture

Small typo fix.
Replaced: explode("\n\r", $data);
With: explode("\r\n", $data);

behindthepage’s picture

Attention: Patches 8 - 10 are not related to patches 2 and 7, which address the changes that Ogone has made to their incoming and outgoing signature parameters. So if you want to update to the latest, patch 7 is the one to apply.