While integrating Ogone in a project for a client, I've found out that the list of parameters in the signatureIncomingParameters() and signatureOutgoingParameters() functions in OgonePaymentMethodController.inc is not up to date with the lists Ogone uses to calculate the SHA-IN and SHA-OUT hashes, which causes the payments to not be accepted due to non-matching hashes. Mismatching hashes might indicate tampering with the request, so it makes sense that the requests are not accepted when the hashes don't match. But when the hashes never match because of a lack of parameters that are used to calculate the hashes, the Ogone module becomes unusable and no payments can be made.
For my implementation it was at least the PAYIDSUB and the MOBILEMODE parameters that were missing, but I've updated the two functions with all new parameters and removed the ones that are no longer used according to the Ogone documentation.
One can find the full list of parameters that are used for the SHA-IN and SHA-OUT hashes in Chapter 17 Appendix: List of Parameters to be included in SHA Calculations in https://secure.ogone.com/ncol/Ogone_e-Com-ADV_EN.pdf
When I was in contact with Ogone support, they let me know that PAYIDSUB should also be included in the signatureOutgoingParameters list. The document that is provided on this URL dates from 2015 and does not include the PAYIDSUB parameter, so I asked Ogone support for confirmation in order to be sure this is the most recent version of the document, or that they can point me in the direction of a newer version of the document, but I haven't had any feedback on it yet.
I'll provide a patch in a few minutes.
Comments
Comment #2
baekelandt at Duo commented
Patch with all the new/updated signature parameters used for calculating the SHA-IN and SHA-OUT hashes
Comment #3
baekelandt at Duo commented
Note: the PAYIDSUB parameter is available since Platform release 04.114, which was released on 2016-05-25
Extract from release notes:
Comment #4
Bart Vanhoutte at Duo commented
Comment #5
Arne Slabbinck as a volunteer commented
Thanks for the effort! I'll test this patch today.
Comment #6
BarisW at LimoenGroen for gemeente Leidschendam-Voorburg commented
Great patch
Comment #7
baekelandt at Duo commented
In the latest release of the Ingenico e-Commerce Solutions platform 4.118 they've changed the parameter list again, so I've updated this patch accordingly.
Details:
signatureIncomingParameters()
+ 'INITIAL_REC_TRN',
- 'PAYMENTOCCURRENCE',
+ 'SIGNDATE',
+ 'XDL',
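Review bot: in signatureIncomingParameters(), dropping 'PAYMENTOCCURRENCE' means a request that still carries that field no longer has it covered by the SHA-IN hash on the module side. Check whether the module or any submodule still sends it, and if so remove it from the request as well, so the fields sent and the fields signed stay in step.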
signatureOutgoingParameters()
- 'NCERRORCARDNO',
- 'NCERRORCN',
- 'NCERRORCVC',
- 'NCERRORED',
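Review bot: the four NCERROR* removals in signatureOutgoingParameters() carry no record of which platform release the list now matches. Add a code comment on the list naming the release it was checked against (4.118 per this comment), so a later SHA-OUT mismatch can be traced to a list change rather than to tampering.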
Comment #9
Floris Vedder commented
With a slightly different cause I also get this issue.
In my case the signature parameters differ because of custom Ogone settings done by my client, as well as a different position of the passphrase (only at the end).
Because the parameters and the passphrase position can be different, I made a patch where this can be changed in the config.
Comment #10
Floris Vedder at Atom commented
Continuing with the functionality I was building, it appeared that I also needed a different solution for the signature parameter parts. For example with or without their parameter label, the '=' sign or the passphrase.
Now this is:
$signature_data_string .= strtoupper($data_parameter) . '=' . $value . $passphrase;
In my case I only need:
$signature_data_string .= $value;
To also include this kind of customization in the module, I replaced that with a configurable pattern that works with token_replace.
So with the included patch one can now also easily configure what the signature element structure looks like.
For example the current default: [hash_signature:data-parameter]=[hash_signature:data-value][hash_signature:passphrase]
Or only the value: [hash_signature:data-value]
Mind that this patch replaces my #8 patch and uses the same update hook: 7001
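The signature construction discussed in this thread, as an added PHP example that is not the module's code or any of the attached patches. The function names and the two shortened allowlists are hypothetical, the feedback values are constructed, and SHA-1 with uppercased, alphabetically sorted, non-empty parameters is assumed as the gateway's default scheme. It shows why an allowlist that lacks PAYIDSUB can never verify a SHA-OUT hash that was computed with it.

```php
<?php
// Shortened, constructed allowlists (hypothetical), not the module's real lists.
const SHA_OUT_OLD = ['AMOUNT', 'CURRENCY', 'NCERROR', 'ORDERID', 'PAYID', 'STATUS'];
const SHA_OUT_NEW = ['AMOUNT', 'CURRENCY', 'NCERROR', 'ORDERID', 'PAYID', 'PAYIDSUB', 'STATUS'];

/**
 * Builds the signature: allowlisted, non-empty parameters, keys uppercased
 * and sorted, each rendered as KEY=value followed by the passphrase.
 */
function ogone_example_signature(array $data, array $allowed, string $passphrase, string $algo = 'sha1'): string {
  $signed = [];
  foreach ($data as $name => $value) {
    $name = strtoupper($name);
    if (in_array($name, $allowed, TRUE) && (string) $value !== '') {
      $signed[$name] = (string) $value;
    }
  }
  ksort($signed, SORT_STRING);
  $string = '';
  foreach ($signed as $name => $value) {
    $string .= $name . '=' . $value . $passphrase;
  }
  return strtoupper(hash($algo, $string));
}

/** Verifies the SHASIGN of a feedback request with a constant-time compare. */
function ogone_example_verify(array $feedback, array $allowed, string $passphrase): bool {
  $feedback = array_change_key_case($feedback, CASE_UPPER);
  $received = strtoupper((string) ($feedback['SHASIGN'] ?? ''));
  unset($feedback['SHASIGN']);
  return hash_equals(ogone_example_signature($feedback, $allowed, $passphrase), $received);
}

// Constructed feedback, signed the way a gateway that includes PAYIDSUB would.
$passphrase = 'constructed-passphrase';
$feedback = ['orderID' => '1001', 'amount' => '15.00', 'currency' => 'EUR',
  'PAYID' => '32100123', 'PAYIDSUB' => '1', 'STATUS' => '9', 'NCERROR' => '0'];
$feedback['SHASIGN'] = ogone_example_signature($feedback, SHA_OUT_NEW, $passphrase);

var_dump(ogone_example_verify($feedback, SHA_OUT_OLD, $passphrase)); // stale list
var_dump(ogone_example_verify($feedback, SHA_OUT_NEW, $passphrase)); // updated list
```

The stale list fails on untampered feedback, which is the symptom described in the issue summary. The fix is to update the list, not to relax the comparison.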
Comment #11
Floris Vedder at Atom commented
Small typo fix.
Replaced: explode("\n\r", $data);
With: explode("\r\n", $data);
Comment #12
behindthepage as a volunteer commented
Attention: Patches 8 - 10 are not related to patches 2 and 7, which address the changes that Ogone has made to their incoming and outgoing signature parameters. So if you want to update to the latest, patch 7 is the one to apply.