SagePay Server Integration Verify Signature

Question

I'm trying to integrate into SagePay using PHP and the Protocol documents. However I seem to be having a problem with the MD5 hash!

Everything up to the point where we receive the notification POST is fine. However when we go to verify the signature it doesn't match the one in the notification POST??? Yet I have followed the document to the letter and quadruple checked everything. As well as changing things outside the scope of the document thinking there might be a typo etc..???? Any help much appreciated!!!

A2: Acknowledged response on first POST.

3.00,OK,2014 : The Transaction was Registered Successfully.,{4483C552-6078-6D1C-E37C-294B89DB1DCA},O9WQNAKEHJ,<https://test.sagepay.com/gateway/service/cardselection?vpstxid={4483C552-6078-6D1C-E37C-294B89DB1DCA}>

A3: Notification POST to callback.

VPSProtocol,TxType,VendorTxCode,VPSTxId,Status,StatusDetail,TxAuthNo,AVSCV2,AddressResult,PostCodeResult,CV2Result,GiftAid,3DSecureStatus,CAVV,CardType,Last4Digits,VPSSignature,DeclineCode,ExpiryDate,BankAuthCode

3.00,DEFERRED,m-5367c2da33a72,{4483C552-6078-6D1C-E37C-294B89DB1DCA},OK,0000 : The Authorisation was Successful.,6953629,SECURITY CODE MATCH ONLY,NOTMATCHED,NOTMATCHED,MATCHED,0,OK,AAABARR5kwAAAAAAAAAAAAAAAAA=,VISA,0006,CB2EFFBC5A872B26DA0AA50F85DD1FEA,00,0115,999777

I build the string based on this:

    $string = $this->getSagePayTxID()
    .$this->getVendorTxCode()
    .$this->getSagePayStatus()
    .$this->getTxAuthNo()
    .SAGEPAY_VENDOR
    .$this->getAVSCV2()
    .$this->getSecurityKey()
    .$this->getAddressResult()
    .$this->getPostCodeResult()
    .$this->getCV2Result()
    .$this->getGiftAid()
    .$this->get3DSecureStatus()
    .$this->getCAVV()
    .$this->getCardType()
    .$this->getLast4Digits()
    .$this->getDeclineCode()
    .$this->getExpiryDate()
    .$this->getFraudResponse()
    .$this->getBankAuthCode();

    if($signature == strtoupper(md5($string)))
    {
        return TRUE;
    }
    else
    {
        return FALSE;    
    }

The string produced is this:

{4483C552-6078-6D1C-E37C-294B89DB1DCA}m-5367c2da33a72OK6953629atbristolltdSECURITY CODE MATCH ONLYO9WQNAKEHJNOTMATCHEDNOTMATCHEDMATCHED0OKAAABARR5kwAAAAAAAAAAAAAAAAA=VISA0006000115999777

Thanks for any help!!!

Answer 1

The string you build doesn't seem to match the documentation, which states:

MD5 signature of the concatenation of the values of: VPSTxId + VendorTxCode + Status + TxAuthNo + VendorName+ AVSCV2 + SecurityKey + AddressResult + PostCodeResult + CV2Result + GiftAid + 3DSecureStatus + CAVV + AddressStatus + PayerStatus + CardType + Last4Digits + DeclineCode + ExpiryDate + FraudResponse + BankAuthCode.

NOTE: MD5 value is returned in UPPER CASE.

Please ensure the VendorName is LOWER CASE prior to hashing. Use urldecode to reverse the urlencoding you received from Sagepay If a field is returned without a value this should not be be checked against the string

Compare the fields after CAVV with your fields. Yours seems to be missing the AddressStatus and PayerStatus.

Also, I don't think @dav83's number (3) in his comment is correct. In my code where it's working correctly, my VPSTxId does contain the curly braces (just like in your example).

Answer 2

This was in fact due to URL encoding in the end.

The 'html_entity_decode' was required for the VPSTxId. The POST needs to be urlencode and the response needs to be urldecode.