Signature Generation
To protect against malicious attacks and the hijacking of browser sessions, Certegy Ezi-Pay implements a signing mechanism based on HMAC-SHA256. This section explains how to use HMAC-SHA256 to sign and verify requests.
The example below shows how a PHP-based shopping platform can implement a method that generates the signature.
PHP Example
Below is a PHP code snippet that demonstrates how a signature might be generated in the context of Certegy Ezi-Pay:
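    function certegy_ezipay_sign($query, $api_key)
    {
        $clear_text = '';
        // Sort by key so both sides build the same string; values stay attached to their keys.
        ksort($query);
        foreach ($query as $key => $value) {
            // Only fields whose name starts with "x_" are covered by the signature.
            if (substr($key, 0, 2) === "x_") {
                $clear_text .= $key . $value;
            }
        }
        // Keyed hash of the concatenated fields, using the merchant API key as the HMAC key.
        $hash = hash_hmac("sha256", $clear_text, $api_key);
        // Remove any '-' characters from the digest string.
        return str_replace('-', '', $hash);
    }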
Note first that the method expects two parameters, $query and $api_key. $query holds the key-value pairs that form your HTTP POST request; they vary depending on the information entered during the checkout process on your shopping cart.
The $api_key parameter is the API Key that is unique to every merchant. It should only change once the API key has been changed on the Certegy Ezi-Pay side.
Having received the two parameters, the certegy_ezipay_sign method sorts the key-value pairs alphabetically by key while maintaining the correlation between the keys and their respective values.
The method then goes through the key-value pairs in $query, checks each key for the x_ prefix, and appends each matching key and its value to the clear text.
Finally, the method computes the keyed hash value using the hash_hmac function.
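The verification side of the same scheme, as an added example that is not Certegy Ezi-Pay's own code: it recomputes the HMAC over the received x_ fields and compares it with the supplied signature in constant time. The signature field name (x_signature here), the other field names, and the API key are assumptions constructed for the example.

```php
<?php
// Added example. Same construction as the page's certegy_ezipay_sign():
// sort by key, concatenate key.value for x_-prefixed fields, HMAC-SHA256.
function example_sign(array $fields, string $api_key): string
{
    ksort($fields);
    $clear_text = '';
    foreach ($fields as $key => $value) {
        if (substr((string) $key, 0, 2) === 'x_') {
            $clear_text .= $key . $value;
        }
    }
    return hash_hmac('sha256', $clear_text, $api_key);
}

// Verify a received request. $sig_field is an assumed name for the field
// that carries the signature; it is removed before the HMAC is recomputed.
function example_verify(array $fields, string $api_key, string $sig_field = 'x_signature'): bool
{
    if (!isset($fields[$sig_field]) || !is_string($fields[$sig_field])) {
        return false; // unsigned or malformed request
    }
    $received = strtolower($fields[$sig_field]);
    unset($fields[$sig_field]);
    foreach ($fields as $value) {
        if (!is_scalar($value)) {
            return false; // nested arrays would not concatenate predictably
        }
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals(example_sign($fields, $api_key), $received);
}

// Constructed sample data.
$api_key = 'constructed-test-key';
$request = [
    'x_amount'    => '100.00',
    'x_currency'  => 'AUD',
    'x_reference' => 'ORDER-1001',
    'utm_source'  => 'newsletter', // no x_ prefix, so not covered by the signature
];
$request['x_signature'] = example_sign($request, $api_key);

$tampered = $request;
$tampered['x_amount'] = '1.00';          // field changed after signing
$unsigned = $request;
unset($unsigned['x_signature']);         // signature field removed

var_dump(example_verify($request, $api_key));
var_dump(example_verify($tampered, $api_key));
var_dump(example_verify($unsigned, $api_key));
```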