<?php
namespace Dfe\PostFinance;
use Dfe\PostFinance\W\Event;
/**
* 2017-08-20
* SHA-IN:
* *) All parameters that you send
* (and that appear in the list in List of parameters to be included in SHA-IN calculation)
* will be included in the string-to-hash;
* *) All parameter names should be in UPPERCASE (to avoid any case confusion);
* *) All parameters have to be arranged alphabetically;
* *) Parameters that do not have a value should NOT be included in the string to hash;
* *) Some sorting algorithms place special characters in front of the first letter of the alphabet,
* while others place them at the end. If in doubt, please respect the order as displayed in the SHA-list;
* *) When you choose to transfer your test account to production via the link in the account menu,
* a random SHA-IN passphrase will be automatically configured in your production account;
* *) For extra safety, we request that you use different SHA passphrases in test and production.
* If they are found to be identical, your TEST passphrase will be changed by our system
* (you do get a notification mail for this).
* https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce#shainsignature
*
* SHA-OUT:
* *) All sent parameters (that appear in the SHA-OUT Parameter list), will be included in the string to hash.
* *) All parameters need to be sorted alphabetically.
* *) Parameters that do not have a value should NOT be included in the string to hash.
* *) Even though some parameters are (partially) returned in lower case by our system,
* for the SHA-OUT calculation each parameter must be put in upper case.
* *) When you choose to transfer your test account to production via the link in the back-office menu,
* a random SHA-OUT passphrase will be automatically configured in your production account.
* For extra safety, we request that you use different SHA passphrases for TEST and PROD.
* Please note that if they are found to be identical,
* your TEST passphrase will be changed by our system (you will of course be notified).
* https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
*
* 2017-08-21
* «List of parameters to be included in SHA-IN calculation»:
* https://e-payment-postfinance.v-psp.com/~/media/kdb/integration%20guides/sha-in_params.ashx?la=en
* «SHA-OUT Parameter list»:
* https://e-payment-postfinance.v-psp.com/~/media/kdb/integration%20guides/sha-out_params.ashx?la=en
* @method Settings s()
*/
final class Signer extends \Df\PaypalClone\Signer {
    /**
     * 2017-08-21
     * Computes the PostFinance SHA signature over the parameters returned by @see v():
     * SHA-IN for an outgoing payment request, SHA-OUT for the gateway's transaction feedback.
     * The string-to-hash is «PARAMETER=value» for every parameter that has a value,
     * each followed by the passphrase, with the parameters sorted alphabetically by their uppercased names.
     * https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/security-pre-payment-check#shainsignature_creatingthestring
     * https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
     * @override
     * @see \Df\PaypalClone\Signer::sign()
     * @used-by \Df\PaypalClone\Signer::_sign()
     * @return string the uppercased hexadecimal digest, computed with the algorithm from @see Settings::hashAlgorithm()
     */
    final protected function sign():string {
        $cfg = $this->s(); /** @var Settings $cfg */
        $params = $this->v(); /** @var array(string => mixed) $params */
        # 2017-08-21
        # `SHASIGN` («SHA signature calculated by our system») only comes back in the gateway's feedback,
        # so its presence decides between SHA-OUT (`password2()`) and SHA-IN (`password1()`).
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#feedbackparameters
        # NOTE(review): this check and the unset() below are case-sensitive on Event::K_SIGNATURE
        # and run before the keys are uppercased; confirm that v() delivers the signature key in the constant's case,
        # otherwise a feedback would be treated as SHA-IN and the signature itself would end up in the string-to-hash.
        $isFeedback = isset($params[Event::K_SIGNATURE]);
        $passphrase = $isFeedback ? $cfg->password2() : $cfg->password1(); /** @var string $passphrase */
        # The signature is never hashed: drop it before composing the string.
        unset($params[Event::K_SIGNATURE]);
        # Step 1. Uppercase the parameter names.
        # SHA-IN: «All parameter names should be in UPPERCASE (to avoid any case confusion)».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/security-pre-payment-check#shainsignature_creatingthestring
        # SHA-OUT: «Even though some parameters are (partially) returned in lower case by our system,
        # for the SHA-OUT calculation each parameter must be put in upper case».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
        # The `marlon-ogone` library does the same: `$parameters = array_change_key_case($parameters, CASE_UPPER);`
        # https://github.com/marlon-be/marlon-ogone/blob/3.1.3/lib/Ogone/ParameterFilter/GeneralParameterFilter.php#L18
        $upper = dfa_key_uc($params);
        # Step 2. SHA-IN, SHA-OUT: «Parameters that do not have a value should NOT be included in the string to hash».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/security-pre-payment-check#shainsignature_creatingthestring
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
        # `marlon-ogone` trims the values and keeps only those with a non-zero length;
        # @uses df_clean() is our counterpart of that filter.
        # https://github.com/marlon-be/marlon-ogone/blob/3.1.3/lib/Ogone/ParameterFilter/GeneralParameterFilter.php#L19-L23
        $nonEmpty = df_clean($upper);
        # Step 3. Alphabetical order.
        # SHA-IN: «All parameters have to be arranged alphabetically».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/security-pre-payment-check#shainsignature_creatingthestring
        # SHA-OUT: «All parameters need to be sorted alphabetically».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
        # `marlon-ogone`: `ksort($parameters);`
        # https://github.com/marlon-be/marlon-ogone/blob/3.1.3/lib/Ogone/ShaComposer/AllParametersShaComposer.php#L52
        # A plain @uses ksort() is enough here because the keys are already uppercased
        # (compare with @see \Dfe\AllPay\Signer::sign(), which has to work harder):
        # https://github.com/mage2pro/allpay/blob/1.6.20/Signer.php#L18-L41
        ksort($nonEmpty);
        # Step 4. Compose the string-to-hash.
        # SHA-IN: «The string that will be hashed is constructed by concatenating the values of the fields
        # sent with the order, sorted alphabetically, in the format ‘PARAMETER=value’.
        # Each parameter with its value is followed by a passphrase.».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/security-pre-payment-check#shainsignature_creatingthestring
        # SHA-OUT: «The string to hash is constructed by concatenating the values of the fields sent with the order
        # (sorted alphabetically, in the format ‘parameter=value’), followed by a passphrase.».
        # https://e-payment-postfinance.v-psp.com/en/en/guides/integration%20guides/e-commerce/transaction-feedback#redirectionwithdatabaseupdate_shaout
        # `marlon-ogone` builds the same string in a loop:
        # https://github.com/marlon-be/marlon-ogone/blob/3.1.3/lib/Ogone/ShaComposer/AllParametersShaComposer.php#L54-L60
        $pair = function(string $k, $v) use($passphrase):string {return "$k=$v$passphrase";};
        $toHash = implode('', df_map_k($pair, $nonEmpty));
        # Step 5. Hash and uppercase.
        # The documentation never mentions the case of the digest; `marlon-ogone` uppercases it and so do we.
        # @see hash() itself returns lowercase hexadecimal:
        # https://github.com/mage2pro/postfinance/blob/0.0.8/Source/Hash/Algorithm.php#L9-L11
        # NOTE(review): whoever compares this result with the gateway's `SHASIGN`
        # (presumably @see \Df\PaypalClone\Signer::_sign()) should do so with a constant-time comparison
        # such as hash_equals(); verify that there — this method only computes the digest.
        return strtoupper(hash($cfg->hashAlgorithm(), $toHash));
    }
}