
Using ColdFusion, we're trying to process a customer payment by submitting details to Sage Pay.

We're getting errors 500 and 5080 no matter what we submit.

Our submitted crypt differs from the received version in a strange way: the first 1450 characters are identical. Then a small section at the end is removed and a new, longer chunk is substituted.

We've looked at the Base64 options that have been suggested previously as a result of 12 bytes being received instead of 16, but that doesn't seem to solve the problem.

Has anyone seen this before and could anyone suggest things we could try to complete a purchase?

PLEASE! Gaz

Update from Kraig Johnson

Link to the specification PDF: https://www.opayo.ie/file/21086/download-document/FORM_Integration_and_Protocol_Guidelines_130515.pdf?token=FF7jKOvWemRFvw6UhEGOH1ULUpJBiXYIZKHSkhkl2II

Sage specifically states in the guide,

"The requirement is to encrypt the string as AES (block size 128-bit) in CBC mode with PKCS#5 padding using the provided password as both the key and initialisation vector and encode the result in hex."

If we don't encode it in base64 first, we get an invalid bit length error - 12 bytes.

stuff is our string to encode and EncryptionPassword is our key.

// Raw password bytes; reused below as the 128-bit IV.
keyIVBytes = charsetDecode(EncryptionPassword, "utf-8");
// encrypt() reads an AES key as base64, so encode the raw bytes instead of passing the password text.
base64Key = binaryEncode(keyIVBytes, "base64");
// AES-128-CBC, PKCS#5 padding, hex output; the fifth argument is the IV.
crypt = encrypt(stuff, base64Key, "AES/CBC/PKCS5Padding", "hex", keyIVBytes);
    We would probably need to see some code... – TRose Feb 03 '21 at 15:51
  • Yeah, where are the API docs for the endpoint you're using and how are you crafting the data to send? Does the error returned from the API contain any messages or just the error codes? – Adrian J. Moreno Feb 03 '21 at 16:13
  • Please see Kraig information hope you can help – Gary Basso Feb 03 '21 at 16:57
  • How long is the input `stuff` that you are encoding, when it results in the first 1450 characters being identical? How long is your calculated `crypt` in this case, and how long is the received `crypt` that SagePay was expecting? ie trying to establish what proportion of your crypt matches. – Sev Roberts Feb 03 '21 at 16:59
  • Also what versions of CF and Java are you using? – Sev Roberts Feb 03 '21 at 17:00
  • See below Sev Lucee 5.3.3.62 / Gelert Java 1.8.0_271 64 Bit on Windows Server 2016 (10.0) 64 Bit – Gary Basso Feb 03 '21 at 17:19
  • Have you tested your code using the sample key + input + result from page 37 of the SagePay integration doc? Because if I throw the SagePay sample with Kraig's code below into a fiddle, it works. Eg https://trycf.com/gist/df472dd7a4f53c7b30f95bbf84f64697/lucee5 – Sev Roberts Feb 03 '21 at 17:50
  • But at first I only got the first 10% of characters matching until I realised where the whitespace was supposed to be in their test request. So if you're only getting a small bit non matching at the end, I suspect it's because your app or your webserver is adding something extra to the request body that SagePay sees but which you haven't accounted for in the encryption input. Perhaps a CSRF token appended somewhere? Or there's trailing whitespace on the request you're sending but you've trimmed it when encrypting? – Sev Roberts Feb 03 '21 at 17:53
  • I used #trim(theString)#, pre-encryption AND post-encryption to make sure there were no leading or trailing spaces. Same error still. – Gary Basso Feb 03 '21 at 18:55
  • So now we're looking at: stuff = trim(stuff); keyIVBytes = charsetDecode(EncryptionPassword, "utf-8"); base64Key = binaryEncode(keyIVBytes, "base64"); crypt=encrypt(stuff, base64Key,"AES/CBC/PKCS5Padding", "hex", keyIVBytes); crypt=trim(crypt); – Gary Basso Feb 03 '21 at 18:56
  • We are really struggling to get this to work and looking for any assistance in this matter. – Gary Basso Feb 03 '21 at 20:25
  • I asked quite a few questions which haven't been answered yet. Try going back through the comments and responding to each of those questions individually, then we have a better chance of helping. – Sev Roberts Feb 04 '21 at 09:52

1 Answer


Link to the specification PDF: https://www.opayo.ie/file/21086/download-document/FORM_Integration_and_Protocol_Guidelines_130515.pdf?token=FF7jKOvWemRFvw6UhEGOH1ULUpJBiXYIZKHSkhkl2II

I am the developer working on the SagePay form integration. Sage specifically states in the guide, "The requirement is to encrypt the string as AES (block size 128-bit) in CBC mode with PKCS#5 padding using the provided password as both the key and initialisation vector and encode the result in hex."

If we don't encode it in base64 first, we get an invalid bit length error - 12 bytes.

"stuff" is our string to encode and EncryptionPassword is our key.

// Raw password bytes; reused below as the 128-bit IV.
keyIVBytes = charsetDecode(EncryptionPassword, "utf-8");
// encrypt() reads an AES key as base64, so encode the raw bytes instead of passing the password text.
base64Key = binaryEncode(keyIVBytes, "base64");
// AES-128-CBC, PKCS#5 padding, hex output; the fifth argument is the IV.
crypt = encrypt(stuff, base64Key, "AES/CBC/PKCS5Padding", "hex", keyIVBytes);
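Added example, not code from the question, the answer or Sage Pay: the same transformation the ColdFusion snippet (in both the question's update and this answer) performs, written in Go against the standard library so the output of encrypt() can be cross-checked independently, as Sev suggests doing with the sample on page 37 of the guide. It assumes the password is exactly 16 bytes (what AES-128 needs) and the field string in the test is constructed; the decrypt side exists so a received crypt can be decoded and compared with what was sent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
)

// AES-128 needs exactly 16 key bytes. ColdFusion's encrypt() reads its key argument as
// base64, so a raw 16-character password decodes to only 12 bytes, which is why the
// question base64-encodes the password bytes before passing them as the key.
var errKeyLen = errors.New("password must be exactly 16 bytes for AES-128")

// SagePayEncrypt: AES-128-CBC, PKCS#5 padding, password as both key and IV, hex out.
func SagePayEncrypt(password, plain string) (string, error) {
	k := []byte(password)
	if len(k) != aes.BlockSize {
		return "", errKeyLen
	}
	block, _ := aes.NewCipher(k)                  // cannot fail: length validated above
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#5 pad length, always 1..16
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

// SagePayDecrypt reverses it so a received crypt can be compared field by field with
// what was sent; malformed hex, block length or padding is rejected rather than guessed.
func SagePayDecrypt(password, cryptHex string) (string, error) {
	k := []byte(password)
	if len(k) != aes.BlockSize {
		return "", errKeyLen
	}
	ct, err := hex.DecodeString(cryptHex)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("crypt is not hex of whole AES blocks")
	}
	block, _ := aes.NewCipher(k)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#5 padding")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Because the IV is fixed to the password, the same input always yields the same hex, so two runs that differ can only mean the input bytes differed (trailing whitespace, an extra field, a different charset), which is the comparison the comment thread is asking for.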