Sagepay 2.22 到 3.00 表单升级 - PHP 更新到 AES 加密

Sagepay 2.22 to 3.00 form upgrade - PHP update to AES encryption

我一直在尝试了解如何将我公司的三个电子商务网站的代码中使用的加密从 simpleXor 升级到 AES 加密,但没有成功。如果不这样做,我将无法升级其余代码,这意味着 7 月之后我们将无法在线进行任何付款。

我已根据升级到 3.00 的要求更新了加密表单代码。

我可以识别加密代码并查看了来自 Sagepay 的 PHP 的表单集成演示下载,但找不到任何看起来与我的加密代码相似的东西?!

有人能给我指出正确的方向,让我找到合适的加密代码来替换旧的吗?

我们的网站基于 JShop,我有一个要发送的文件和一个响应文件。

这是发送信息的文件:

    <?php   function startProcessor($orderNumber) {     global $dbA,$orderArray,$jssStoreWebDirHTTP,$jssStoreWebDirHTTPS,$cartMain;             $callBack = "$jssStoreWebDirHTTPS"."gateways/response/protx.php";               $cDetails = returnCurrencyDetails($orderArray["currencyID"]);       $gatewayOptions = retrieveGatewayOptions("PROTX");      switch ($gatewayOptions["testMode"]) {          case "S":               $myAction = "https://test.sagepay.com/Simulator/VSPFormGateway.asp";                break;          case "Y":               $myAction = "https://test.sagepay.com/gateway/service/vspform-register.vsp";                break;          case "N":               $myAction = "https://live.sagepay.com/gateway/service/vspform-register.vsp";                break;      }       $myVendor = $gatewayOptions["vendor"];      $myEncryptionPassword = $gatewayOptions["encryptionPassword"];              $billingAddress  = $orderArray["address1"]."\n";        if ($orderArray["address2"] != "") {            $billingAddress .= $orderArray["address2"]."\n";        }       $billingAddress .= $orderArray["town"]."\n";        $billingAddress .= $orderArray["county"]."\n";      $billingAddress .= $orderArray["country"];      $deliveryAddress  = $orderArray["deliveryAddress1"]."\n";       if ($orderArray["deliveryAddress2"] != "") {            $deliveryAddress .= $orderArray["deliveryAddress2"]."\n";       }       $deliveryAddress .= $orderArray["deliveryTown"]."\n";       $deliveryAddress .= $orderArray["deliveryCounty"]."\n";     $deliveryAddress .= $orderArray["deliveryCountry"];                     $crypt = "VendorTxCode=$orderNumber";
        $crypt .= "&Amount=".number_format($orderArray["orderTotal"],$cDetails["decimals"],'.','');
        $crypt .= "&Currency=".@$cDetails["code"];
        $crypt .= "&Description=".$gatewayOptions["description"];
        $crypt .= "&SuccessURL=$callBack?xOid=$orderNumber&xRn=".$orderArray["randID"];
        $crypt .= "&FailureURL=$callBack?xOid=$orderNumber&xRn=".$orderArray["randID"];
        $crypt .= "&BillingSurname=".$orderArray["surname"];
        $crypt .= "&BillingFirstnames=".$orderArray["forename"];
        $crypt .= "&BillingAddress1=".$orderArray["address1"];
        $crypt .= "&BillingCity=".$orderArray["town"];
        $crypt .= "&BillingPostCode=".preg_replace("/[^\s\-a-zA-Z0-9]/", "", $orderArray["postcode"]);
        $crypt .= "&BillingCountry=".$orderArray["country"];
        $crypt .= "&DeliverySurname=".&orderArray["surname"];
        $crypt .= "&DeliveryFirstnames=".&orderArray["forename"];

    if ($orderArray["deliveryPostcode"] != "") {
        $crypt .= "&DeliveryAddress1=".$orderArray["deliveryAddress1"];
        $crypt .= "&DeliveryCity=".$orderArray["deliveryTown"];
        $crypt .= "&DeliveryPostCode=".preg_replace("/[^\s\-a-zA-Z0-9]/", "", $orderArray["deliveryPostcode"]);
        $crypt .= "&DeliveryCountry=".$orderArray["deliveryCountry"]; }
    else {
        $crypt .= "&DeliveryAddress1=".$orderArray["address1"];
        $crypt .= "&DeliveryCity=".$orderArray["town"];
        $crypt .= "&DeliveryPostCode=".preg_replace("/[^\s\-a-zA-Z0-9]/", "", $orderArray["postcode"]);
        $crypt .= "&DeliveryCountry=".$orderArray["country"]; }

        $crypt .= "&BillingPhone=".preg_replace("/[^\sa-zA-Z0-9]/", "", $orderArray["telephone"]);      
if ($gatewayOptions["sendEmail"] == 1) {            
        $crypt .= "&CustomerEmail=".$orderArray["email"];       }
        $crypt .= "&VendorEmail=".$gatewayOptions["vendorEmail"];   
        $crypt .= "&ApplyAVSCV2=".$gatewayOptions["cvvCheck"];  
        $crypt .= "&Apply3DSecure=".$gatewayOptions["3DSecure"];            
        $crypt = base64_encode(protx_simpleXor($crypt,$myEncryptionPassword));      
        $tpl = createTSysObject(templatesCreatePath($cartMain["templateSet"]),"gatewaytransfer.html",$requiredVars,0);          
        $gArray["method"] = "POST"; 
        $gArray["action"] = $myAction;  
        $gArray["fields"][] = array("name"=>"VPSProtocol","value"=>"3.00"); 
        $gArray["fields"][] = array("name"=>"Vendor","value"=>$myVendor);   
        $gArray["fields"][] = array("name"=>"TxType","value"=>$gatewayOptions["txType"]);               $gArray["fields"][] = array("name"=>"Crypt","value"=>$crypt);           
        $mArray = $gArray;          
        $gArray["process"] = "document.automaticForm.submit();";    
        $tpl->addVariable("shop",templateVarsShopRetrieve());   
        $tpl->addVariable("labels",templateVarsLabelsRetrieve());   
        $tpl->addVariable("automaticForm",$gArray); 
        $tpl->addVariable("manualForm",$mArray);    
        $tpl->showPage();   }

function protx_simpleXor($inString, $key) {     $outString="";      $l=0;       if (strlen($inString)!=0) {         for ($i = 0; $i < strlen($inString); $i++) {                $outString=$outString . ($inString[$i]^$key[$l]);               $l++;               if ($l==strlen($key)) { $l=0; }         }       }       return $outString;  }   ?>

这是响应文件:

 <?php

/*================ JShop Server ================

  = (c)2003-2010 Whorl Ltd.                    =

  = All Rights Reserved                        =

  = Redistribution of this file is prohibited. =

  = http://www.jshop.co.uk/                    =

  ==============================================*/

?><?php

    define("IN_JSHOP", TRUE);

    include("../../static/config.php");

    include("../../routines/dbAccess_".$databaseType.".php");

    include("../../routines/tSys.php");

    include("../../routines/general.php");

    include("../../routines/stockControl.php");

    include("../../routines/emailOutput.php");



    dbConnect($dbA);



    $orderID = makeSafe(getFORM("xOid"));

    $newOrderID = $orderID;

    $randID = makeSafe(getFORM("xRn"));

    $crypt = makeSafe(getFORM("crypt"));



    $gatewayOptions = retrieveGatewayOptions("PROTX");



    $orderID = makeInteger($orderID) - retrieveOption("orderNumberOffset");



    $result =  $dbA->query("select * from $tableOrdersHeaders where orderID=$orderID and randID='$randID'");

    if ($dbA->count($result) == 0 || $crypt=="") {

        doRedirect_JavaScript($jssStoreWebDirHTTP."index.php");

        exit;

    }

    $orderArray = $dbA->fetch($result);

    $ccResult = $dbA->query("select * from $tablePaymentOptions where paymentID=".$orderArray["paymentID"]);

    $poRecord = $dbA->fetch($ccResult);

    $paidStatus = $poRecord["statusID"];



    $crypt = str_replace(" ","+",$crypt);

    $crypt = protx_simpleXor(base64_decode($crypt),$gatewayOptions["encryptionPassword"]);  



    $nameValues = explode("&",$crypt);

    $resultCode = "";

    for ($f = 0; $f < count($nameValues); $f++) {

        $thisCode = explode("=",$nameValues[$f]);

        $resultCode[$thisCode[0]] = $thisCode[1];

    }



    if ($resultCode["VendorTxCode"] != $newOrderID) {

        doRedirect_JavaScript($jssStoreWebDirHTTP."index.php");

        exit;

    }



    $authResponse = "&Status Result=".$resultCode["Status"]."&AVS/CV2 Check=".@$resultCode["AVSCV2"]."&Address Result=".@$resultCode["AddressResult"]."&Postcode Result=".@$resultCode["PostCodeResult"]."&CV2 Result=".@$resultCode["CV2Result"]."&3d Secure Status=".@$resultCode["3DSecureStatus"];



    $randID = $orderArray["randID"];

    if ($orderArray["status"] != $paidStatus) {

            $dt=date("YmdHis",createOffsetTime());

            switch ($resultCode["Status"]) {

                case "OK":

                case "AUTHENTICATED":

                case "REGISTERED":

                    $authResponse="Gateway=Sage Pay&Authorisation Code=".$resultCode["TxAuthNo"]."&Sage Pay Transaction ID=".$resultCode["VPSTxId"]."&Status=Payment Confirmed".$authResponse;

                    $dbA->query("update $tableOrdersHeaders set status=$paidStatus, authInfo=\"$authResponse\", paymentDate=\"$dt\" where orderID=$orderID");

                    $orderArray["status"] = $paidStatus;

                    //ok, this is where we should do the stock control then.

                    include("process/paidProcessList.php");

                    doRedirect_JavaScript($jssStoreWebDirHTTPS."process.php?xOid=$newOrderID&xRn=$randID");

                    break;

                case "REJECTED":
                    $authResponse="Gateway=Sage Pay&Status=Payment Rejected Due To Rules".$authResponse;
                    $dbA->query("update $tableOrdersHeaders set status=3, authInfo=\"$authResponse\", paymentDate=\"$dt\" where orderID=$orderID");
                    include("process/failProcessList.php");
                    doRedirect_JavaScript($jssStoreWebDirHTTPS."process.php?xOid=$newOrderID&xRn=$randID");
                    break;

                default:
                    if ($orderArray["status"] == 1) {
                        $authResponse="Gateway=Sage Pay&Status=Payment Failed".$authResponse;
                        $dbA->query("update $tableOrdersHeaders set status=3, authInfo=\"$authResponse\", paymentDate=\"$dt\" where orderID=$orderID");
                        include("process/failProcessList.php");
                }

                    doRedirect_JavaScript($jssStoreWebDirHTTPS."process.php?xOid=$newOrderID&xRn=$randID");
                    break;
            }
    } else {
            doRedirect_JavaScript($jssStoreWebDirHTTPS."process.php?xOid=$newOrderID&xRn=$randID");
    }

    function protx_simpleXor($inString, $key) {
        $outString="";

        $l=0;

        if (strlen($inString)!=0) {
            for ($i = 0; $i < strlen($inString); $i++) {
                $outString=$outString . ($inString[$i]^$key[$l]);
                $l++;

                if ($l==strlen($key)) { $l=0; }
            }
        }

        return $outString;
    }
?>

看起来您使用的代码很旧。我建议您尝试使用 official Sage Pay integration libraries 完全 port/rewrite 您的代码,以避免出现诸如转义之类的奇怪错误。

如果您赶时间,这里是 class 的精简版,您需要让 encryption/decryption 部分正常工作。

<?php
class SagepayUtil
{
    /**
     * PHP's mcrypt does not have built in PKCS5 Padding, so we use this.
     *
     * @param string $input The input string.
     *
     * @return string The string with padding.
     */
    static protected function addPKCS5Padding($input)
    {
        $blockSize = 16;
        $padd = "";

        // Pad input to an even block size boundary.
        $length = $blockSize - (strlen($input) % $blockSize);
        for ($i = 1; $i <= $length; $i++)
        {
            $padd .= chr($length);
        }

        return $input . $padd;
    }

    /**
     * Remove PKCS5 Padding from a string.
     *
     * @param string $input The decrypted string.
     *
     * @return string String without the padding.
     * @throws SagepayApiException
     */
    static protected function removePKCS5Padding($input)
    {
        $blockSize = 16;
        $padChar = ord($input[strlen($input) - 1]);

        /* Check for PadChar is less then Block size */
        if ($padChar > $blockSize)
        {
            throw new SagepayApiException('Invalid encryption string');
        }
        /* Check by padding by character mask */
        if (strspn($input, chr($padChar), strlen($input) - $padChar) != $padChar)
        {
            throw new SagepayApiException('Invalid encryption string');
        }

        $unpadded = substr($input, 0, (-1) * $padChar);
        /* Chech result for printable characters */
        if (preg_match('/[[:^print:]]/', $unpadded))
        {
            throw new SagepayApiException('Invalid encryption string');
        }
        return $unpadded;
    }

    /**
     * Encrypt a string ready to send to SagePay using encryption key.
     *
     * @param  string  $string  The unencrypyted string.
     * @param  string  $key     The encryption key.
     *
     * @return string The encrypted string.
     */
    static public function encryptAes($string, $key)
    {
        // AES encryption, CBC blocking with PKCS5 padding then HEX encoding.
        // Add PKCS5 padding to the text to be encypted.
        $string = self::addPKCS5Padding($string);

        // Perform encryption with PHP's MCRYPT module.
        $crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $string, MCRYPT_MODE_CBC, $key);

        // Perform hex encoding and return.
        return "@" . strtoupper(bin2hex($crypt));
    }

    /**
     * Decode a returned string from SagePay.
     *
     * @param string $strIn         The encrypted String.
     * @param string $password      The encyption password used to encrypt the string.
     *
     * @return string The unecrypted string.
     * @throws SagepayApiException
     */
    static public function decryptAes($strIn, $password)
    {
        // HEX decoding then AES decryption, CBC blocking with PKCS5 padding.
        // Use initialization vector (IV) set from $str_encryption_password.
        $strInitVector = $password;

        // Remove the first char which is @ to flag this is AES encrypted and HEX decoding.
        $hex = substr($strIn, 1);

        // Throw exception if string is malformed
        if (!preg_match('/^[0-9a-fA-F]+$/', $hex))
        {
            throw new SagepayApiException('Invalid encryption string');
        }
        $strIn = pack('H*', $hex);

        // Perform decryption with PHP's MCRYPT module.
        $string = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, $strIn, MCRYPT_MODE_CBC, $strInitVector);
        return self::removePKCS5Padding($string);
    }
}

像现在一样设置变量。

$gatewayOptions["encryptionPassword"] = "PASSWORDPASSWORD";
$crypt = "Your=Sagepay&Query=String";

然后加密(发送到 sagepay)使用这个

//$crypt = base64_encode(protx_simpleXor($crypt,$myEncryptionPassword));
$crypt = SagepayUtil::encryptAes($crypt, $gatewayOptions["encryptionPassword"]);

var_dump($crypt);
//@714DCF7FE82FADA4B9F8CF53982D56FFC8F2021A5FC10481409ED1FD7BF6880E

解密(从 sagepay 接收)使用这个

//$crypt = protx_simpleXor(base64_decode($crypt),$gatewayOptions["encryptionPassword"]);  
$crypt = SagepayUtil::decryptAes($crypt, $gatewayOptions["encryptionPassword"]);

var_dump($crypt);
//Your=Sagepay&Query=String

编辑:删除了 base64 编码层。 Protx 将假定 base64 编码的字符串使用旧的 XOR 方法,因此您不能使用 base64 编码。相反,有必要使用十六进制编码并以“@”字符开头的字符串。