joeshaw / carwings

Go package and CLI tool for the Nissan Leaf Carwings API
MIT License

Incorrect encrypted password value for 8 character password (INVALID PARAMS) #4

Closed karora closed 6 years ago

karora commented 6 years ago

I'm trying to use this from Ireland, where I see the following response:

$ carwings -email andrew@mcmillan.net.nz -password XXXXXXX -debug battery
Logging into Carwings...
POST https://gdcportalgw.its-mo.com/api_v180117_NE/gdc/InitialApp.php map[initial_app_strings:[geORNtsZe5I4lRGjG9GZiA]]
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Sat, 04 Aug 2018 19:41:42 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000

45
{"status":200,"message":"success","baseprm":"uyI5Dj9g8VCOFDnBRUbr3g"}
0

POST https://gdcportalgw.its-mo.com/api_v180117_NE/gdc/UserLoginRequest.php map[initial_app_strings:[geORNtsZe5I4lRGjG9GZiA] UserId:[andrew@mcmillan.net.nz] Password:[XXXXXXXXXXX] RegionCode:[NNA]]
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Date: Sat, 04 Aug 2018 19:41:42 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000

2d
{"status":"-2010","message":"INVALID PARAMS"}
0

ERROR: json: cannot unmarshal string into Go struct field .status of type int

Aside from the bug in their JSON response where they return a string "-2010" rather than a number, I'm not sure what the valid params might be.

I've also tried using -region EU or -region NE (after I looked at the code a bit :-)

I'm keen to help out where I can.

Thanks, Andrew.

joeshaw commented 6 years ago

As I understand it, -region NE is what you need in Europe. Do you get the same INVALID PARAMS error with that?

joeshaw commented 6 years ago

Another possibility: you may want to try your username (rather than your email address) despite the -email flag -- I have read that for some people they are different things?

karora commented 6 years ago

Thanks for your response. Yes, I've tried using "NE" for the region, as well as using my username instead of the email address: I get the same INVALID PARAMS response regardless.

joeshaw commented 6 years ago

Could you try changing the baseURL in the code to https://gdcportalgw.its-mo.com/gworchest_160803A/gdc/ and https://gdcportalgw.its-mo.com/gworchest_160803EC/gdc/ and let me know if either works?

karora commented 6 years ago

The first of those URLs gives a 404, the second gives the same INVALID PARAMS response. I have tried using the https://github.com/gboudreau/nissan-connect-php project to connect and that was initially also returning INVALID PARAMS until I switched to using a username rather than an email address, but now that it is working I see that it is using https://gdcportalgw.its-mo.com/gworchest_160803EC/gdc/ for its base URL.

I can also see that when it makes the login request it sends a different encrypted password: ****J94ByT1QL04P52m33Q== (nissan-connect-php) vs ****J94ByT0= (carwings.go) (first four characters replaced for security reasons, but they're the same in both strings).

The PHP code also seems to be sending some additional params, (it outputs params in JSON for debugging) i.e.:

{
  "UserId":"karora",
  "Password":"****J94ByT1QL04P52m33Q==",
  "custom_sessionid":"",
  "initial_app_strings":"geORNtsZe5I4lRGjG9GZiA",
  "RegionCode":"NE",
  "lg":"en-US",
  "DCMID":"",
  "VIN":"",
  "tz":"Europe\/Dublin"
}

karora commented 6 years ago

OK, the issue seems to be with the encryption of the password. My password was 8 characters - exactly the same size as a Blowfish chunk - but when I changed it to a 10 character password the encrypted values match between the two libraries and I am now able to get past the login :-)

So I shall retitle this issue to indicate the underlying problem with the password encryption.

joeshaw commented 6 years ago

Wow! Thank you for the excellent detective work. I will look into fixing this.

karora commented 6 years ago

Just thought I'd see what happened if padding was always applied, and it matches what the PHP code does in that case.

This comment might indicate the thinking behind OpenSSL's behaviour on this one: https://stackoverflow.com/questions/41181905/php-mcrypt-encrypt-to-openssl-encrypt-and-openssl-zero-padding-problems

Presumably the server-side PHP is also using openssl libraries, so it gets this behaviour too.
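The padding bug diagnosed above, shown as an added example (this is not carwings' own code or the PHP library's code). The two rules sit side by side: a "pad only if the length is not a multiple of the block size" rule, which is the behaviour the thread describes for an 8-character password, and standard PKCS#5 padding, which always appends between 1 and 8 bytes so that a block-aligned input gains a whole extra block. DES from the Go standard library stands in for Blowfish here (an assumption made so the example runs without golang.org/x/crypto); both implement cipher.Block with an 8-byte block, which is all the padding logic depends on, so blowfish.NewCipher can be swapped into newBlock unchanged. The key and passwords are constructed sample values, not a real baseprm or credential.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"fmt"
)

// padBuggy reproduces the behaviour described in the thread: padding is only
// appended when the input is not already a multiple of the block size, so an
// 8-byte password is encrypted as a single block with no padding at all.
func padBuggy(src []byte, blockSize int) []byte {
	rem := len(src) % blockSize
	if rem == 0 {
		return append([]byte(nil), src...)
	}
	n := blockSize - rem
	out := make([]byte, len(src), len(src)+n)
	copy(out, src)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// padPKCS5 always appends 1..blockSize bytes, each holding the pad length.
// A block-aligned input therefore gains a full block of 0x08 bytes. This is
// what makes unpadding unambiguous for the receiver: the last byte always
// says how much to strip.
func padPKCS5(src []byte, blockSize int) []byte {
	n := blockSize - len(src)%blockSize
	out := make([]byte, len(src), len(src)+n)
	copy(out, src)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadPKCS5 strips PKCS#5 padding, rejecting anything malformed. Run on a
// buffer produced by padBuggy it fails, because the last plaintext byte is
// read as a pad length.
func unpadPKCS5(buf []byte, blockSize int) ([]byte, error) {
	if len(buf) == 0 || len(buf)%blockSize != 0 {
		return nil, fmt.Errorf("bad length %d", len(buf))
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > blockSize || n > len(buf) {
		return nil, fmt.Errorf("bad pad byte %d", n)
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("inconsistent padding")
		}
	}
	return buf[:len(buf)-n], nil
}

// encryptECB encrypts an already padded buffer block by block (ECB) and
// base64-encodes it, matching the shape of the Password login parameter.
func encryptECB(block cipher.Block, padded []byte) string {
	out := make([]byte, len(padded))
	bs := block.BlockSize()
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return base64.StdEncoding.EncodeToString(out)
}

// newBlock returns an 8-byte-block cipher. DES is an assumed stand-in for
// Blowfish so this runs with the standard library alone; the key must be
// 8 bytes for DES.
func newBlock(key []byte) (cipher.Block, error) {
	return des.NewCipher(key)
}

// EncryptPassword returns the base64 ciphertext of password under key using
// either the buggy rule (alwaysPad=false) or PKCS#5 (alwaysPad=true).
func EncryptPassword(key, password []byte, alwaysPad bool) (string, error) {
	block, err := newBlock(key)
	if err != nil {
		return "", err
	}
	var padded []byte
	if alwaysPad {
		padded = padPKCS5(password, block.BlockSize())
	} else {
		padded = padBuggy(password, block.BlockSize())
	}
	return encryptECB(block, padded), nil
}

func main() {
	key := []byte("8bytekey") // constructed sample key, not a real baseprm
	for _, pw := range []string{"abcdefgh", "abcdefghij"} {
		buggy, _ := EncryptPassword(key, []byte(pw), false)
		good, _ := EncryptPassword(key, []byte(pw), true)
		fmt.Printf("%-10s buggy=%-26s correct=%s\n", pw, buggy, good)
	}
}
```

For a 10-character password both rules pad to 16 bytes and the ciphertexts are identical, which is why changing the password made the two libraries agree. For an 8-character password the buggy rule yields 8 ciphertext bytes (12 base64 characters ending in "=") and PKCS#5 yields 16 (24 characters ending in "=="); because the mode is ECB the first block is the same in both, so the two strings share their first ten base64 characters, exactly the pattern of "****J94ByT0=" against "****J94ByT1QL04P52m33Q==" reported above.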