J. Doe9891

Reputation: 129

Why doesn't my password match the encodedPassword?

I was playing around with Spring Security. There are some PasswordEncoders. Now I heard of Argon2 and the library argon2-jvm. So I used this library to implement an Argon2 PasswordEncoder.

import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;
import org.springframework.security.crypto.password.PasswordEncoder;

public class Argon2PasswordEncoder implements PasswordEncoder {

    private final static Argon2 ARGON2 = Argon2Factory.create();

    @Override
    public String encode(CharSequence rawPassword) {
        return ARGON2.hash(2, 512, 1, rawPassword.toString());
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        return ARGON2.verify(rawPassword.toString(), encodedPassword);
    }
}

Ok. Now I tested the implementation and with the password "Password" I get a hash of "$argon2i$v=19$m=512,t=2,p=1$RXlcbec6BOFAo7tfgeAp7g$z4mUln5y/ylkmNjoK8u3wmQYQxwBzWyRepQaZlGtSPw"

But this can't be the hash, I think the hash is the part after p=, isn't it?

Ok, then I tried to match them and it failed. Why?

System.out.println(encoder.matches("Password", "$argon2i$v=19$m=512,t=2,p=1$RXlcbec6BOFAo7tfgeAp7g$z4mUln5y/ylkmNjoK8u3wmQYQxwBzWyRepQaZlGtSPw"));

=> false

System.out.println(encoder.matches("Password", "1$RXlcbec6BOFAo7tfgeAp7g$z4mUln5y/ylkmNjoK8u3wmQYQxwBzWyRepQaZlGtSPw"));

=> false

How can I match them, and why are some of the parameters, like parallelism and memory, part of the hash?

Upvotes: 0

Views: 1050

Answers (1)

Lothar

Reputation: 5459

Looking at the argon2-library's test code at GitHub, I think you call verify with the wrong order of parameters. The test case passes the hashed value first, followed by the plain password. You do it vice versa.

Upvotes: 3
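
The encoded string from the question, taken apart (an added example, not part of the original posts and not argon2-jvm code). The salt and cost parameters are stored alongside the digest because verification has to recompute the digest with exactly those values, so the whole string is what gets stored and passed to verify. The class Argon2EncodedHash and its methods are hypothetical and use only the JDK.

```java
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (JDK only): splits an Argon2 encoded string into its fields.
public class Argon2EncodedHash {
    // $argon2<variant>$v=<version>$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<digest>
    private static final Pattern FORMAT = Pattern.compile(
        "\\$argon2(id|i|d)\\$v=(\\d+)\\$m=(\\d+),t=(\\d+),p=(\\d+)"
        + "\\$([A-Za-z0-9+/]+)\\$([A-Za-z0-9+/]+)");

    final String variant;
    final int version, memoryKiB, iterations, parallelism;
    final byte[] salt, digest;

    private Argon2EncodedHash(Matcher m) {
        variant = "argon2" + m.group(1);
        version = Integer.parseInt(m.group(2));
        memoryKiB = Integer.parseInt(m.group(3));
        iterations = Integer.parseInt(m.group(4));
        parallelism = Integer.parseInt(m.group(5));
        // Salt and digest are base64 without '=' padding; the JDK decoder accepts that.
        salt = Base64.getDecoder().decode(m.group(6));
        digest = Base64.getDecoder().decode(m.group(7));
    }

    static Argon2EncodedHash parse(String encoded) {
        Matcher m = FORMAT.matcher(encoded);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a complete Argon2 encoded hash");
        }
        return new Argon2EncodedHash(m);
    }

    // False for a bare password or a truncated string: a cheap guard for swapped arguments.
    static boolean isEncodedHash(String value) {
        try { parse(value); return true; } catch (IllegalArgumentException e) { return false; }
    }

    public static void main(String[] args) {
        // Encoded value copied from the question.
        String full = "$argon2i$v=19$m=512,t=2,p=1$RXlcbec6BOFAo7tfgeAp7g$z4mUln5y/ylkmNjoK8u3wmQYQxwBzWyRepQaZlGtSPw";
        Argon2EncodedHash h = parse(full);
        System.out.printf("%s v=%d m=%dKiB t=%d p=%d salt=%dB digest=%dB%n", h.variant,
            h.version, h.memoryKiB, h.iterations, h.parallelism, h.salt.length, h.digest.length);
        // The question's second attempt: everything from the "1" of p=1 onward.
        System.out.println(isEncodedHash(full.substring(full.indexOf("p=1") + 2)));
        System.out.println(isEncodedHash("Password"));
    }
}
```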
