@sd-jwt/core 0.3.2-next.97 → 0.3.2-next.99

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import * as _sd_jwt_types from '@sd-jwt/types';
-import { Base64urlString, Signer, Verifier, kbHeader, kbPayload, SDJWTCompact, Hasher, DisclosureFrame, HasherAndAlg, SaltGenerator, SDJWTConfig, KBOptions } from '@sd-jwt/types';
+import { Base64urlString, Signer, Verifier, kbHeader, kbPayload, KbVerifier, JwtPayload, SDJWTCompact, Hasher, DisclosureFrame, HasherAndAlg, SaltGenerator, SDJWTConfig, KBOptions } from '@sd-jwt/types';
 import { Disclosure } from '@sd-jwt/utils';
 
 type JwtData<Header extends Record<string, unknown>, Payload extends Record<string, unknown>> = {
@@ -29,7 +29,10 @@ declare class Jwt<Header extends Record<string, unknown> = Record<string, unknow
 }
 
 declare class KBJwt<Header extends kbHeader = kbHeader, Payload extends kbPayload = kbPayload> extends Jwt<Header, Payload> {
-    verify(verifier: Verifier): Promise<{
+    verifyKB(values: {
+        verifier: KbVerifier;
+        payload: JwtPayload;
+    }): Promise<{
         payload: Payload;
         header: Header;
     }>;

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import * as _sd_jwt_types from '@sd-jwt/types';
-import { Base64urlString, Signer, Verifier, kbHeader, kbPayload, SDJWTCompact, Hasher, DisclosureFrame, HasherAndAlg, SaltGenerator, SDJWTConfig, KBOptions } from '@sd-jwt/types';
+import { Base64urlString, Signer, Verifier, kbHeader, kbPayload, KbVerifier, JwtPayload, SDJWTCompact, Hasher, DisclosureFrame, HasherAndAlg, SaltGenerator, SDJWTConfig, KBOptions } from '@sd-jwt/types';
 import { Disclosure } from '@sd-jwt/utils';
 
 type JwtData<Header extends Record<string, unknown>, Payload extends Record<string, unknown>> = {
@@ -29,7 +29,10 @@ declare class Jwt<Header extends Record<string, unknown> = Record<string, unknow
 }
 
 declare class KBJwt<Header extends kbHeader = kbHeader, Payload extends kbPayload = kbPayload> extends Jwt<Header, Payload> {
-    verify(verifier: Verifier): Promise<{
+    verifyKB(values: {
+        verifier: KbVerifier;
+        payload: JwtPayload;
+    }): Promise<{
         payload: Payload;
         header: Header;
     }>;

package/dist/index.js

@@ -5,10 +5,8 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __reflectGet = Reflect.get;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __spreadValues = (a, b) => {
   for (var prop in b || (b = {}))
@@ -35,7 +33,6 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __superGet = (cls, obj, key) => __reflectGet(__getProtoOf(cls), key, obj);
 var __async = (__this, __arguments, generator) => {
   return new Promise((resolve, reject) => {
     var fulfilled = (value) => {
@@ -145,14 +142,29 @@ var Jwt = class _Jwt {
 var import_utils2 = require("@sd-jwt/utils");
 var KBJwt = class _KBJwt extends Jwt {
   // Checking the validity of the key binding jwt
-  verify(verifier) {
+  // the type unknown is not good, but we don't know at this point how to get the public key of the signer, this is defined in the kbVerifier
+  verifyKB(values) {
     return __async(this, null, function* () {
       var _a, _b, _c, _d, _e, _f;
       if (!((_a = this.header) == null ? void 0 : _a.alg) || !this.header.typ || !((_b = this.payload) == null ? void 0 : _b.iat) || !((_c = this.payload) == null ? void 0 : _c.aud) || !((_d = this.payload) == null ? void 0 : _d.nonce) || // this is for backward compatibility with version 06
       !(((_e = this.payload) == null ? void 0 : _e.sd_hash) || ((_f = this.payload) == null ? void 0 : _f._sd_hash))) {
         throw new import_utils2.SDJWTException("Invalid Key Binding Jwt");
       }
-      return yield __superGet(_KBJwt.prototype, this, "verify").call(this, verifier);
+      if (!this.header || !this.payload || !this.signature) {
+        throw new import_utils2.SDJWTException("Verify Error: Invalid JWT");
+      }
+      const header = (0, import_utils2.Base64urlEncode)(JSON.stringify(this.header));
+      const payload = (0, import_utils2.Base64urlEncode)(JSON.stringify(this.payload));
+      const data = `${header}.${payload}`;
+      const verified = yield values.verifier(
+        data,
+        this.signature,
+        values.payload
+      );
+      if (!verified) {
+        throw new import_utils2.SDJWTException("Verify Error: Invalid JWT Signature");
+      }
+      return { payload: this.payload, header: this.header };
     });
   }
   // This function is for creating KBJwt object for verify properly
@@ -557,7 +569,13 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!this.userConfig.kbVerifier) {
         throw new import_utils5.SDJWTException("Key Binding Verifier not found");
       }
-      const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const kb = yield sdjwt.kbJwt.verifyKB({
+        verifier: this.userConfig.kbVerifier,
+        payload
+      });
+      if (!kb) {
+        throw new Error("signature is not valid");
+      }
       const sdHashfromKb = kb.payload.sd_hash;
       const sdjwtWithoutKb = new SDJwt({
         jwt: sdjwt.jwt,

package/dist/index.mjs

@@ -2,10 +2,8 @@ var __defProp = Object.defineProperty;
 var __defProps = Object.defineProperties;
 var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
 var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __reflectGet = Reflect.get;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __spreadValues = (a, b) => {
   for (var prop in b || (b = {}))
@@ -19,7 +17,6 @@ var __spreadValues = (a, b) => {
   return a;
 };
 var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __superGet = (cls, obj, key) => __reflectGet(__getProtoOf(cls), key, obj);
 var __async = (__this, __arguments, generator) => {
   return new Promise((resolve, reject) => {
     var fulfilled = (value) => {
@@ -115,17 +112,32 @@ var Jwt = class _Jwt {
 };
 
 // src/kbjwt.ts
-import { SDJWTException as SDJWTException2 } from "@sd-jwt/utils";
+import { Base64urlEncode as Base64urlEncode2, SDJWTException as SDJWTException2 } from "@sd-jwt/utils";
 var KBJwt = class _KBJwt extends Jwt {
   // Checking the validity of the key binding jwt
-  verify(verifier) {
+  // the type unknown is not good, but we don't know at this point how to get the public key of the signer, this is defined in the kbVerifier
+  verifyKB(values) {
     return __async(this, null, function* () {
       var _a, _b, _c, _d, _e, _f;
       if (!((_a = this.header) == null ? void 0 : _a.alg) || !this.header.typ || !((_b = this.payload) == null ? void 0 : _b.iat) || !((_c = this.payload) == null ? void 0 : _c.aud) || !((_d = this.payload) == null ? void 0 : _d.nonce) || // this is for backward compatibility with version 06
       !(((_e = this.payload) == null ? void 0 : _e.sd_hash) || ((_f = this.payload) == null ? void 0 : _f._sd_hash))) {
         throw new SDJWTException2("Invalid Key Binding Jwt");
       }
-      return yield __superGet(_KBJwt.prototype, this, "verify").call(this, verifier);
+      if (!this.header || !this.payload || !this.signature) {
+        throw new SDJWTException2("Verify Error: Invalid JWT");
+      }
+      const header = Base64urlEncode2(JSON.stringify(this.header));
+      const payload = Base64urlEncode2(JSON.stringify(this.payload));
+      const data = `${header}.${payload}`;
+      const verified = yield values.verifier(
+        data,
+        this.signature,
+        values.payload
+      );
+      if (!verified) {
+        throw new SDJWTException2("Verify Error: Invalid JWT Signature");
+      }
+      return { payload: this.payload, header: this.header };
     });
   }
   // This function is for creating KBJwt object for verify properly
@@ -537,7 +549,13 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!this.userConfig.kbVerifier) {
         throw new SDJWTException4("Key Binding Verifier not found");
       }
-      const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const kb = yield sdjwt.kbJwt.verifyKB({
+        verifier: this.userConfig.kbVerifier,
+        payload
+      });
+      if (!kb) {
+        throw new Error("signature is not valid");
+      }
       const sdHashfromKb = kb.payload.sd_hash;
       const sdjwtWithoutKb = new SDJwt({
         jwt: sdjwt.jwt,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/core",
-  "version": "0.3.2-next.97+e9f2367",
+  "version": "0.3.2-next.99+94f33f1",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -38,12 +38,12 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.3.2-next.97+e9f2367"
+    "@sd-jwt/crypto-nodejs": "0.3.2-next.99+94f33f1"
   },
   "dependencies": {
-    "@sd-jwt/decode": "0.3.2-next.97+e9f2367",
-    "@sd-jwt/types": "0.3.2-next.97+e9f2367",
-    "@sd-jwt/utils": "0.3.2-next.97+e9f2367"
+    "@sd-jwt/decode": "0.3.2-next.99+94f33f1",
+    "@sd-jwt/types": "0.3.2-next.99+94f33f1",
+    "@sd-jwt/utils": "0.3.2-next.99+94f33f1"
   },
   "publishConfig": {
     "access": "public"
@@ -61,5 +61,5 @@
       "esm"
     ]
   },
-  "gitHead": "e9f2367e77f495ca457a8a28aa87130a313c10fa"
+  "gitHead": "94f33f1931393345ad1d0977adad67d407615607"
 }

package/src/index.ts

@@ -11,6 +11,7 @@ import {
   SDJWTConfig,
 } from '@sd-jwt/types';
 import { getSDAlgAndPayload } from '@sd-jwt/decode';
+import { JwtPayload } from '@sd-jwt/types';
 
 export * from './sdjwt';
 export * from './kbjwt';
@@ -212,7 +213,13 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
     if (!this.userConfig.kbVerifier) {
       throw new SDJWTException('Key Binding Verifier not found');
     }
-    const kb = await sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+    const kb = await sdjwt.kbJwt.verifyKB({
+      verifier: this.userConfig.kbVerifier,
+      payload: payload as JwtPayload,
+    });
+    if (!kb) {
+      throw new Error('signature is not valid');
+    }
     const sdHashfromKb = kb.payload.sd_hash;
     const sdjwtWithoutKb = new SDJwt({
       jwt: sdjwt.jwt,

package/src/kbjwt.ts

@@ -1,13 +1,14 @@
-import { SDJWTException } from '@sd-jwt/utils';
+import { Base64urlEncode, SDJWTException } from '@sd-jwt/utils';
 import { Jwt } from './jwt';
-import { Verifier, kbHeader, kbPayload } from '@sd-jwt/types';
+import { JwtPayload, kbHeader, kbPayload, KbVerifier } from '@sd-jwt/types';
 
 export class KBJwt<
   Header extends kbHeader = kbHeader,
   Payload extends kbPayload = kbPayload,
 > extends Jwt<Header, Payload> {
   // Checking the validity of the key binding jwt
-  public async verify(verifier: Verifier) {
+  // the type unknown is not good, but we don't know at this point how to get the public key of the signer, this is defined in the kbVerifier
+  public async verifyKB(values: { verifier: KbVerifier; payload: JwtPayload }) {
     if (
       !this.header?.alg ||
       !this.header.typ ||
@@ -22,7 +23,22 @@ export class KBJwt<
     ) {
       throw new SDJWTException('Invalid Key Binding Jwt');
     }
-    return await super.verify(verifier);
+    if (!this.header || !this.payload || !this.signature) {
+      throw new SDJWTException('Verify Error: Invalid JWT');
+    }
+
+    const header = Base64urlEncode(JSON.stringify(this.header));
+    const payload = Base64urlEncode(JSON.stringify(this.payload));
+    const data = `${header}.${payload}`;
+    const verified = await values.verifier(
+      data,
+      this.signature,
+      values.payload,
+    );
+    if (!verified) {
+      throw new SDJWTException('Verify Error: Invalid JWT Signature');
+    }
+    return { payload: this.payload, header: this.header };
   }
 
   // This function is for creating KBJwt object for verify properly

package/src/test/index.spec.ts

@@ -1,8 +1,10 @@
 import { SDJwtInstance, SdJwtPayload } from '../index';
 import { Signer, Verifier } from '@sd-jwt/types';
-import Crypto from 'node:crypto';
+import Crypto, { KeyLike } from 'node:crypto';
 import { describe, expect, test } from 'vitest';
 import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import { KbVerifier, JwtPayload } from '@sd-jwt/types';
+import { importJWK, exportJWK, JWK } from 'jose';
 
 export const createSignerVerifier = () => {
   const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
@@ -181,23 +183,53 @@ describe('index', () => {
 
   test('verify with kbJwt', async () => {
     const { signer, verifier } = createSignerVerifier();
+
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+
+    //TODO: maybe we can pass a minial class of the jwt to pass the token
+    const kbVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      let publicKey: JsonWebKey;
+      if (payload.cnf) {
+        // use the key from the cnf
+        publicKey = payload.cnf.jwk;
+      } else {
+        throw Error('key binding not supported');
+      }
+      // get the key of the holder to verify the signature
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const kbSigner = (data: string) => {
+      const sig = Crypto.sign(null, Buffer.from(data), privateKey);
+      return Buffer.from(sig).toString('base64url');
+    };
+
     const sdjwt = new SDJwtInstance<SdJwtPayload>({
       signer,
       signAlg: 'EdDSA',
       verifier,
       hasher: digest,
       saltGenerator: generateSalt,
-      kbSigner: signer,
-      kbVerifier: verifier,
+      kbSigner: kbSigner,
+      kbVerifier: kbVerifier,
       kbSignAlg: 'EdDSA',
     });
-
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
-        iss: 'Issuer',
         iat: new Date().getTime(),
-        vct: '',
+        cnf: {
+          jwk: await exportJWK(publicKey),
+        },
       },
       {
         _sd: ['foo'],

package/src/test/kbjwt.spec.ts

@@ -1,8 +1,15 @@
 import { SDJWTException } from '@sd-jwt/utils';
 import { KBJwt } from '../kbjwt';
-import { KB_JWT_TYP, Signer, Verifier } from '@sd-jwt/types';
-import Crypto from 'node:crypto';
+import {
+  JwtPayload,
+  KB_JWT_TYP,
+  KbVerifier,
+  Signer,
+  Verifier,
+} from '@sd-jwt/types';
+import Crypto, { KeyLike } from 'node:crypto';
 import { describe, expect, test } from 'vitest';
+import { JWK, exportJWK, importJWK } from 'jose';
 
 describe('KB JWT', () => {
   test('create', async () => {
@@ -69,11 +76,27 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -91,7 +114,10 @@ describe('KB JWT', () => {
     });
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
+    const verified = await decoded.verifyKB({
+      verifier: testVerifier,
+      payload,
+    });
     expect(verified).toStrictEqual({
       header: {
         typ: KB_JWT_TYP,
@@ -112,11 +138,26 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -136,26 +177,34 @@ describe('KB JWT', () => {
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
     try {
-      await decoded.verify(testVerifier);
+      await decoded.verifyKB({ verifier: testVerifier, payload });
     } catch (e: unknown) {
       const error = e as SDJWTException;
       expect(error.message).toBe('Invalid Key Binding Jwt');
     }
   });
 
-  test('verify with custom Verifier', async () => {
+  test('verify failed with verifier return false', async () => {
     const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
     const testSigner: Signer = async (data: string) => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
-      return Crypto.verify(
-        null,
-        Buffer.from(data),
-        publicKey,
-        Buffer.from(sig, 'base64url'),
-      );
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      return false;
     };
 
     const kbJwt = new KBJwt({
@@ -170,37 +219,37 @@ describe('KB JWT', () => {
         sd_hash: 'hash',
       },
     });
-
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
-    expect(verified).toStrictEqual({
-      header: {
-        typ: KB_JWT_TYP,
-        alg: 'EdDSA',
-      },
-      payload: {
-        iat: 1,
-        aud: 'aud',
-        nonce: 'nonce',
-        sd_hash: 'hash',
-      },
-    });
+    try {
+      await decoded.verifyKB({ verifier: testVerifier, payload });
+    } catch (e: unknown) {
+      const error = e as SDJWTException;
+      expect(error.message).toBe('Verify Error: Invalid JWT Signature');
+    }
   });
 
-  test('verify failed with custom Verifier', async () => {
+  test('verify failed with invalid jwt', async () => {
     const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
     const testSigner: Signer = async (data: string) => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
-      return Crypto.verify(
-        null,
-        Buffer.from(data),
-        publicKey,
-        Buffer.from(sig, 'base64url'),
-      );
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      return false;
     };
 
     const kbJwt = new KBJwt({
@@ -212,17 +261,17 @@ describe('KB JWT', () => {
         iat: 1,
         aud: 'aud',
         nonce: 'nonce',
-        sd_hash: '',
+        sd_hash: 'hash',
       },
     });
-
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
+    decoded.signature = undefined;
     try {
-      await decoded.verify(testVerifier);
+      await decoded.verifyKB({ verifier: testVerifier, payload });
     } catch (e: unknown) {
       const error = e as SDJWTException;
-      expect(error.message).toBe('Invalid Key Binding Jwt');
+      expect(error.message).toBe('Verify Error: Invalid JWT');
     }
   });
 
@@ -232,11 +281,25 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -258,7 +321,10 @@ describe('KB JWT', () => {
 
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
+    const verified = await decoded.verifyKB({
+      verifier: testVerifier,
+      payload,
+    });
     expect(verified).toStrictEqual({
       header: {
         typ: KB_JWT_TYP,