feat: CRP-2844 CRP-2850 CRP-2853 add Motoko basic IBE backend and enable its use in ICP Ninja (#158)

Also:
* Adds helper functions for the management canister VetKD API and
signing with BLS.
* Removes the frontend declarations from the repo, since they are
generated upon deployment.

Author: altkdf

.github/workflows/examples-basic-ibe.yml

@@ -19,34 +19,65 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
-  examples-basic-ibe-darwin:
+  examples-basic-ibe-rust-darwin:
     runs-on: macos-15
     steps:
       - uses: actions/checkout@v4
       - name: Provision Darwin
         run: |
           bash .github/workflows/provision-darwin.sh
-      - name: Deploy Basic IBE Darwin
+      - name: Deploy Basic IBE Rust Darwin
         run: |
           set -eExuo pipefail
           cargo install candid-extractor
           npm i
-          pushd examples/basic_ibe
-          ./deploy_locally.sh
+          pushd examples/basic_ibe/rust
+          dfx start --background && dfx deploy
           cd frontend
           npm run lint
-  examples-basic-ibe-linux:
+  examples-basic-ibe-rust-linux:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - name: Provision Linux
         run: bash .github/workflows/provision-linux.sh
-      - name: Deploy Basic IBE Linux
+      - name: Deploy Basic IBE Rust Linux
         run: |
           set -eExuo pipefail
           cargo install candid-extractor
           npm i
-          pushd examples/basic_ibe
-          ./deploy_locally.sh
+          pushd examples/basic_ibe/rust
+          dfx start --background && dfx deploy
+          cd frontend
+          npm run lint
+  examples-basic-ibe-motoko-darwin:
+    runs-on: macos-15
+    steps:
+      - uses: actions/checkout@v4
+      - name: Provision Darwin
+        run: |
+          bash .github/workflows/provision-darwin.sh
+      - name: Deploy Basic IBE Motoko Darwin
+        run: |
+          set -eExuo pipefail
+          cargo install candid-extractor
+          npm i
+          pushd examples/basic_ibe/motoko
+          dfx start --background && dfx deploy
+          cd frontend
+          npm run lint
+  examples-basic-ibe-motoko-linux:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Provision Linux
+        run: bash .github/workflows/provision-linux.sh
+      - name: Deploy Basic IBE Motoko Linux
+        run: |
+          set -eExuo pipefail
+          cargo install candid-extractor
+          npm i
+          pushd examples/basic_ibe/motoko
+          dfx start --background && dfx deploy
           cd frontend
           npm run lint 

Cargo.lock

@@ -5,7 +5,6 @@ members = [
     "backend/rs/canisters/ic_vetkeys_encrypted_maps_canister",
     "backend/rs/canisters/ic_vetkeys_manager_canister",
     "backend/rs/canisters/tests",
-    "examples/basic_ibe/backend",
     "examples/password_manager_with_metadata/backend"
 ]
 resolver = "2"

Cargo.toml

@@ -1,5 +1,10 @@
 # Change Log
 
+## [Unreleased]
+
+### Adds
+- Sign with BLS and VetKD helper functions.
+
 ## [0.2.0] - 2025-06-18
 
 ### Fixes

backend/mo/ic_vetkeys/CHANGELOG.md

@@ -0,0 +1,53 @@
+import Blob "mo:base/Blob";
+
+module {
+    public type VetKdKeyid = {
+        curve : { #bls12_381_g2 };
+        name : Text;
+    };
+
+    public type VetkdSystemApi = actor {
+        vetkd_public_key : ({
+            canister_id : ?Principal;
+            context : Blob;
+            key_id : VetKdKeyid;
+        }) -> async ({ public_key : Blob });
+        vetkd_derive_key : ({
+            context : Blob;
+            input : Blob;
+            key_id : VetKdKeyid;
+            transport_public_key : Blob;
+        }) -> async ({ encrypted_key : Blob });
+    };
+
+    public func vetKdDeriveKey(input : Blob, context : Blob, keyId : VetKdKeyid, transportPublicKey : Blob) : async Blob {
+        let request = {
+            context;
+            input;
+            key_id = keyId;
+            transport_public_key = transportPublicKey;
+        };
+        let (reply) = await (with cycles = 26_153_846_153) (actor ("aaaaa-aa") : VetkdSystemApi).vetkd_derive_key(request);
+        reply.encrypted_key;
+    };
+
+    public func vetKdPublicKey(canisterId : ?Principal, context : Blob, VetKdKeyid : VetKdKeyid) : async Blob {
+        let request = {
+            canister_id = canisterId;
+            context;
+            key_id = VetKdKeyid;
+        };
+        let (reply) = await (actor ("aaaaa-aa") : VetkdSystemApi).vetkd_public_key(request);
+        reply.public_key;
+    };
+
+    public func signWithBls(message : Blob, context : Blob, VetKdKeyid : VetKdKeyid) : async Blob {
+        // Encryption with the G1 identity element produces unencrypted vetKeys
+        let pointAtInfinity : Blob = Blob.fromArray([192, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
+        await vetKdDeriveKey(message, context, VetKdKeyid, pointAtInfinity);
+    };
+
+    public func blsPublicKey(canisterId : ?Principal, context : Blob, VetKdKeyid : VetKdKeyid) : async Blob {
+        await vetKdPublicKey(canisterId, context, VetKdKeyid);
+    };
+};

backend/mo/ic_vetkeys/src/ManagementCanister.mo

@@ -47,6 +47,7 @@ import Result "mo:base/Result";
 import Types "../Types";
 import Text "mo:base/Text";
 import Nat8 "mo:base/Nat8";
+import ManagementCanister "../ManagementCanister";
 
 module {
     /// The public verification key used to verify the authenticity of derived vetKeys.
@@ -70,20 +71,6 @@ module {
     /// The public transport key used to encrypt vetKeys for secure transmission.
     public type TransportKey = Blob;
 
-    type VetkdSystemApi = actor {
-        vetkd_public_key : ({
-            canister_id : ?Principal;
-            context : Blob;
-            key_id : { curve : { #bls12_381_g2 }; name : Text };
-        }) -> async ({ public_key : Blob });
-        vetkd_derive_key : ({
-            context : Blob;
-            input : Blob;
-            key_id : { curve : { #bls12_381_g2 }; name : Text };
-            transport_public_key : Blob;
-        }) -> async ({ encrypted_key : Blob });
-    };
-
     func compareKeyIds(a : KeyId, b : KeyId) : { #less; #greater; #equal } {
         let ownersCompare = Principal.compare(a.0, b.0);
         if (ownersCompare == #equal) {
@@ -102,7 +89,7 @@ module {
     };
 
     /// See the module documentation for more information.
-    public class KeyManager<T>(key_id : { curve : { #bls12_381_g2 }; name : Text }, domainSeparator : Text, accessRightsOperations : Types.AccessControlOperations<T>) {
+    public class KeyManager<T>(vetKdKeyId : ManagementCanister.VetKdKeyid, domainSeparator : Text, accessRightsOperations : Types.AccessControlOperations<T>) {
         public var accessControl : OrderedMap.Map<Principal, [(KeyId, T)]> = accessControlMapOps().empty();
         public var sharedKeys : OrderedMap.Map<KeyId, [Principal]> = sharedKeysMapOps().empty();
         let domainSeparatorBytes = Text.encodeUtf8(domainSeparator);
@@ -154,16 +141,7 @@ module {
         /// Retrieves the vetKD verification key for this canister.
         /// This key is used to verify the authenticity of derived vetKeys.
         public func getVetkeyVerificationKey() : async VetKeyVerificationKey {
-            let context = domainSeparatorBytes;
-
-            let request = {
-                canister_id = null;
-                context;
-                key_id;
-            };
-
-            let (reply) = await (actor ("aaaaa-aa") : VetkdSystemApi).vetkd_public_key(request);
-            reply.public_key;
+            await ManagementCanister.vetKdPublicKey(null, domainSeparatorBytes, vetKdKeyId);
         };
 
         /// Retrieves an encrypted vetKey for caller and key id.
@@ -180,17 +158,7 @@ module {
                         Blob.toArray(keyId.1),
                     ]);
 
-                    let context = domainSeparatorBytes;
-
-                    let request = {
-                        input = Blob.fromArray(input);
-                        context;
-                        key_id;
-                        transport_public_key = transportKey;
-                    };
-
-                    let (reply) = await (with cycles = 26_153_846_153) (actor ("aaaaa-aa") : VetkdSystemApi).vetkd_derive_key(request);
-                    #ok(reply.encrypted_key);
+                    #ok(await ManagementCanister.vetKdDeriveKey(Blob.fromArray(input), domainSeparatorBytes, vetKdKeyId, transportKey));
                 };
             };
         };

backend/mo/ic_vetkeys/src/key_manager/KeyManager.mo

@@ -1,5 +1,6 @@
 import KeyManagerModule "key_manager/KeyManager";
 import EncryptedMapsModule "encrypted_maps/EncryptedMaps";
+import ManagementCanisterModule "ManagementCanister";
 import Types "Types";
 
 module {
@@ -9,4 +10,6 @@ module {
 
     public let KeyManager = KeyManagerModule;
     public let EncryptedMaps = EncryptedMapsModule;
+
+    public let ManagementCanister = ManagementCanisterModule;
 };

backend/mo/ic_vetkeys/src/lib.mo

@@ -32,10 +32,13 @@ npm install
 
 ### Deploy the Canisters
 
-Run the local deployment script, which starts the local development environment (`dfx`) if necessary, builds both backend and frontend (asset) canisters, and installs them locally.
+If you want to deploy this project locally with a Motoko backend, then run:
 ```bash
-bash deploy_locally.sh
+dfx start --background && dfx deploy
 ```
+from the `motoko` folder.
+
+To use the Rust backend instead of Motoko, run the same command in the `rust` folder.
 
 ## Example Components
 
@@ -50,7 +53,7 @@ The backend consists of a canister that:
 
 The frontend is a vanilla typescript application providing a simple interface for sending, receiving, and deleting encrypted messages.
 
-To run the frontend in development mode with hot reloading (after running `deploy_locally.sh`):
+To run the frontend in development mode with hot reloading (after running `dfx deploy`):
 
 ```bash
 npm run dev