dfinity
diff --git a/‎Cargo.lock‎
Lines changed: 3 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎backend/mo/canisters/ic_vetkeys_encrypted_maps_canister/src/Main.mo‎
Lines changed: 19 additions & 19 deletions b/‎backend/mo/canisters/ic_vetkeys_encrypted_maps_canister/src/Main.mo‎
Lines changed: 19 additions & 19 deletions
diff --git a/‎backend/mo/canisters/ic_vetkeys_manager_canister/src/Main.mo‎
Lines changed: 10 additions & 12 deletions b/‎backend/mo/canisters/ic_vetkeys_manager_canister/src/Main.mo‎
Lines changed: 10 additions & 12 deletions
diff --git a/‎backend/mo/ic_vetkeys/src/key_manager/KeyManager.mo‎
Lines changed: 2 additions & 2 deletions b/‎backend/mo/ic_vetkeys/src/key_manager/KeyManager.mo‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎backend/rs/canisters/ic_vetkeys_encrypted_maps_canister/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎backend/rs/canisters/ic_vetkeys_encrypted_maps_canister/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎backend/rs/canisters/ic_vetkeys_encrypted_maps_canister/tests/tests.rs‎
Lines changed: 51 additions & 18 deletions b/‎backend/rs/canisters/ic_vetkeys_encrypted_maps_canister/tests/tests.rs‎
Lines changed: 51 additions & 18 deletions
@@ -7,10 +7,9 @@ import Result "mo:base/Result";
 import Array "mo:base/Array";
 
 persistent actor class (keyName : Text) {
-    let encryptedMapsState = IcVetkeys.EncryptedMaps.newEncryptedMapsState<Types.AccessRights>(
-        { curve = #bls12_381_g2; name = keyName },
-        "encrypted maps dapp",
-    );
+    let encryptedMapsState = IcVetkeys.EncryptedMaps.newEncryptedMapsState<Types.AccessRights>({ curve = #bls12_381_g2; name = "" }, "encrypted maps dapp");
+    encryptedMapsState.keyManager.vetKdKeyId := { curve = #bls12_381_g2; name = keyName };
+    transient let encryptedMaps = IcVetkeys.EncryptedMaps.EncryptedMaps<Types.AccessRights>(encryptedMapsState, Types.accessRightsOperations());
 
     /// In this canister, we use the `ByteBuf` type to represent blobs. The reason is that we want to be consistent with the Rust canister implementation.
     /// Unfortunately, the `Blob` type cannot be serialized/deserialized in the current Rust implementation efficiently without nesting it in another type.
@@ -35,7 +34,7 @@ persistent actor class (keyName : Text) {
 
     public query (msg) func get_accessible_shared_map_names() : async [(Principal, ByteBuf)] {
         Array.map<(Principal, Blob), (Principal, ByteBuf)>(
-            getEncryptedMaps().getAccessibleSharedMapNames(msg.caller),
+            encryptedMaps.getAccessibleSharedMapNames(msg.caller),
 
             func((principal, blob) : (Principal, Blob)) {
                 (principal, { inner = blob });
@@ -47,14 +46,14 @@ persistent actor class (keyName : Text) {
         map_owner : Principal,
         map_name : ByteBuf,
     ) : async Result<[(Principal, Types.AccessRights)], Text> {
-        convertResult(getEncryptedMaps().getSharedUserAccessForMap(msg.caller, (map_owner, map_name.inner)));
+        convertResult(encryptedMaps.getSharedUserAccessForMap(msg.caller, (map_owner, map_name.inner)));
     };
 
     public query (msg) func get_encrypted_values_for_map(
         map_owner : Principal,
         map_name : ByteBuf,
     ) : async Result<[(ByteBuf, ByteBuf)], Text> {
-        let result = getEncryptedMaps().getEncryptedValuesForMap(msg.caller, (map_owner, map_name.inner));
+        let result = encryptedMaps.getEncryptedValuesForMap(msg.caller, (map_owner, map_name.inner));
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(values)) {
@@ -72,7 +71,7 @@ persistent actor class (keyName : Text) {
 
     public query (msg) func get_all_accessible_encrypted_values() : async [((Principal, ByteBuf), [(ByteBuf, ByteBuf)])] {
         Array.map<((Principal, Blob), [(Blob, Blob)]), ((Principal, ByteBuf), [(ByteBuf, ByteBuf)])>(
-            getEncryptedMaps().getAllAccessibleEncryptedValues(msg.caller),
+            encryptedMaps.getAllAccessibleEncryptedValues(msg.caller),
             func(((owner, map_name), values) : ((Principal, Blob), [(Blob, Blob)])) {
                 (
                     (owner, { inner = map_name }),
@@ -89,7 +88,7 @@ persistent actor class (keyName : Text) {
 
     public query (msg) func get_all_accessible_encrypted_maps() : async [EncryptedMapData] {
         Array.map<IcVetkeys.EncryptedMaps.EncryptedMapData<Types.AccessRights>, EncryptedMapData>(
-            getEncryptedMaps().getAllAccessibleEncryptedMaps(msg.caller),
+            encryptedMaps.getAllAccessibleEncryptedMaps(msg.caller),
             func(map : IcVetkeys.EncryptedMaps.EncryptedMapData<Types.AccessRights>) : EncryptedMapData {
                 {
                     map_owner = map.map_owner;
@@ -111,7 +110,7 @@ persistent actor class (keyName : Text) {
         map_name : ByteBuf,
         map_key : ByteBuf,
     ) : async Result<?ByteBuf, Text> {
-        let result = getEncryptedMaps().getEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
+        let result = encryptedMaps.getEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(null)) { #Ok(null) };
@@ -123,7 +122,7 @@ persistent actor class (keyName : Text) {
         map_owner : Principal,
         map_name : ByteBuf,
     ) : async Result<[ByteBuf], Text> {
-        let result = getEncryptedMaps().removeMapValues(msg.caller, (map_owner, map_name.inner));
+        let result = encryptedMaps.removeMapValues(msg.caller, (map_owner, map_name.inner));
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(values)) {
@@ -141,7 +140,7 @@ persistent actor class (keyName : Text) {
 
     public query (msg) func get_owned_non_empty_map_names() : async [ByteBuf] {
         Array.map<Blob, ByteBuf>(
-            getEncryptedMaps().getOwnedNonEmptyMapNames(msg.caller),
+            encryptedMaps.getOwnedNonEmptyMapNames(msg.caller),
             func(blob : Blob) : ByteBuf {
                 { inner = blob };
             },
@@ -154,7 +153,8 @@ persistent actor class (keyName : Text) {
         map_key : ByteBuf,
         value : ByteBuf,
     ) : async Result<?ByteBuf, Text> {
-        let result = getEncryptedMaps().insertEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner, value.inner);
+        let result = encryptedMaps.insertEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner, value.inner);
+
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(null)) { #Ok(null) };
@@ -167,7 +167,7 @@ persistent actor class (keyName : Text) {
         map_name : ByteBuf,
         map_key : ByteBuf,
     ) : async Result<?ByteBuf, Text> {
-        let result = getEncryptedMaps().removeEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
+        let result = encryptedMaps.removeEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(null)) { #Ok(null) };
@@ -176,7 +176,7 @@ persistent actor class (keyName : Text) {
     };
 
     public shared func get_vetkey_verification_key() : async ByteBuf {
-        let inner = await getEncryptedMaps().getVetkeyVerificationKey();
+        let inner = await encryptedMaps.getVetkeyVerificationKey();
         { inner };
     };
 
@@ -185,7 +185,7 @@ persistent actor class (keyName : Text) {
         map_name : ByteBuf,
         transport_key : ByteBuf,
     ) : async Result<ByteBuf, Text> {
-        let result = await getEncryptedMaps().getEncryptedVetkey(msg.caller, (map_owner, map_name.inner), transport_key.inner);
+        let result = await encryptedMaps.getEncryptedVetkey(msg.caller, (map_owner, map_name.inner), transport_key.inner);
         switch (result) {
             case (#err(e)) { #Err(e) };
             case (#ok(vetkey)) { #Ok({ inner = vetkey }) };
@@ -197,7 +197,7 @@ persistent actor class (keyName : Text) {
         map_name : ByteBuf,
         user : Principal,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getEncryptedMaps().getUserRights(msg.caller, (map_owner, map_name.inner), user));
+        convertResult(encryptedMaps.getUserRights(msg.caller, (map_owner, map_name.inner), user));
     };
 
     public shared (msg) func set_user_rights(
@@ -206,15 +206,15 @@ persistent actor class (keyName : Text) {
         user : Principal,
         access_rights : Types.AccessRights,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getEncryptedMaps().setUserRights(msg.caller, (map_owner, map_name.inner), user, access_rights));
+        convertResult(encryptedMaps.setUserRights(msg.caller, (map_owner, map_name.inner), user, access_rights));
     };
 
     public shared (msg) func remove_user(
         map_owner : Principal,
         map_name : ByteBuf,
         user : Principal,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getEncryptedMaps().removeUser(msg.caller, (map_owner, map_name.inner), user));
+        convertResult(encryptedMaps.removeUser(msg.caller, (map_owner, map_name.inner), user));
     };
 
     /// Convert to the result type compatible with Rust's `Result`
 
@@ -7,11 +7,9 @@ import Result "mo:base/Result";
 import Array "mo:base/Array";
 
 persistent actor class (keyName : Text) {
-    let keyManagerState = IcVetkeys.KeyManager.newKeyManagerState<Types.AccessRights>({ curve = #bls12_381_g2; name = keyName }, "key manager");
-
-    func getKeyManager() : IcVetkeys.KeyManager.KeyManager<Types.AccessRights> {
-        IcVetkeys.KeyManager.KeyManager<Types.AccessRights>(keyManagerState, Types.accessRightsOperations());
-    };
+    let keyManagerState = IcVetkeys.KeyManager.newKeyManagerState<Types.AccessRights>({ curve = #bls12_381_g2; name = "" }, "key manager");
+    keyManagerState.vetKdKeyId := { curve = #bls12_381_g2; name = keyName };
+    transient let keyManager = IcVetkeys.KeyManager.KeyManager<Types.AccessRights>(keyManagerState, Types.accessRightsOperations());
 
     /// In this canister, we use the `ByteBuf` type to represent blobs. The reason is that we want to be consistent with the Rust canister implementation.
     /// Unfortunately, the `Blob` type cannot be serialized/deserialized in the current Rust implementation efficiently without nesting it in another type.
@@ -25,7 +23,7 @@ persistent actor class (keyName : Text) {
 
     public query (msg) func get_accessible_shared_key_ids() : async [(Principal, ByteBuf)] {
         Array.map<(Principal, Blob), (Principal, ByteBuf)>(
-            getKeyManager().getAccessibleSharedKeyIds(msg.caller),
+            keyManager.getAccessibleSharedKeyIds(msg.caller),
             func((principal, blob) : (Principal, Blob)) {
                 (principal, { inner = blob });
             },
@@ -36,11 +34,11 @@ persistent actor class (keyName : Text) {
         key_owner : Principal,
         key_name : ByteBuf,
     ) : async Result<[(Principal, Types.AccessRights)], Text> {
-        convertResult(getKeyManager().getSharedUserAccessForKey(msg.caller, (key_owner, key_name.inner)));
+        convertResult(keyManager.getSharedUserAccessForKey(msg.caller, (key_owner, key_name.inner)));
     };
 
     public shared func get_vetkey_verification_key() : async ByteBuf {
-        let inner = await getKeyManager().getVetkeyVerificationKey();
+        let inner = await keyManager.getVetkeyVerificationKey();
         { inner };
     };
 
@@ -49,7 +47,7 @@ persistent actor class (keyName : Text) {
         key_name : ByteBuf,
         transport_key : ByteBuf,
     ) : async Result<ByteBuf, Text> {
-        let vetkeyBytebuf = await getKeyManager().getEncryptedVetkey(msg.caller, (key_owner, key_name.inner), transport_key.inner);
+        let vetkeyBytebuf = await keyManager.getEncryptedVetkey(msg.caller, (key_owner, key_name.inner), transport_key.inner);
         switch (vetkeyBytebuf) {
             case (#err(e)) { #Err(e) };
             case (#ok(inner)) { #Ok({ inner }) };
@@ -61,7 +59,7 @@ persistent actor class (keyName : Text) {
         key_name : ByteBuf,
         user : Principal,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getKeyManager().getUserRights(msg.caller, (key_owner, key_name.inner), user));
+        convertResult(keyManager.getUserRights(msg.caller, (key_owner, key_name.inner), user));
     };
 
     public shared (msg) func set_user_rights(
@@ -70,15 +68,15 @@ persistent actor class (keyName : Text) {
         user : Principal,
         access_rights : Types.AccessRights,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getKeyManager().setUserRights(msg.caller, (key_owner, key_name.inner), user, access_rights));
+        convertResult(keyManager.setUserRights(msg.caller, (key_owner, key_name.inner), user, access_rights));
     };
 
     public shared (msg) func remove_user(
         key_owner : Principal,
         key_name : ByteBuf,
         user : Principal,
     ) : async Result<?Types.AccessRights, Text> {
-        convertResult(getKeyManager().removeUserRights(msg.caller, (key_owner, key_name.inner), user));
+        convertResult(keyManager.removeUserRights(msg.caller, (key_owner, key_name.inner), user));
     };
 
     /// Convert to the result type compatible with Rust's `Result`
 
@@ -91,15 +91,15 @@ module {
     public type KeyManagerState<T> = {
         var accessControl : OrderedMap.Map<Principal, [(KeyId, T)]>;
         var sharedKeys : OrderedMap.Map<KeyId, [Principal]>;
-        vetKdKeyId : ManagementCanister.VetKdKeyid;
+        var vetKdKeyId : ManagementCanister.VetKdKeyid;
         domainSeparator : Text;
     };
 
     public func newKeyManagerState<T>(vetKdKeyId : ManagementCanister.VetKdKeyid, domainSeparator : Text) : KeyManagerState<T> {
         {
             var accessControl = accessControlMapOps().empty();
             var sharedKeys = sharedKeysMapOps().empty();
-            vetKdKeyId;
+            var vetKdKeyId = vetKdKeyId;
             domainSeparator;
         };
     };
 
@@ -23,6 +23,7 @@ serde = "1.0.217"
 
 [dev-dependencies]
 assert_matches = "1.5.0"
+ic-vetkeys-test-utils = { path = "../../ic_vetkeys_test_utils" }
 pocket-ic = "9.0.0"
 rand = "0.8.5"
 rand_chacha = "0.3.1"
 
@@ -6,6 +6,7 @@ use ic_vetkeys::encrypted_maps::{VetKey, VetKeyVerificationKey};
 use ic_vetkeys::key_manager::key_id_to_vetkd_input;
 use ic_vetkeys::types::{AccessControl, AccessRights, ByteBuf, TransportKey};
 use ic_vetkeys::{DerivedPublicKey, EncryptedVetKey, TransportSecretKey};
+use ic_vetkeys_test_utils::upgrade_for_enhanced_orthogonal_persistence;
 use pocket_ic::{PocketIc, PocketIcBuilder};
 use rand::{CryptoRng, Rng, SeedableRng};
 use rand_chacha::ChaCha20Rng;
@@ -896,15 +897,35 @@ fn should_survive_canister_upgrade() {
     )
     .unwrap();
 
-    let wasm_bytes = load_encrypted_maps_example_canister_wasm();
-    env.pic
-        .upgrade_canister(
+    let obtained_value = env
+        .query::<Result<Option<ByteBuf>, String>>(
+            env.principal_0,
+            "get_encrypted_value",
+            encode_args((env.principal_0, map_name.clone(), map_key.clone())).unwrap(),
+        )
+        .unwrap();
+
+    assert_eq!(obtained_value, Some(encrypted_value.clone()));
+
+    let (wasm_bytes, enhanced_orthogonal_persistence) = load_encrypted_maps_example_canister_wasm();
+
+    if enhanced_orthogonal_persistence {
+        upgrade_for_enhanced_orthogonal_persistence(
+            &env.pic,
             env.example_canister_id,
             wasm_bytes,
             encode_one("dfx_test_key").unwrap(),
-            None,
-        )
-        .unwrap();
+        );
+    } else {
+        env.pic
+            .upgrade_canister(
+                env.example_canister_id,
+                wasm_bytes,
+                encode_one("dfx_test_key").unwrap(),
+                None,
+            )
+            .unwrap();
+    }
 
     let encrypted_vetkey_1 = env
         .update::<Result<VetKey, String>>(
@@ -929,7 +950,10 @@ fn should_survive_canister_upgrade() {
         )
         .unwrap();
 
-    assert_eq!(obtained_value, Some(encrypted_value.clone()));
+    assert!(
+        obtained_value == Some(encrypted_value.clone()),
+        "{obtained_value:?}"
+    );
 }
 
 pub fn reproducible_rng() -> ChaCha20Rng {
@@ -957,7 +981,7 @@ impl TestEnvironment {
         let example_canister_id = pic.create_canister();
         pic.add_cycles(example_canister_id, 2_000_000_000_000);
 
-        let example_wasm_bytes = load_encrypted_maps_example_canister_wasm();
+        let (example_wasm_bytes, _) = load_encrypted_maps_example_canister_wasm();
         pic.install_canister(
             example_canister_id,
             example_wasm_bytes,
@@ -1007,17 +1031,26 @@ impl TestEnvironment {
     }
 }
 
-fn load_encrypted_maps_example_canister_wasm() -> Vec<u8> {
-    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
-        Ok(path) if !path.is_empty() => path,
-        _ => format!(
-            "{}/target/wasm32-unknown-unknown/release/ic_vetkeys_encrypted_maps_canister.wasm",
-            git_root_dir()
-        ),
-    };
+fn load_encrypted_maps_example_canister_wasm() -> (Vec<u8>, bool) {
+    let (wasm_path_string, enhanced_orthogonal_persistence) =
+        match std::env::var("CUSTOM_WASM_PATH") {
+            Ok(path) if !path.is_empty() => (path, true),
+            _ => (
+                format!(
+                "{}/target/wasm32-unknown-unknown/release/ic_vetkeys_encrypted_maps_canister.wasm",
+                git_root_dir()
+            ),
+                false,
+            ),
+        };
     let wasm_path = Path::new(&wasm_path_string);
-    std::fs::read(wasm_path)
-        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
+
+    (
+        std::fs::read(wasm_path).expect(
+            "wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`",
+        ),
+        enhanced_orthogonal_persistence,
+    )
 }
 
 fn random_transport_key<R: Rng + CryptoRng>(rng: &mut R) -> TransportSecretKey {