• Public
  • Public/Protected
  • All

This extension allows an app to encrypt and apply digital signatures to m-ld protocol network traffic.

For encryption, a secret key is included in the domain data (using declareSecret, or an equivalent write), and is required to decrypt all operations on the domain. The secret can only be obtained by joining the domain, which in turn requires that the requester is registered as a principal in the domain.

Registering a principal requires that the user has a public/private key pair. The public key is registered in the domain using registerPrincipal (or an equivalent write), e.g.

const aliceKeys = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'der' },
  privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
await clone.write(MeldAclTransportSecurity.registerPrincipal(
  'https://alice.example/profile#me', aliceKeys.publicKey));

To use transport security, every local clone in the access-controlled domain must be initialised with the following members of the MeldApp:

  • An instance of this class as the transportSecurity member. (This extension cannot be loaded dynamically because transport security must be available before the clone can connect to the domain.)
  • An AppPrincipal object as the principal, that represents the current logged-in user. This object will sign data using RSASSA-PKCS1-v1_5 on the extension's request. E.g.:
sign = (data: Buffer) => createSign('RSA-SHA256')


  • MeldAclTransportSecurity




Protected decryptOperation

  • decryptOperation(data: Buffer, key: CryptoKey): Promise<Buffer>
  • Parameters

    • data: Buffer
    • key: CryptoKey

    Returns Promise<Buffer>

Protected encryptOperation

  • encryptOperation(data: Buffer, key: CryptoKey): Promise<Buffer>
  • Parameters

    • data: Buffer
    • key: CryptoKey

    Returns Promise<Buffer>

Protected getPublicKey

  • getPublicKey(principalId: Iri, state: MeldReadState): Promise<CryptoKey>
  • Parameters

    Returns Promise<CryptoKey>

Static declareSecret

  • declareSecret(domainName: string, aesKey: Buffer): Write
  • Shared secret declaration. Insert into the domain data to install the extension. For example (assuming a m-ld clone object):

    clone.write(MeldAclExtensions.declareSecret('test.m-ld.org', randomBytes(16)));


    • domainName: string

      as declared in the MeldConfig of the clone

    • aesKey: Buffer

      a raw AES key, e.g. randomBytes(32)

    Returns Write

Static registerPrincipal

  • registerPrincipal(principalIri: Iri, rsaPublicKeySpki: Buffer): Write
  • Use to register each principal with access to the domain, for example (assuming a m-ld clone object):

      'https://alice.example/profile#me', alicePublicKeySpki));


    • principalIri: Iri

      the principal's identity. As for all domain data, the principal's IRI can be relative (e.g. 'fred').

    • rsaPublicKeySpki: Buffer

      DER & SPKI encoded public key belonging to the principal

    Returns Write


  • Constructor
  • Property
  • Method
  • Property
  • Method
  • Inherited property
  • Inherited method
  • Static property
  • Static method
  • Protected method

Generated using TypeDoc. Delivered by Vercel. @m-ld/m-ld - v0.10.0 Source code licensed MIT. Privacy policy