Security-first ACME and certificate lifecycle foundations for Rust.
Strict protocol boundaries, durable workflow planning, no_std portability, and security-gated release evidence.
vardheim is a no_std-first Rust workspace for security-focused ACME and
certificate lifecycle building blocks.
The project target is a serious production-ready certificate lifecycle
framework at 1.0.0, reached through small releases with explicit RFC,
security, compatibility, dependency, testing, and pentest evidence. Protocol
logic remains separate from networking, runtimes, cryptographic providers,
challenge presentation, persistent storage, and certificate deployment.
Status: v0.3.1 released; pentest, remediation retest, and GitHub checks
passed.
Vardheim does not issue, validate, renew, revoke, or deploy certificates yet. The current release establishes the crate boundaries and enforcement needed before security-sensitive protocol implementation begins.
Implemented now:
- Rust workspace pinned to stable
1.97.0. - MSRV policy and verified checks for Rust
1.90.0through1.97.0. - Dependency-free
no_stdfacade, core, and challenge-family crates. - Future-proof HTTP, DNS, and TLS challenge crate boundaries.
- Workspace-wide
#![forbid(unsafe_code)]. - Maximum 500-line policy for every Rust source file.
- MIT OR Apache-2.0 licensing.
- GitHub CI, CODEOWNERS, funding, Dependabot, and SHA-pinned Actions.
- GitHub CodeQL Default setup policy.
- cargo-deny, cargo-audit, package, documentation, and SPDX SBOM gates.
- Mandatory pentest bound to the reviewed implementation before every tag.
- Independent crate versions and dependency-ordered publication enforcement.
- Complete implementation and version plan through
1.0.0. - Tracked, byte-locked reference copies of all required RFC texts, excluded from published crates.
- Generated proof that all normative RFC references from every published ACME family document are present in the 105-document local source set.
- Complete generated section index for all tracked RFCs and reviewed all-status errata evidence for every published ACME RFC.
- Complete bounded fixtures for all 107 records in all 13 IANA ACME registries, current HTTP replacements, supporting standards, and pinned external-profile revisions.
- Complete inventory of all normative non-RFC ACME sources, including byte-pinned supporting IANA registries and exact external revisions.
- Linux, Windows, BSD, macOS, Android, iOS, and future custom-target architecture requirements.
Not implemented yet:
- No ACME directory or account operations.
- No JOSE, JWK, JWS, EAB, or nonce implementation.
- No order, authorization, challenge, finalization, or revocation workflow.
- No CSR or certificate parsing and verification.
- No HTTP, DNS, TLS, cryptographic, storage, or deployment backend.
- No durable orchestration, CLI, daemon, or remote agent.
- No stable RFC conformance claim.
Every missing item has a concrete pre-1.0 version in the release plan. There is no unversioned post-1.0 backlog for known requirements.
| Area | Status |
|---|---|
| License | MIT OR Apache-2.0 |
| MSRV | Rust 1.90.0 |
| Pinned toolchain | Rust 1.97.0 |
| Default target | no_std |
| External dependencies | zero |
| Unsafe policy | first-party crates use #![forbid(unsafe_code)] |
| Default networking | none |
| Default cryptographic backend | none |
| Maximum Rust source size | 500 physical lines |
| Release evidence | checks, deny, audit, SBOM, reviewed-implementation pentest |
| crates.io payload | Cargo metadata, crate README, and Rust source only |
| Panic policy | application-owned; expected failures use typed errors |
| Current RFC conformance | none claimed |
| 1.0 target | complete production-ready ACME lifecycle framework |
The latest published foundation release is:
[dependencies]
vardheim = "0.3.1"Most users should depend only on vardheim. Lower-level crates exist for
applications that need direct protocol or challenge-family boundaries.
| Crate | Responsibility |
|---|---|
vardheim |
public facade and common re-exports |
vardheim-core |
bounded, runtime-independent ACME protocol foundations |
vardheim-challenge-http |
current and future HTTP challenge methods |
vardheim-challenge-dns |
current and future DNS challenge methods |
vardheim-challenge-tls |
current and future TLS challenge methods |
The challenge crate names intentionally do not contain protocol revision
numbers. For example, dns-01 and a future dns-02 belong to versioned
modules inside vardheim-challenge-dns, not separate packages.
vardheim-rustls is assigned to version 0.51.0, after the generic TLS
challenge identity boundary is complete. vardheim-pkix is assigned to
0.28.1 as the dependency-light certificate parsing and verification
boundary. Heavy crypto, DNS SDK, runtime, database, HTTP framework, and TLS
integrations remain separate explicitly selected adapter packages rather than
features of the portable core or challenge crates.
The minimum supported Rust version is 1.90.0. New development and release
verification use pinned stable Rust 1.97.0.
| Rust | Required evidence |
|---|---|
1.90.0 |
cargo check --workspace --all-features |
1.91.0 |
cargo check --workspace --all-features |
1.92.0 |
cargo check --workspace --all-features |
1.93.0 |
cargo check --workspace --all-features |
1.94.0 |
cargo check --workspace --all-features |
1.95.0 |
cargo check --workspace --all-features |
1.96.0 |
cargo check --workspace --all-features |
1.96.1 |
cargo check --workspace --all-features |
1.97.0 |
full local and release gates |
Runtime-independent crates must remain portable across Linux, Windows, BSD,
macOS, Android, iOS, and custom no_std targets. Platform-specific adapters
live outside the core and fail closed on unsupported targets. Clocks, entropy,
networking, storage, signing, allocation, and deployment remain injectable so a
future custom operating system is not locked out.
Every release, including patches and release candidates, stops for an
independent pentest of the exact implementation commit. A tag cannot pass the
release gate without a permanent Status: PASS report.
Read:
- Architecture
- Implementation plan
- Release plan
- Longitudinal regression strategy
- ACME completeness contract
- RFC inventory
- Registry baseline
- RFC errata baseline
- Threat model
- Security controls
- Compatibility
- Release process
- Crate release policy
scripts/checks.sh
scripts/check-rust-version-matrix.sh
cargo deny check
cargo audit
scripts/generate-sbom.sh
scripts/release_crates.py --check
scripts/validate-package-contents.py
python3 scripts/test-package-contents.py
python3 scripts/audit_release_plan.py docs/RELEASE_PLAN.md
python3 scripts/test-release-plan-audit.py
scripts/rfc_inventory.py
scripts/rfc_errata.py
scripts/registry_baseline.py
python3 scripts/test-registry-baseline.pyThe networked freshness check verifies pinned Cargo tools and GitHub Actions:
scripts/check_latest_tools.shLicensed under either of:
- Apache License, Version 2.0
- MIT License
at your option.