Skip to content

valkyoth/vardheim

Repository files navigation

Security-first ACME and certificate lifecycle foundations for Rust.
Strict protocol boundaries, durable workflow planning, no_std portability, and security-gated release evidence.


Vardheim Rust crate overview

vardheim

vardheim is a no_std-first Rust workspace for security-focused ACME and certificate lifecycle building blocks.

The project target is a serious production-ready certificate lifecycle framework at 1.0.0, reached through small releases with explicit RFC, security, compatibility, dependency, testing, and pentest evidence. Protocol logic remains separate from networking, runtimes, cryptographic providers, challenge presentation, persistent storage, and certificate deployment.

Current Status

Status: v0.3.1 released; pentest, remediation retest, and GitHub checks passed.

Vardheim does not issue, validate, renew, revoke, or deploy certificates yet. The current release establishes the crate boundaries and enforcement needed before security-sensitive protocol implementation begins.

Implemented now:

  • Rust workspace pinned to stable 1.97.0.
  • MSRV policy and verified checks for Rust 1.90.0 through 1.97.0.
  • Dependency-free no_std facade, core, and challenge-family crates.
  • Future-proof HTTP, DNS, and TLS challenge crate boundaries.
  • Workspace-wide #![forbid(unsafe_code)].
  • Maximum 500-line policy for every Rust source file.
  • MIT OR Apache-2.0 licensing.
  • GitHub CI, CODEOWNERS, funding, Dependabot, and SHA-pinned Actions.
  • GitHub CodeQL Default setup policy.
  • cargo-deny, cargo-audit, package, documentation, and SPDX SBOM gates.
  • Mandatory pentest bound to the reviewed implementation before every tag.
  • Independent crate versions and dependency-ordered publication enforcement.
  • Complete implementation and version plan through 1.0.0.
  • Tracked, byte-locked reference copies of all required RFC texts, excluded from published crates.
  • Generated proof that all normative RFC references from every published ACME family document are present in the 105-document local source set.
  • Complete generated section index for all tracked RFCs and reviewed all-status errata evidence for every published ACME RFC.
  • Complete bounded fixtures for all 107 records in all 13 IANA ACME registries, current HTTP replacements, supporting standards, and pinned external-profile revisions.
  • Complete inventory of all normative non-RFC ACME sources, including byte-pinned supporting IANA registries and exact external revisions.
  • Linux, Windows, BSD, macOS, Android, iOS, and future custom-target architecture requirements.

Not implemented yet:

  • No ACME directory or account operations.
  • No JOSE, JWK, JWS, EAB, or nonce implementation.
  • No order, authorization, challenge, finalization, or revocation workflow.
  • No CSR or certificate parsing and verification.
  • No HTTP, DNS, TLS, cryptographic, storage, or deployment backend.
  • No durable orchestration, CLI, daemon, or remote agent.
  • No stable RFC conformance claim.

Every missing item has a concrete pre-1.0 version in the release plan. There is no unversioned post-1.0 backlog for known requirements.

Trust Dashboard

Area Status
License MIT OR Apache-2.0
MSRV Rust 1.90.0
Pinned toolchain Rust 1.97.0
Default target no_std
External dependencies zero
Unsafe policy first-party crates use #![forbid(unsafe_code)]
Default networking none
Default cryptographic backend none
Maximum Rust source size 500 physical lines
Release evidence checks, deny, audit, SBOM, reviewed-implementation pentest
crates.io payload Cargo metadata, crate README, and Rust source only
Panic policy application-owned; expected failures use typed errors
Current RFC conformance none claimed
1.0 target complete production-ready ACME lifecycle framework

Install

The latest published foundation release is:

[dependencies]
vardheim = "0.3.1"

Most users should depend only on vardheim. Lower-level crates exist for applications that need direct protocol or challenge-family boundaries.

Workspace Crates

Crate Responsibility
vardheim public facade and common re-exports
vardheim-core bounded, runtime-independent ACME protocol foundations
vardheim-challenge-http current and future HTTP challenge methods
vardheim-challenge-dns current and future DNS challenge methods
vardheim-challenge-tls current and future TLS challenge methods

The challenge crate names intentionally do not contain protocol revision numbers. For example, dns-01 and a future dns-02 belong to versioned modules inside vardheim-challenge-dns, not separate packages.

vardheim-rustls is assigned to version 0.51.0, after the generic TLS challenge identity boundary is complete. vardheim-pkix is assigned to 0.28.1 as the dependency-light certificate parsing and verification boundary. Heavy crypto, DNS SDK, runtime, database, HTTP framework, and TLS integrations remain separate explicitly selected adapter packages rather than features of the portable core or challenge crates.

Rust Version Support

The minimum supported Rust version is 1.90.0. New development and release verification use pinned stable Rust 1.97.0.

Rust Required evidence
1.90.0 cargo check --workspace --all-features
1.91.0 cargo check --workspace --all-features
1.92.0 cargo check --workspace --all-features
1.93.0 cargo check --workspace --all-features
1.94.0 cargo check --workspace --all-features
1.95.0 cargo check --workspace --all-features
1.96.0 cargo check --workspace --all-features
1.96.1 cargo check --workspace --all-features
1.97.0 full local and release gates

Platform Policy

Runtime-independent crates must remain portable across Linux, Windows, BSD, macOS, Android, iOS, and custom no_std targets. Platform-specific adapters live outside the core and fail closed on unsupported targets. Clocks, entropy, networking, storage, signing, allocation, and deployment remain injectable so a future custom operating system is not locked out.

Security And Release Policy

Every release, including patches and release candidates, stops for an independent pentest of the exact implementation commit. A tag cannot pass the release gate without a permanent Status: PASS report.

Read:

Development

scripts/checks.sh
scripts/check-rust-version-matrix.sh
cargo deny check
cargo audit
scripts/generate-sbom.sh
scripts/release_crates.py --check
scripts/validate-package-contents.py
python3 scripts/test-package-contents.py
python3 scripts/audit_release_plan.py docs/RELEASE_PLAN.md
python3 scripts/test-release-plan-audit.py
scripts/rfc_inventory.py
scripts/rfc_errata.py
scripts/registry_baseline.py
python3 scripts/test-registry-baseline.py

The networked freshness check verifies pinned Cargo tools and GitHub Actions:

scripts/check_latest_tools.sh

License

Licensed under either of:

  • Apache License, Version 2.0
  • MIT License

at your option.

About

Security-first, no_std ACME and certificate lifecycle framework for Rust, built through RFC-driven, fully tested release milestones.

Topics

Resources

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Sponsor this project

  •  

Packages

 
 
 

Contributors