Thornwood is a Pine-maintained Rust cryptography workspace and rustls
CryptoProvider. It is built for deployments that want modern cryptography, a
C-free cryptographic build graph, and a dependency boundary that can be reviewed
down to the primitive layer.
The project is built for long-term ownership: verified arithmetic where a rigorous no-C component exists, owned Rust protocol and provider glue around that arithmetic, and a single isolated crate for the unsafe assembly boundary.
Thornwood is pre-1.0. The v0.1.0 tag is the first signed source release and
semver anchor; no crates have been published to crates.io yet. External adopters
should treat Thornwood as pre-production until independent audit, broader binary
constant-time validation, and release hardening are complete.
- Hashing and key derivation: SHA-2, SHA-3/SHAKE, BLAKE2b, HMAC, and HKDF.
- Authenticated encryption: AES-128/256-GCM with table-free AES and GHASH.
- Public-key cryptography: X25519, P-256/P-384 ECDH, Ed25519, P-256/P-384 ECDSA, and RSA PKCS#1 v1.5/PSS signing and verification.
- Post-quantum and PAKE: ML-KEM-768, X25519MLKEM768, RFC 9497 OPRF, RFC 9807 OPAQUE, and RFC 9106 Argon2id.
- TLS integration: a C-free
rustlsCryptoProviderfor TLS 1.3 and TLS 1.2, including AES-GCM suites, ECDHE, X25519MLKEM768, HKDF, and certificate signing and verification.
- Verified arithmetic where available: s2n-bignum assembly and fiat-crypto Rust field arithmetic.
- Owned Rust implementations for the hash, MAC, AES-GCM, ML-KEM, OPRF, OPAQUE, parser, key-type, and provider layers.
- Official vectors, Wycheproof coverage, differential and property tests, fuzzing harnesses, and native binary constant-time checks.
- No
unsafeoutsidepine-thornwood-s2n. - No
ring,aws-lc-rs,openssl, ornative-tlsin the compiled cryptographic build graph.
The assurance bar is described in more detail in ARCHITECTURE.md and ASSURANCE.md.
Thornwood is intentionally narrow. It is not a compatibility layer for legacy cryptography, a drop-in replacement for OpenSSL, or a promise to implement every algorithm a general-purpose crypto library might carry. The focus is a modern, auditable Rust provider stack for TLS and application cryptography.
Design choices are documented in ARCHITECTURE.md, threat boundaries in THREAT_MODEL.md, and support expectations in SUPPORT.md.
| Crate | Role |
|---|---|
pine-thornwood |
Public umbrella crate for AES-GCM, ECDSA, Ed25519, RSA, and the lower cryptographic layers. |
pine-thornwood-hash |
SHA-2, SHA-3/SHAKE, BLAKE2b, HMAC, HKDF, and constant-time comparison. |
pine-thornwood-s2n |
Vendored s2n-bignum assembly and the only crate allowed to contain unsafe. |
pine-thornwood-fiat |
Coq-verified fiat-crypto P-256 field backend for wasm-oriented P-256 use. |
pine-thornwood-ec |
X25519, P-256/P-384 ECDH, ECDSA verification, RFC 9497 OPRF, and RFC 9380 hash-to-curve. |
pine-thornwood-mlkem |
From-scratch ML-KEM-768 implementation. |
pine-thornwood-pake |
Argon2id and RFC 9807 OPAQUE. |
pine-thornwood-rustls |
C-free rustls provider for TLS 1.3 and TLS 1.2. |
Each crate has its own README under crates/.
Until crates are published to a registry, depend on Thornwood by signed git tag:
[dependencies]
pine-thornwood-rustls = { git = "https://github.com/pine-org/thornwood", tag = "v0.1.0" }Release tags are annotated and SSH-signed. Verify them with release-signers.allowed_signers:
git -c gpg.format=ssh \
-c gpg.ssh.allowedSignersFile=release-signers.allowed_signers \
verify-tag v0.1.0Install the provider as the process-wide rustls default, then build
ClientConfig and ServerConfig values from it:
pine_thornwood_rustls::provider()
.install_default()
.expect("install Thornwood as the default rustls CryptoProvider");On Linux, a C-free and libc-free build depends on selecting getrandom's
raw-syscall backend in the downstream crate:
[build]
rustflags = ['--cfg', 'getrandom_backend="linux_raw"']The compiled graph is the C-free ground truth. ring and cc appear in
Cargo.lock only as inactive optional-feature candidates of rustls-webpki; the
workspace keeps that ring feature disabled.
Thornwood is pre-1.0 software at version 0.1.0. Breaking changes can land before 1.0 when they improve the security model, API clarity, or long-term maintainability.
The minimum supported Rust version is Rust 1.96, edition 2024, pinned in rust-toolchain.toml. Treat that MSRV as a hard floor; raising it is a version bump.
- Architecture: ARCHITECTURE.md
- Threat model: THREAT_MODEL.md
- Assurance status: ASSURANCE.md
- Security policy: SECURITY.md
- Contribution guide: CONTRIBUTING.md
- Support policy: SUPPORT.md
- Governance: GOVERNANCE.md
- Maintainers: MAINTAINERS.md
- Release process: RELEASING.md
- Changelog: CHANGELOG.md
Licensed under the Apache License, Version 2.0. See LICENSE and NOTICE.