Skip to content
/ roughenough Public

A Roughtime secure time sync client and server written in Rust

int08h.com/post/roughenough-a-rust-roughtime-server/

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT
141 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

int08h/roughenough

BranchesTags

Repository files navigation

Roughtime

Build Status License

Roughenough is an implementation of the IETF Roughtime secure time synchronization protocol. Roughenough provides both server and client components for cryptographically verifiable time synchronization.

Features

  • RFC Compliant: Full implementation of the Roughtime RFC specification
  • High Performance Server: Performance oriented asynchronous UDP server
  • Flexible Client: Command-line client with multiple output formats and server validation
  • Malfeasance Reporting: Clients can (optionally) report malfeasance to a remote server for analysis
  • Key Management: Multiple backends for secure key and identity protection (KMS, Secret Manager, Linux KRS, SSH agent, PKCS#11)

Quick Start

System Requirements

  • MSRV 1.88, Rust 2024 edition
  • Linux, MacOS, or other Unix-like operating system
  • Optional: cloud provider credentials for backend key storage

Installation

Build all components:

cargo build --release

Build with all optional features:

# Enable all optional features
cargo build --release --all-features

Running the Server

# Debug build
cargo run --bin roughenough_server

# Release build with optimizations
cargo run --release --bin roughenough_server

# Run the server binary directly
target/release/roughenough_server

The server will start listening for UDP requests on the default port (2002).

Running the Client

Basic usage:

# Query a Roughtime server
cargo run --bin roughenough_client -- roughtime.int08h.com 2002

# Verify server public key
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -k <base64-or-hex-key>

# Multiple requests
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -n 10

# Verbose output
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -v

# Different time formats
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 --epoch  # Unix timestamp
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 --zulu   # ISO 8601 UTC

Query multiple servers from an RFC compliant JSON list:

cargo run --bin roughenough_client -- -l servers.json

Running Tests

# Run all tests
cargo test

# Run tests for specific crate
cargo test -p protocol

# Run integration tests
target/debug/roughenough_integration_test

Project Structure

Roughtime is structured as a Cargo workspace with multiple crates:

  • protocol: Core wire format handling, request/response types, data structures
  • merkle: Merkle tree implementation with Roughtime-specific tweaks
  • server: High-performance UDP server with async I/O and batching
  • client: Command-line client for querying Roughtime servers
  • common: Shared cryptography and encoding utilities
  • keys: Key material handling with multiple secure storage backends
  • reporting-server: Web server for collecting malfeasance reports
  • integration: End-to-end integration tests
  • fuzz: Fuzzing harness

Optional Features

Client Features

  • reporting: Enable clients to report malfeasance to a remote server 
    cargo build -p client --features reporting
cargo run --bin roughenough_client -- hostname.com 2002 --report

Keys Crate Features

See doc/PROTECTION.md for detailed information on seed protection strategies.

Runtime Protection (Online Key Backends)

  • online-linux-krs (default): Store seed in Linux Kernel Keyring for runtime protection
  • online-ssh-agent Use SSH agent for seed storage and signing operations
  • online-pkcs11 PKCS#11 hardware security module integration (Yubikey, HSM, etc)

Long-term Protection (Seed Storage)

  • longterm-aws-kms AWS Key Management Service for seed encryption
  • longterm-gcp-kms Google Cloud KMS for seed encryption
  • longterm-aws-secret-manager AWS Secrets Manager for seed storage
  • longterm-gcp-secret-manager Google Cloud Secret Manager for seed storage

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Thank you to all past and present contributors:

  • Stuart Stock (stuart {at} int08h.com)
  • Aaron Hill (aa1ronham {at} gmail.com)
  • Peter Todd (pete {at} petertodd.org)
  • Muncan90 (github.com/muncan90)
  • Zicklag (github.com/zicklag)
  • Greg at Unrelenting Tech (github.com/unrelentingtech)
  • Eric Swanson (github.com/lachesis)
  • Marcus Dansarie (github.com/dansarie)

License

Copyright (c) 2025 the Roughenough Project Contributors.

Roughenough is licensed under either of

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

About

A Roughtime secure time sync client and server written in Rust

int08h.com/post/roughenough-a-rust-roughtime-server/

Topics

rust roughtime rust-library time-sync

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT

Contributing

Contributing

Security policy

Security policy
Activity

Stars

141 stars

Watchers

5 watching

Forks

21 forks
Report repository

Releases 26

2.0.0-draft14 Latest
Oct 21, 2025
+ 25 releases

Packages

No packages published

Contributors 10

Languages