Thanks to visit codestin.com
Credit goes to github.com

Skip to content

crypto/tls: support RA-TLS challenge extension in ClientHello#77714

Draft
bfoing wants to merge 1 commit intogolang:release-branch.go1.25from
Privasys:ratls
Draft

crypto/tls: support RA-TLS challenge extension in ClientHello#77714
bfoing wants to merge 1 commit intogolang:release-branch.go1.25from
Privasys:ratls

Conversation

@bfoing
Copy link

@bfoing bfoing commented Feb 20, 2026

⚠️ Not ready

This PR should only be considered once the real IANA value is assigned for the RA-TLS extension. See the TODO comment on extensionRATLS in src/crypto/tls/common.go

I open it so that early adopters of RA-TLS can look at / use the fork in the mean time.

Summary

This adds server-side support for the Remote Attestation TLS (RA-TLS) challenge extension, as defined in the RFC-9334.

When a TLS client includes the RA-TLS extension in its ClientHello, the server can read the challenge bytes and use them to generate a platform-specific attestation evidence (e.g. an Intel TDX) that is bound to the TLS handshake.

Changes

File Change
src/crypto/tls/common.go Added extensionRATLS constant (0xffbb) and RATLSChallenge []byte field to ClientHelloInfo
src/crypto/tls/handshake_messages.go Added raTLSChallenge field to clientHelloMsg and unmarshal logic with 8–64 byte length validation
src/crypto/tls/handshake_server.go Propagated raTLSChallenge from clientHelloMsg into ClientHelloInfo
src/crypto/tls/handshake_messages_test.go Added TestRATLSChallengeExtension (8 subtests)

Design decisions

  • Server-side only (unmarshal, no marshal): The Go TLS client does not
    need to send this extension; it is consumed by the server to produce
    attestation evidence via GetConfigForClient or GetCertificate callbacks.
  • Length validation: The challenge must be 8–64 bytes. Empty or
    out-of-range payloads are rejected during unmarshal (handshake fails).
  • Extension code 0xffbb: Temporary private-use value. Will be
    replaced with the IANA-assigned code once the draft is finalized.
  • Optional: When the extension is absent, ClientHelloInfo.RATLSChallenge
    is nil and the handshake proceeds normally.

Test coverage

TestRATLSChallengeExtension covers:

  • Valid challenges at boundary sizes (8, 32, 64 bytes)
  • Rejection of undersized (0, 7 bytes) and oversized (65 bytes) payloads
  • ClientHello with no RA-TLS extension (field stays nil)
  • End-to-end propagation into ClientHelloInfo.RATLSChallenge

References

@bfoing
crypto/tls: add RA-TLS challenge extension support
1de8bde 
Parse the RA-TLS challenge from the ClientHello extensions
(extension code temporarily set to 0xffbb) and expose it via
ClientHelloInfo.RATLSChallenge, allowing server-side callbacks
(GetConfigForClient, GetCertificate) to access the attestation
challenge during the TLS handshake.

The extension is optional and server-side only (unmarshal only, no
marshal). The challenge payload is validated to be between 8 and 64
bytes; malformed or out-of-range values cause the handshake to fail.

Concept: https://www.rfc-editor.org/rfc/rfc9334.html
@google-cla
Copy link

google-cla bot commented Feb 20, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@bfoing bfoing changed the base branch from master to release-branch.go1.25 February 20, 2026 14:50
@bfoing bfoing marked this pull request as draft February 20, 2026 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bfoing