From c476c8b3c902fcc9b2697b1defa00e87ed738360 Mon Sep 17 00:00:00 2001
From: Jiaqi Gao
Date: Wed, 4 Feb 2026 16:08:18 +0800
Subject: [PATCH] migtd: extract peer cert after tls handshake
Signed-off-by: Jiaqi Gao
---
 src/migtd/src/migration/rebinding.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/migtd/src/migration/rebinding.rs b/src/migtd/src/migration/rebinding.rs
index 73b000ab..e448adfa 100644
--- a/src/migtd/src/migration/rebinding.rs
+++ b/src/migtd/src/migration/rebinding.rs
@@ -668,12 +668,13 @@ async fn rebinding_new_prepare(
 MigrationResult::SecureSessionError
 })?;
- let servtd_ext = get_servtd_ext_from_cert(&ratls_server.peer_certs())?;
 let rebind_token = tls_receive_rebind_token(&mut ratls_server).await?;
 if rebind_token.target_td_uuid != info.target_td_uuid {
 return Err(MigrationResult::InvalidParameter);
 }
+ // The TLS session is established; we can now extract servtd_ext from the peer certificates.
+ let servtd_ext = get_servtd_ext_from_cert(&ratls_server.peer_certs())?;
 write_rebinding_session_token(&rebind_token.token)?;
 write_servtd_rebind_attr(&servtd_ext.cur_servtd_attr)?;
 write_approved_servtd_ext_hash(&servtd_ext.calculate_approved_servtd_ext_hash()?)?;
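Review bot: The new comment on the moved `get_servtd_ext_from_cert` call says the session is established but not what establishes it, so the ordering constraint is still easy to break in a later refactor. From the hunk it appears that the handshake only completes during `tls_receive_rebind_token`, which would explain why `peer_certs()` was not usable one line earlier; if that is right, say so, e.g. `// peer_certs() is populated only once the handshake has completed, which the first read in tls_receive_rebind_token drives; keep this call after it.` The same comment could note that nothing from the session is persisted until both the `target_td_uuid` check and the cert extraction have succeeded, since the three `write_*` calls rely on that order. The body of `rebinding_new_prepare` starts and ends outside the hunk, so any other use of `peer_certs()` in it cannot be checked from here.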