chore: code refactoring

MoeMahhouk · MoeMahhouk · commit 6c6ab11382fa · 2025-11-19T16:54:31.000Z
diff --git a/internal/attestation/azure/tdx/issuer.go b/internal/attestation/azure/tdx/issuer.go
@@ -95,40 +95,13 @@ func (i *Issuer) getInstanceInfo(ctx context.Context, tpm io.ReadWriteCloser, _
 		return nil, fmt.Errorf("getting quote: %w", err)
 	}
 
-	// Read the vTPM AK certificate from TPM NV index
-	// This certificate is signed by Azure and needs to be validated on the validator side
-	// If reading fails, we log a warning and continue - the validator will decide if this is critical
-	var cleanCertDER []byte
-	certDERRaw, err := tpm2.NVReadEx(tpm, tpmAkCertIdx, tpm2.HandleOwner, "", 0)
-	if err != nil {
-		i.log.Warn(fmt.Sprintf("Failed to read attestation key certificate from TPM: %v", err))
-	} else {
-		i.log.Debug(fmt.Sprintf("Read %d bytes from TPM AK cert index", len(certDERRaw)))
-
-		// The TPM NV index contains trailing data. We need to extract just the certificate.
-		// X.509 DER certificates start with 0x30 (SEQUENCE) followed by length encoding
-		cleanCertDER, err = extractDERCertificate(certDERRaw)
-		if err != nil {
-			i.log.Warn(fmt.Sprintf("Failed to extract certificate from TPM data: %v", err))
-			cleanCertDER = nil
-		} else {
-			i.log.Debug(fmt.Sprintf("Extracted %d bytes certificate from %d bytes TPM data", len(cleanCertDER), len(certDERRaw)))
-
-			// Verify we can parse the extracted certificate
-			_, err = x509.ParseCertificate(cleanCertDER)
-			if err != nil {
-				i.log.Warn(fmt.Sprintf("Failed to parse extracted attestation key certificate: %v", err))
-				cleanCertDER = nil
-			} else {
-				i.log.Debug("Successfully extracted and validated AK certificate format")
-			}
-		}
-	}
+	// Read and extract the vTPM AK certificate (returns nil on failure with warnings logged)
+	akCert := i.readAKCertificateFromTPM(tpm)
 
 	instanceInfo := InstanceInfo{
 		AttestationReport: quote,
 		RuntimeData:       runtimeData,
-		AkCert:            cleanCertDER, // Use the clean certificate
+		AkCert:            akCert, // Use the clean certificate
 	}
 	instanceInfoJSON, err := json.Marshal(instanceInfo)
 	if err != nil {
@@ -137,6 +110,38 @@ func (i *Issuer) getInstanceInfo(ctx context.Context, tpm io.ReadWriteCloser, _
 	return instanceInfoJSON, nil
 }
 
+// readAKCertificateFromTPM reads and extracts the attestation key certificate from TPM.
+// Returns the clean DER-encoded certificate, or nil if reading/extraction fails.
+// Failures are logged as warnings since AK cert verification is optional.
+func (i *Issuer) readAKCertificateFromTPM(tpm io.ReadWriteCloser) []byte {
+	certDERRaw, err := tpm2.NVReadEx(tpm, tpmAkCertIdx, tpm2.HandleOwner, "", 0)
+	if err != nil {
+		i.log.Warn(fmt.Sprintf("Failed to read attestation key certificate from TPM: %v", err))
+		return nil
+	}
+
+	i.log.Debug(fmt.Sprintf("Read %d bytes from TPM AK cert index", len(certDERRaw)))
+
+	// The TPM NV index contains trailing data. We need to extract just the certificate.
+	// X.509 DER certificates start with 0x30 (SEQUENCE) followed by length encoding
+	cleanCertDER, err := extractDERCertificate(certDERRaw)
+	if err != nil {
+		i.log.Warn(fmt.Sprintf("Failed to extract certificate from TPM data: %v", err))
+		return nil
+	}
+
+	i.log.Debug(fmt.Sprintf("Extracted %d bytes certificate from %d bytes TPM data", len(cleanCertDER), len(certDERRaw)))
+
+	// Verify we can parse the extracted certificate
+	_, err = x509.ParseCertificate(cleanCertDER)
+	if err != nil {
+		i.log.Warn(fmt.Sprintf("Failed to parse extracted attestation key certificate: %v", err))
+		return nil
+	}
+
+	return cleanCertDER
+}
+
 // extractDERCertificate extracts a clean X.509 DER certificate from raw TPM data.
 // The TPM NV index may contain trailing data, so this function parses the DER
 // structure to extract exactly the certificate bytes.
