2 * Copyright (c) 2007-2010,2012-2015 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecTrustStoreServer.c - CertificateSource API to a system root certificate store
27 #include "SecTrustStoreServer.h"
29 #include <Security/SecCertificateInternal.h>
30 #include <Security/SecFramework.h>
33 #include <dispatch/dispatch.h>
38 #include <sys/param.h>
41 #include <CoreFoundation/CFData.h>
42 #include <CoreFoundation/CFPropertyList.h>
43 #include <CoreFoundation/CFURL.h>
44 #include <AssertMacros.h>
45 #include <utilities/debugging.h>
46 #include "SecBasePriv.h"
47 #include <Security/SecInternal.h>
48 #include <ipc/securityd_client.h>
49 #include <securityd/SecTrustStoreServer.h>
50 #include "utilities/sqlutils.h"
51 #include "utilities/SecDb.h"
52 #include <utilities/SecCFError.h>
53 #include "utilities/SecFileLocations.h"
54 #include <utilities/SecDispatchRelease.h>
55 #include <securityd/SecTrustLoggingServer.h>
57 /* uid of the _securityd user. */
58 #define SECURTYD_UID 64
60 static dispatch_once_t kSecTrustStoreUserOnce
;
61 static SecTrustStoreRef kSecTrustStoreUser
= NULL
;
63 static const char copyParentsSQL
[] = "SELECT data FROM tsettings WHERE subj=?";
64 static const char containsSQL
[] = "SELECT tset FROM tsettings WHERE sha1=?";
65 static const char insertSQL
[] = "INSERT OR REPLACE INTO tsettings(sha1,subj,tset,data)VALUES(?,?,?,?)";
66 static const char deleteSQL
[] = "DELETE FROM tsettings WHERE sha1=?";
67 static const char deleteAllSQL
[] = "BEGIN EXCLUSIVE TRANSACTION; DELETE from tsettings; COMMIT TRANSACTION; VACUUM;";
68 static const char copyAllSQL
[] = "SELECT data,tset FROM tsettings ORDER BY sha1";
69 static const char countAllSQL
[] = "SELECT COUNT(*) FROM tsettings";
71 #define kSecTrustStoreName CFSTR("TrustStore")
72 #define kSecTrustStoreDbExtension CFSTR("sqlite3")
74 #define kTrustStoreFileName CFSTR("TrustStore.sqlite3")
77 struct __SecTrustStore
{
78 dispatch_queue_t queue
;
80 sqlite3_stmt
*copyParents
;
81 sqlite3_stmt
*contains
;
83 bool containsSettings
; // For optimization of high-use calls.
86 static int sec_create_path(const char *path
)
88 char pathbuf
[PATH_MAX
];
89 size_t pos
, len
= strlen(path
);
90 if (len
== 0 || len
> PATH_MAX
)
91 return SQLITE_CANTOPEN
;
92 memcpy(pathbuf
, path
, len
);
93 for (pos
= len
-1; pos
> 0; --pos
)
95 /* Search backwards for trailing '/'. */
96 if (pathbuf
[pos
] == '/')
99 /* Attempt to create parent directories of the database. */
100 if (!mkdir(pathbuf
, 0777))
108 return SQLITE_CANTOPEN
;
110 return SQLITE_READONLY
;
113 if (err
== ENOSPC
|| err
== EDQUOT
)
118 /* EFAULT || ELOOP | ENAMETOOLONG || something else */
119 return SQLITE_INTERNAL
;
126 static int sec_sqlite3_open(const char *db_name
, sqlite3
**s3h
,
130 s3e
= sqlite3_open(db_name
, s3h
);
131 if (s3e
== SQLITE_CANTOPEN
&& create_path
) {
132 /* Make sure the path to db_name exists and is writable, then
134 s3e
= sec_create_path(db_name
);
136 s3e
= sqlite3_open(db_name
, s3h
);
142 static int64_t SecTrustStoreCountAll(SecTrustStoreRef ts
) {
143 __block
int64_t result
= -1;
144 require_quiet(ts
, errOutNotLocked
);
145 dispatch_sync(ts
->queue
, ^{
146 sqlite3_stmt
*countAllStmt
= NULL
;
147 int s3e
= sqlite3_prepare_v2(ts
->s3h
, countAllSQL
, sizeof(countAllSQL
),
148 &countAllStmt
, NULL
);
149 if (s3e
== SQLITE_OK
) {
150 s3e
= sqlite3_step(countAllStmt
);
151 if (s3e
== SQLITE_ROW
) {
152 result
= sqlite3_column_int64(countAllStmt
, 0);
157 verify_noerr(sqlite3_finalize(countAllStmt
));
165 static SecTrustStoreRef
SecTrustStoreCreate(const char *db_name
,
170 require(ts
= (SecTrustStoreRef
)malloc(sizeof(struct __SecTrustStore
)), errOut
);
171 ts
->queue
= dispatch_queue_create("truststore", DISPATCH_QUEUE_SERIAL
);
172 require_noerr(s3e
= sec_sqlite3_open(db_name
, &ts
->s3h
, create
), errOut
);
174 s3e
= sqlite3_prepare_v3(ts
->s3h
, copyParentsSQL
, sizeof(copyParentsSQL
),
175 SQLITE_PREPARE_PERSISTENT
, &ts
->copyParents
, NULL
);
176 if (create
&& s3e
== SQLITE_ERROR
) {
177 /* sqlite3_prepare returns SQLITE_ERROR if the table we are
178 compiling this statement for doesn't exist. */
180 s3e
= sqlite3_exec(ts
->s3h
,
181 "CREATE TABLE tsettings("
182 "sha1 BLOB NOT NULL DEFAULT '',"
183 "subj BLOB NOT NULL DEFAULT '',"
188 "CREATE INDEX isubj ON tsettings(subj);"
189 , NULL
, NULL
, &errmsg
);
191 secwarning("CREATE TABLE cert: %s", errmsg
);
192 sqlite3_free(errmsg
);
194 require_noerr(s3e
, errOut
);
195 s3e
= sqlite3_prepare_v3(ts
->s3h
, copyParentsSQL
, sizeof(copyParentsSQL
),
196 SQLITE_PREPARE_PERSISTENT
, &ts
->copyParents
, NULL
);
198 require_noerr(s3e
, errOut
);
199 require_noerr(s3e
= sqlite3_prepare_v3(ts
->s3h
, containsSQL
, sizeof(containsSQL
), SQLITE_PREPARE_PERSISTENT
,
200 &ts
->contains
, NULL
), errOut
);
202 if (SecTrustStoreCountAll(ts
) == 0) {
203 ts
->containsSettings
= false;
205 /* In the error case where SecTrustStoreCountAll returns a negative result,
206 * we'll pretend there are contents in the trust store so that we still do
208 ts
->containsSettings
= true;
215 sqlite3_close(ts
->s3h
);
216 dispatch_release_safe(ts
->queue
);
219 secerror("Failed to create trust store database: %d", s3e
);
220 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationCreate
, TAFatalError
, s3e
);
225 static bool SecExtractFilesystemPathForKeychainFile(CFStringRef file
, UInt8
*buffer
, CFIndex maxBufLen
)
227 bool translated
= false;
228 CFURLRef fileURL
= SecCopyURLForFileInKeychainDirectory(file
);
230 if (fileURL
&& CFURLGetFileSystemRepresentation(fileURL
, false, buffer
, maxBufLen
))
232 CFReleaseSafe(fileURL
);
237 static void SecTrustStoreInitUser(void) {
238 const char path
[MAXPATHLEN
];
240 if (SecExtractFilesystemPathForKeychainFile(kTrustStoreFileName
, (UInt8
*) path
, (CFIndex
) sizeof(path
)))
242 kSecTrustStoreUser
= SecTrustStoreCreate(path
, true);
243 if (kSecTrustStoreUser
)
244 kSecTrustStoreUser
->readOnly
= false;
248 /* AUDIT[securityd](done):
249 domainName (ok) is a caller provided string of any length (might be 0), only
250 its cf type has been checked.
252 SecTrustStoreRef
SecTrustStoreForDomainName(CFStringRef domainName
, CFErrorRef
*error
) {
253 if (CFEqual(CFSTR("user"), domainName
)) {
254 dispatch_once(&kSecTrustStoreUserOnce
, ^{ SecTrustStoreInitUser(); });
255 return kSecTrustStoreUser
;
257 SecError(errSecParam
, error
, CFSTR("unknown domain: %@"), domainName
);
262 /* AUDIT[securityd](done):
263 ts (ok) might be NULL.
264 certificate (ok) is a valid SecCertificateRef.
265 trustSettingsDictOrArray (checked by CFPropertyListCreateXMLData) is either
266 NULL, a dictionary or an array, but its contents have not been checked.
268 bool _SecTrustStoreSetTrustSettings(SecTrustStoreRef ts
,
269 SecCertificateRef certificate
,
270 CFTypeRef tsdoa
, CFErrorRef
*error
) {
272 require_action_quiet(ts
, errOutNotLocked
, ok
= SecError(errSecParam
, error
, CFSTR("truststore is NULL")));
273 require_action_quiet(!ts
->readOnly
, errOutNotLocked
, ok
= SecError(errSecReadOnly
, error
, CFSTR("truststore is readOnly")));
274 dispatch_sync(ts
->queue
, ^{
275 CFTypeRef trustSettingsDictOrArray
= tsdoa
;
276 sqlite3_stmt
*insert
= NULL
;
277 CFDataRef xmlData
= NULL
;
278 CFArrayRef array
= NULL
;
281 require_action_quiet(subject
= SecCertificateGetNormalizedSubjectContent(certificate
),
282 errOut
, ok
= SecError(errSecParam
, error
, CFSTR("get normalized subject failed")));
284 require_action_quiet(digest
= SecCertificateGetSHA1Digest(certificate
), errOut
, ok
= SecError(errSecParam
, error
, CFSTR("get sha1 digest failed")));
286 /* Do some basic checks on the trust settings passed in. */
287 if (trustSettingsDictOrArray
== NULL
) {
288 require_action_quiet(array
= CFArrayCreate(NULL
, NULL
, 0, &kCFTypeArrayCallBacks
), errOut
, ok
= SecError(errSecAllocate
, error
, CFSTR("CFArrayCreate failed")));
289 trustSettingsDictOrArray
= array
;
291 else if(CFGetTypeID(trustSettingsDictOrArray
) == CFDictionaryGetTypeID()) {
293 array
= CFArrayCreate(NULL
, &trustSettingsDictOrArray
, 1,
294 &kCFTypeArrayCallBacks
);
295 trustSettingsDictOrArray
= array
;
298 require_action_quiet(CFGetTypeID(trustSettingsDictOrArray
) == CFArrayGetTypeID(), errOut
, ok
= SecError(errSecParam
, error
, CFSTR("trustSettingsDictOrArray neither dict nor array")));
301 require_action_quiet(xmlData
= CFPropertyListCreateXMLData(kCFAllocatorDefault
,
302 trustSettingsDictOrArray
), errOut
, ok
= SecError(errSecParam
, error
, CFSTR("xml encode failed")));
304 int s3e
= sqlite3_exec(ts
->s3h
, "BEGIN EXCLUSIVE TRANSACTION", NULL
, NULL
, NULL
);
305 require_action_quiet(s3e
== SQLITE_OK
, errOut
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
307 /* Parameter order is sha1,subj,tset,data. */
308 require_noerr_action_quiet(s3e
= sqlite3_prepare_v2(ts
->s3h
, insertSQL
, sizeof(insertSQL
),
309 &insert
, NULL
), errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
310 require_noerr_action_quiet(s3e
= sqlite3_bind_blob_wrapper(insert
, 1,
311 CFDataGetBytePtr(digest
), CFDataGetLength(digest
), SQLITE_STATIC
),
312 errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
313 require_noerr_action_quiet(s3e
= sqlite3_bind_blob_wrapper(insert
, 2,
314 CFDataGetBytePtr(subject
), CFDataGetLength(subject
),
315 SQLITE_STATIC
), errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
316 require_noerr_action_quiet(s3e
= sqlite3_bind_blob_wrapper(insert
, 3,
317 CFDataGetBytePtr(xmlData
), CFDataGetLength(xmlData
),
318 SQLITE_STATIC
), errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
319 require_noerr_action_quiet(s3e
= sqlite3_bind_blob_wrapper(insert
, 4,
320 SecCertificateGetBytePtr(certificate
),
321 SecCertificateGetLength(certificate
), SQLITE_STATIC
), errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
322 s3e
= sqlite3_step(insert
);
323 if (s3e
== SQLITE_DONE
) {
324 /* Great the insert worked. */
326 ts
->containsSettings
= true;
328 require_noerr_action_quiet(s3e
, errOutSql
, ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
));
334 s3e
= sqlite3_finalize(insert
);
337 if (ok
&& s3e
== SQLITE_OK
) {
338 s3e
= sqlite3_exec(ts
->s3h
, "COMMIT TRANSACTION", NULL
, NULL
, NULL
);
341 if (!ok
|| s3e
!= SQLITE_OK
) {
342 secerror("Failed to update trust store: (%d) %@", s3e
, error
? *error
: NULL
);
343 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationWrite
, TAFatalError
, s3e
);
344 sqlite3_exec(ts
->s3h
, "ROLLBACK TRANSACTION", NULL
, NULL
, NULL
);
346 ok
= SecError(errSecInternal
, error
, CFSTR("sqlite3 error: %d"), s3e
);
351 CFReleaseSafe(xmlData
);
352 CFReleaseSafe(array
);
358 /* AUDIT[securityd](done):
359 ts (ok) might be NULL.
360 digest (ok) is a data of any length (might be 0).
362 bool SecTrustStoreRemoveCertificateWithDigest(SecTrustStoreRef ts
,
363 CFDataRef digest
, CFErrorRef
*error
) {
364 require_quiet(ts
, errOutNotLocked
);
365 require(!ts
->readOnly
, errOutNotLocked
);
366 dispatch_sync(ts
->queue
, ^{
368 sqlite3_stmt
*deleteStmt
= NULL
;
370 require_noerr(s3e
= sqlite3_prepare_v2(ts
->s3h
, deleteSQL
, sizeof(deleteSQL
),
371 &deleteStmt
, NULL
), errOut
);
372 require_noerr(s3e
= sqlite3_bind_blob_wrapper(deleteStmt
, 1,
373 CFDataGetBytePtr(digest
), CFDataGetLength(digest
), SQLITE_STATIC
),
375 s3e
= sqlite3_step(deleteStmt
);
379 verify_noerr(sqlite3_finalize(deleteStmt
));
381 if (s3e
!= SQLITE_OK
&& s3e
!= SQLITE_DONE
) {
382 secerror("Removal of certificate from trust store failed: %d", s3e
);
383 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationWrite
, TAFatalError
, s3e
);
390 bool _SecTrustStoreRemoveAll(SecTrustStoreRef ts
, CFErrorRef
*error
)
392 __block
bool removed_all
= false;
393 require(ts
, errOutNotLocked
);
394 require(!ts
->readOnly
, errOutNotLocked
);
395 dispatch_sync(ts
->queue
, ^{
396 int s3e
=sqlite3_exec(ts
->s3h
, deleteAllSQL
, NULL
, NULL
, NULL
);
397 if (s3e
== SQLITE_OK
) {
399 ts
->containsSettings
= false;
401 secerror("Clearing of trust store failed: %d", s3e
);
402 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationWrite
, TAFatalError
, s3e
);
405 /* prepared statements become unusable after deleteAllSQL, reset them */
407 sqlite3_finalize(ts
->copyParents
);
408 sqlite3_prepare_v3(ts
->s3h
, copyParentsSQL
, sizeof(copyParentsSQL
), SQLITE_PREPARE_PERSISTENT
,
409 &ts
->copyParents
, NULL
);
411 sqlite3_finalize(ts
->contains
);
412 sqlite3_prepare_v3(ts
->s3h
, containsSQL
, sizeof(containsSQL
), SQLITE_PREPARE_PERSISTENT
,
413 &ts
->contains
, NULL
);
419 CFArrayRef
SecTrustStoreCopyParents(SecTrustStoreRef ts
,
420 SecCertificateRef certificate
, CFErrorRef
*error
) {
421 __block CFMutableArrayRef parents
= NULL
;
422 require(ts
, errOutNotLocked
);
423 dispatch_sync(ts
->queue
, ^{
425 require_quiet(ts
->containsSettings
, ok
);
427 require(issuer
= SecCertificateGetNormalizedIssuerContent(certificate
),
429 /* @@@ Might have to use SQLITE_TRANSIENT */
430 require_noerr(s3e
= sqlite3_bind_blob_wrapper(ts
->copyParents
, 1,
431 CFDataGetBytePtr(issuer
), CFDataGetLength(issuer
),
432 SQLITE_STATIC
), errOut
);
434 require(parents
= CFArrayCreateMutable(kCFAllocatorDefault
, 0,
435 &kCFTypeArrayCallBacks
), errOut
);
437 s3e
= sqlite3_step(ts
->copyParents
);
438 if (s3e
== SQLITE_ROW
) {
439 SecCertificateRef cert
;
440 require(cert
= SecCertificateCreateWithBytes(kCFAllocatorDefault
,
441 sqlite3_column_blob(ts
->copyParents
, 0),
442 sqlite3_column_bytes(ts
->copyParents
, 0)), errOut
);
443 CFArrayAppendValue(parents
, cert
);
446 require(s3e
== SQLITE_DONE
|| s3e
== SQLITE_OK
, errOut
);
453 secerror("Failed to read parents from trust store: %d", s3e
);
454 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationRead
, TAFatalError
, s3e
);
460 verify_noerr(sqlite3_reset(ts
->copyParents
));
461 verify_noerr(sqlite3_clear_bindings(ts
->copyParents
));
467 static bool SecTrustStoreQueryCertificateWithDigest(SecTrustStoreRef ts
,
468 CFDataRef digest
, bool *contains
, CFArrayRef
*usageConstraints
, CFErrorRef
*error
) {
471 __block
bool ok
= true;
472 require_action_quiet(ts
, errOutNotLocked
, ok
= SecError(errSecParam
, error
, CFSTR("ts is NULL")));
473 dispatch_sync(ts
->queue
, ^{
474 CFDataRef xmlData
= NULL
;
475 CFPropertyListRef trustSettings
= NULL
;
477 require_action_quiet(ts
->containsSettings
, errOut
, ok
= true);
478 require_noerr_action(s3e
= sqlite3_bind_blob_wrapper(ts
->contains
, 1,
479 CFDataGetBytePtr(digest
), CFDataGetLength(digest
), SQLITE_STATIC
),
480 errOut
, ok
= SecDbErrorWithStmt(s3e
, ts
->contains
, error
, CFSTR("sqlite3_bind_blob failed")));
481 s3e
= sqlite3_step(ts
->contains
);
482 if (s3e
== SQLITE_ROW
) {
485 if (usageConstraints
) {
486 require_action(xmlData
= CFDataCreate(NULL
,
487 sqlite3_column_blob(ts
->contains
, 0),
488 sqlite3_column_bytes(ts
->contains
, 0)), errOut
, ok
= false);
489 require_action(trustSettings
= CFPropertyListCreateWithData(NULL
,
491 kCFPropertyListImmutable
,
492 NULL
, error
), errOut
, ok
= false);
493 require_action(CFGetTypeID(trustSettings
) == CFArrayGetTypeID(), errOut
, ok
= false);
494 *usageConstraints
= CFRetain(trustSettings
);
497 require_action(s3e
== SQLITE_DONE
|| s3e
== SQLITE_OK
, errOut
,
498 ok
= SecDbErrorWithStmt(s3e
, ts
->contains
, error
, CFSTR("sqlite3_step failed")));
503 secerror("Failed to query for cert in trust store: %d", s3e
);
504 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationRead
, TAFatalError
, s3e
);
506 verify_noerr(sqlite3_reset(ts
->contains
));
507 verify_noerr(sqlite3_clear_bindings(ts
->contains
));
508 CFReleaseNull(xmlData
);
509 CFReleaseNull(trustSettings
);
515 bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef ts
,
516 CFDataRef digest
, bool *contains
, CFErrorRef
*error
) {
517 return SecTrustStoreQueryCertificateWithDigest(ts
, digest
, contains
, NULL
, error
);
520 bool _SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts
,
521 CFDataRef digest
, CFArrayRef
*usageConstraints
, CFErrorRef
*error
) {
522 return SecTrustStoreQueryCertificateWithDigest(ts
, digest
, NULL
, usageConstraints
, error
);
525 bool _SecTrustStoreCopyAll(SecTrustStoreRef ts
, CFArrayRef
*trustStoreContents
, CFErrorRef
*error
) {
526 __block
bool ok
= true;
527 __block CFMutableArrayRef CertsAndSettings
= NULL
;
528 require_action_quiet(ts
, errOutNotLocked
, ok
= SecError(errSecParam
, error
, CFSTR("ts is NULL")));
529 require_action_quiet(trustStoreContents
, errOutNotLocked
, ok
= SecError(errSecParam
, error
, CFSTR("trustStoreContents is NULL")));
530 dispatch_sync(ts
->queue
, ^{
531 sqlite3_stmt
*copyAllStmt
= NULL
;
532 CFDataRef cert
= NULL
;
533 CFDataRef xmlData
= NULL
;
534 CFPropertyListRef trustSettings
= NULL
;
535 CFArrayRef certSettingsPair
= NULL
;
537 require_noerr(s3e
= sqlite3_prepare_v2(ts
->s3h
, copyAllSQL
, sizeof(copyAllSQL
),
538 ©AllStmt
, NULL
), errOut
);
539 require(CertsAndSettings
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
), errOut
);
541 s3e
= sqlite3_step(copyAllStmt
);
542 if (s3e
== SQLITE_ROW
) {
543 require(cert
= CFDataCreate(kCFAllocatorDefault
,
544 sqlite3_column_blob(copyAllStmt
, 0),
545 sqlite3_column_bytes(copyAllStmt
, 0)), errOut
);
546 require(xmlData
= CFDataCreate(NULL
,
547 sqlite3_column_blob(copyAllStmt
, 1),
548 sqlite3_column_bytes(copyAllStmt
, 1)), errOut
);
549 require(trustSettings
= CFPropertyListCreateWithData(NULL
,
551 kCFPropertyListImmutable
,
552 NULL
, error
), errOut
);
553 const void *pair
[] = { cert
, trustSettings
};
554 require(certSettingsPair
= CFArrayCreate(NULL
, pair
, 2, &kCFTypeArrayCallBacks
), errOut
);
555 CFArrayAppendValue(CertsAndSettings
, certSettingsPair
);
558 CFReleaseNull(xmlData
);
559 CFReleaseNull(trustSettings
);
560 CFReleaseNull(certSettingsPair
);
562 require_action(s3e
== SQLITE_DONE
|| s3e
== SQLITE_OK
, errOut
, ok
= SecDbErrorWithStmt(s3e
, copyAllStmt
, error
, CFSTR("sqlite3_step failed")));
569 secerror("Failed to query for all certs in trust store: %d", s3e
);
570 TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore
, TAOperationRead
, TAFatalError
, s3e
);
572 CFReleaseNull(xmlData
);
573 CFReleaseNull(trustSettings
);
574 CFReleaseNull(certSettingsPair
);
577 verify_noerr(sqlite3_finalize(copyAllStmt
));
579 if (CertsAndSettings
) {
580 *trustStoreContents
= CertsAndSettings
;