Posts

Post not yet marked as solved
0 Replies
1.4k Views
Hello,

I'm generating an RSA keypair using the "SecKeyGeneratePair" method with access control flags (kSecAccessControlTouchIDCurrentSet), and when I try to access the private key through the "SecItemCopyMatching" method, I get a TouchID/FaceID prompt.

1. If the user gives the wrong finger at the TouchID prompt, we get the status -25293. This is expected, as the user gave a wrong fingerprint. errSecAuthFailed = -25293, /* The user name or passphrase you entered is not correct. */

2. If the user has locked out Touch ID with the maximum number of failed attempts, the TouchID prompt does not show up when I call "SecItemCopyMatching". It just fails with the same -25293 status as above.

My question is, how can we differentiate between the 1st and 2nd scenario? In the first case, as the TouchID prompt appears, it's evident from the TouchID prompt messages, and we can handle the error status. Is there any way to know about the TouchID lockout scenario when we use access control for Keychain items? When we use the LocalAuthentication framework, we get the status "LAErrorAuthenticationFailed" for the 1st scenario and "LAErrorBiometryLockout" for the 2nd.
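One way to tell the two cases apart, as an added example that is not from the original post: ask LocalAuthentication whether biometry is currently usable before querying the Keychain, and pass that same LAContext into the query so a later -25293 can only mean the user failed the prompt. The application tag and the prompt string are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

typedef NS_ENUM(NSInteger, PrivateKeyAccessResult) {
    PrivateKeyAccessOK,
    PrivateKeyAccessUserFailed,     // prompt shown, wrong finger/face or cancelled
    PrivateKeyAccessBiometryLocked, // Touch ID / Face ID locked out, no prompt possible
    PrivateKeyAccessOtherError
};

// Assumed tag; the post's own code uses a `privateTag` variable whose value is not shown.
static NSString * const kPrivateTag = @"com.example.keys.private";

PrivateKeyAccessResult CopyPrivateKeyWithLockoutCheck(SecKeyRef *outKey, NSError **outError) {
    // Step 1: LocalAuthentication reports lockout explicitly, unlike SecItemCopyMatching.
    LAContext *context = [[LAContext alloc] init];
    NSError *laError = nil;
    if (![context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&laError]) {
        if (outError) *outError = laError;
        return (laError.code == LAErrorBiometryLockout) ? PrivateKeyAccessBiometryLocked
                                                        : PrivateKeyAccessOtherError;
    }

    // Step 2: query the Keychain with the same context, so the prompt is bound to it.
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassKey,
        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeRSA,
        (__bridge id)kSecAttrApplicationTag: [kPrivateTag dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecReturnRef: @YES,
        (__bridge id)kSecUseAuthenticationContext: context,
        (__bridge id)kSecUseOperationPrompt: @"Unlock the signing key",
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecSuccess) {
        *outKey = (SecKeyRef)result;
        return PrivateKeyAccessOK;
    }
    if (outError) {
        *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    }
    // Lockout was ruled out above, so errSecAuthFailed (-25293) here is a genuine failed prompt.
    return (status == errSecAuthFailed) ? PrivateKeyAccessUserFailed : PrivateKeyAccessOtherError;
}
```

Because the lockout check happens before the Keychain call, the caller can show a "use passcode" path for PrivateKeyAccessBiometryLocked instead of treating every -25293 as a bad fingerprint.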
Post not yet marked as solved
6 Replies
2.4k Views
I'm trying to generate an RSA private-public (kSecAttrKeyTypeRSA) keypair with access control. The code below works fine when I just set "kSecAccessControlTouchIDCurrentSet" in the access control flags. Private and public keys are generated, and when I try to access the private key, I get the TouchID/FaceID prompt when I call "SecItemCopyMatching". This works fine. But if I set "kSecAccessControlPrivateKeyUsage" or "kSecAccessControlTouchIDCurrentSet | kSecAccessControlPrivateKeyUsage", SecKeyGeneratePair returns "-25293". I am not using the Secure Enclave option as I want to generate RSA keys. Can you please let me know the importance of "kSecAccessControlPrivateKeyUsage" while setting access control, and when it should be used? Does it not work for RSA keys?

    SecAccessControlRef sacRef;
    CFErrorRef err = NULL;
    // Gets our Security Access Control ref for user presence policy (requires user AuthN)
    sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                             kSecAccessControlTouchIDCurrentSet | kSecAccessControlPrivateKeyUsage,
                                             &err);

    // Application tags identifying the two keys (placeholder values; not shown in the original post)
    NSData *privateTag = [@"com.example.keys.private" dataUsingEncoding:NSUTF8StringEncoding];
    NSData *publicTag  = [@"com.example.keys.public" dataUsingEncoding:NSUTF8StringEncoding];

    NSMutableDictionary *privateKeyAttr = [[NSMutableDictionary alloc] init];
    NSMutableDictionary *publicKeyAttr  = [[NSMutableDictionary alloc] init];
    NSMutableDictionary *keyPairAttr    = [[NSMutableDictionary alloc] init];

    // Set top level dictionary for the keypair.
    [keyPairAttr setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
    [keyPairAttr setObject:[NSNumber numberWithUnsignedInteger:2048] forKey:(__bridge id)kSecAttrKeySizeInBits];
    [keyPairAttr setObject:(__bridge id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly forKey:(__bridge id)kSecAttrAccessible];

    // Set the private key dictionary.
    [privateKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent];
    [privateKeyAttr setObject:privateTag forKey:(__bridge id)kSecAttrApplicationTag];
    [privateKeyAttr setObject:(__bridge_transfer id)sacRef forKey:(__bridge id)kSecAttrAccessControl];

    // Set the public key dictionary.
    [publicKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent];
    [publicKeyAttr setObject:publicTag forKey:(__bridge id)kSecAttrApplicationTag];

    // Set attributes to top level dictionary.
    [keyPairAttr setObject:privateKeyAttr forKey:(__bridge id)kSecPrivateKeyAttrs];
    [keyPairAttr setObject:publicKeyAttr forKey:(__bridge id)kSecPublicKeyAttrs];

    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        OSStatus sanityCheck = noErr;
        SecKeyRef publicKey = NULL;
        SecKeyRef privateKey = NULL;
        sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef)keyPairAttr, &publicKey, &privateKey);
        // Returns -25293 when kSecAccessControlPrivateKeyUsage is part of the flags.
        NSLog(@"SecKeyGeneratePair status: %d", (int)sanityCheck);
        if (publicKey) CFRelease(publicKey);
        if (privateKey) CFRelease(privateKey);
    });