
Post not yet marked as solved
6 Replies
Thank you, Eskimo! So, kSecAccessControlPrivateKeyUsage is supposed to be used only for Secure Enclave items. I somehow missed this and was thinking of using it for an RSA key, which can't be used in the Secure Enclave at all.
Hi Eskimo,

Just updating the keyType to kSecAttrKeyTypeEC or kSecAttrKeyTypeECSECPrimeRandom still gives the error (-25293). But if I update both the keyType and kSecAttrTokenID (kSecAttrTokenIDSecureEnclave), the code works fine. Below is the snippet:

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

CFErrorRef error = NULL;

// Access control: passcode must be set, current biometric set, private-key usage.
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDCurrentSet | kSecAccessControlPrivateKeyUsage,
    &error);

// Create parameters dictionary for key generation.
NSDictionary *parameters = @{
    //(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
    (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
    (id)kSecAttrKeySizeInBits: @256,
    (id)kSecAttrLabel: @"my-se-key",
    (id)kSecPrivateKeyAttrs: @{
        (id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
        (id)kSecAttrIsPermanent: @YES,
    }
};

// Generate the key in the Secure Enclave; on failure `error` is set (e.g. -25293).
SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)parameters, &error);
```

I believe "kSecAccessControlPrivateKeyUsage" only works with the TokenID set to "kSecAttrTokenIDSecureEnclave".

So, in my use case of an RSA key pair, I'm generating the key pair, which is stored in the keychain, and when I try to access the key I get the Touch ID / Face ID prompt since I'm using the access control flag "kSecAccessControlTouchIDCurrentSet".

What actually is "kSecAccessControlPrivateKeyUsage" for? And even if it works only with the Secure Enclave, why should we set that value?
Hello Eskimo,

1. It's for iOS.
2. I did try out using SecKeyCreateRandomKey. But that gives the same -25293 status if I try it in combination with "kSecAccessControlPrivateKeyUsage" in the access control flags. But if I remove this access control flag, the code works fine and generates the private key. Again, I'm trying to generate RSA keys (so the key type is kSecAttrKeyTypeRSA), so I can't be using the option of kSecAttrTokenIDSecureEnclave.

1. My question was to know the significance of "kSecAccessControlPrivateKeyUsage" in the access control flags, and whether it should be set only when we use the Secure Enclave, as clearly it isn't working for RSA keys? I didn't find any documentation on it.
2. With just setting the access control flag to kSecAccessControlTouchIDCurrentSet, I'm able to generate the private key, and when I try to access the key through SecItemCopyMatching, I see the Touch ID / Face ID prompt. So, what additional advantage/security does setting the access control as below (kSecAccessControlTouchIDCurrentSet | kSecAccessControlPrivateKeyUsage) give?

```objective-c
sacObject = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlTouchIDCurrentSet | kSecAccessControlPrivateKeyUsage,
    &error);
```

3. You recommended using SecKeyCreateRandomKey over "SecKeyGeneratePair". I get that using it is a lot simpler than SecKeyGeneratePair. In my use case, I already have code for SecKeyGeneratePair and I'm just trying to protect the keys with access control so that the user will be prompted for biometrics when we try to access the key. Based on the documentation for "SecKeyGeneratePair", it just talks about "kSecAttrIsPermanent", which isn't respected on macOS. As I want to store the key in the keychain, I believe the behavior is the same on iOS, macOS, tvOS and watchOS. Apart from this, what other advantages does using SecKeyCreateRandomKey provide? Is SecKeyGeneratePair any weaker with respect to security?

NOTE: The function always saves keys in the keychain on macOS and as such attribute kSecAttrIsPermanent is ignored. The function respects attribute kSecAttrIsPermanent on iOS, tvOS and watchOS.
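The two posts above share one working configuration (a Secure Enclave EC key with kSecAccessControlPrivateKeyUsage) and one open question (what the flag buys you). The following is an added example written for this page, not code from the original thread or from Apple. It shows the point of the flag in practice: on a Secure Enclave key the access control is evaluated when the private key is *used* (inside SecKeyCreateSignature), so SecItemCopyMatching can return the key reference without a prompt, and the biometric check guards the signing operation that actually matters. It assumes an iOS device with a Secure Enclave, a passcode set and biometry enrolled; the application tag, the message to sign and the function names are constructed for this example. It uses kSecAccessControlBiometryCurrentSet, the current name for the kSecAccessControlTouchIDCurrentSet flag used in the thread.

```objective-c
// Added example for this page (not the thread's code): a Secure Enclave P-256 key
// whose biometric policy is enforced at signing time via
// kSecAccessControlPrivateKeyUsage. Assumes a device with a Secure Enclave, a
// passcode and enrolled biometry. Tag and message are constructed for the example.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed application tag used to find the key again later.
static NSData *ExampleTag(void) {
    return [@"com.example.se-signing-key" dataUsingEncoding:NSUTF8StringEncoding];
}

// Creates a permanent ECC P-256 private key inside the Secure Enclave.
// Returns NULL and sets *error on failure. Caller owns the returned key.
static SecKeyRef CreateSecureEnclaveKey(CFErrorRef *error) {
    // PrivateKeyUsage: the policy applies to private-key operations, not to
    // reading the item. Only Secure Enclave keys accept this flag, which is
    // consistent with the -25293 the thread reports for a software RSA key.
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryCurrentSet | kSecAccessControlPrivateKeyUsage,
        error);
    if (acl == NULL) return NULL;

    NSDictionary *params = @{
        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent: @YES,
            (id)kSecAttrApplicationTag: ExampleTag(),
            (id)kSecAttrAccessControl: (__bridge id)acl,
        },
    };
    SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)params, error);
    CFRelease(acl);
    return key;
}

// Looks the key up by tag. Because of kSecAccessControlPrivateKeyUsage this
// lookup does not prompt; the prompt is deferred to SecKeyCreateSignature.
static SecKeyRef CopySecureEnclaveKey(OSStatus *status) {
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassKey,
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrApplicationTag: ExampleTag(),
        (id)kSecReturnRef: @YES,
    };
    CFTypeRef ref = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &ref);
    return (SecKeyRef)ref;
}

// Signs `message` with the Secure Enclave key (biometric prompt happens here)
// and verifies the result with the corresponding public key.
static BOOL SignAndVerify(SecKeyRef privateKey, NSData *message, CFErrorRef *error) {
    NSData *sig = CFBridgingRelease(SecKeyCreateSignature(
        privateKey,
        kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
        (__bridge CFDataRef)message,
        error));
    if (sig == nil) return NO;   // user cancelled, biometry changed, etc.

    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    BOOL ok = SecKeyVerifySignature(publicKey,
                                    kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
                                    (__bridge CFDataRef)message,
                                    (__bridge CFDataRef)sig,
                                    error);
    CFRelease(publicKey);
    return ok;
}

// Call from app code: reuse the key if present, otherwise create it, then sign.
static BOOL RunExample(void) {
    CFErrorRef err = NULL;
    OSStatus st = errSecSuccess;
    SecKeyRef key = CopySecureEnclaveKey(&st);
    if (key == NULL && st == errSecItemNotFound) key = CreateSecureEnclaveKey(&err);
    if (key == NULL) {
        NSLog(@"key unavailable: status %d, error %@", (int)st, (__bridge NSError *)err);
        if (err) CFRelease(err);
        return NO;
    }
    NSData *msg = [@"constructed sample message" dataUsingEncoding:NSUTF8StringEncoding];
    BOOL ok = SignAndVerify(key, msg, &err);
    NSLog(@"signature verified: %@ (error %@)", ok ? @"YES" : @"NO", (__bridge NSError *)err);
    if (err) CFRelease(err);
    CFRelease(key);
    return ok;
}
```

For a software (non-Secure-Enclave) RSA key the kSecAccessControlPrivateKeyUsage flag is omitted, and, as the thread reports, the biometric prompt then appears at SecItemCopyMatching, because that is the moment the key material leaves the keychain. With the Secure Enclave key the material never leaves the enclave, so tying the policy to the signing operation is the meaningful place to enforce it.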