Differentiate ECC keys KeyChain

I was wondering if there is a way to determine the curve of an ECC key when/after stored in the KeyChain.

```swift
import CryptoKit

// Both private keys serialize to 32 raw bytes, so the bytes alone do not reveal the curve.
let ed25519 = Curve25519.Signing.PrivateKey().rawRepresentation
let p256 = P256.Signing.PrivateKey().rawRepresentation
```

As these keys have the same size (256 bits), it's very confusing. I would be able to differentiate between P256, P384 and P521 using the key size, but is there a way to tell the difference between the Curve25519 and P256 variant, or maybe an attribute providing the used curve when stored in the Keychain?

Accepted Reply

Quoting from Storing CryptoKit Keys in the Keychain here:

Some of these key types, like P256.Signing.PrivateKey, correspond to
items that the Keychain Services API stores natively as SecKey
instances. Other key types, like Curve25519.Signing.PrivateKey, have
no direct keychain corollary. To store these kinds of keys, you
package them as generic passwords.

If you get a SecKey value (kSecClass is kSecClassKey) then it’s a P256 [1]. OTOH, a Curve25519 ends up being stored as a generic password (kSecClass is kSecClassGenericPassword). If you need to further distinguish within that group, you can store a marker in the kSecAttrGeneric attribute.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] Assuming that it’s an EC key (kSecAttrKeyType is kSecAttrKeyTypeECSECPrimeRandom) with a key size of 256 (kSecAttrKeySizeInBits).
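The rule above worked through in code, added here as an example and not code from this thread or from Apple's doc: it assumes a hypothetical item name `tag` (used as the generic password's account name and, for the P256 item, as the SecKey's kSecAttrApplicationTag when it was added), and a marker string of its own choosing in kSecAttrGeneric.

```swift
import CryptoKit
import Foundation
import Security

// Marker written to kSecAttrGeneric so a Curve25519 generic-password item can be
// told apart from ordinary passwords (the marker string is this example's own choice).
let curve25519Marker = Data("Curve25519.Signing.PrivateKey".utf8)

enum StoredKeyKind { case p256, curve25519, unknown }

// Curve25519 has no SecKey form, so the raw bytes go in as a generic password,
// with the marker attribute alongside the account name `tag` (a hypothetical name).
func store(_ key: Curve25519.Signing.PrivateKey, tag: String) throws {
    let item: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrAccount as String: tag,
                               kSecAttrGeneric as String: curve25519Marker,
                               kSecValueData as String: key.rawRepresentation]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Fetch the attributes of the first item matching `query`, or nil if none does.
func attributes(_ query: [String: Any]) -> [String: Any]? {
    var q = query
    q[kSecReturnAttributes as String] = true
    var result: CFTypeRef?
    guard SecItemCopyMatching(q as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? [String: Any]
}

// The rule from the reply: a native kSecClassKey item that is EC and 256 bits is P256;
// a generic password carrying our marker is Curve25519 (assumes the P256 SecKey item
// was added with kSecAttrApplicationTag set to `tag`).
func kindOfKey(tag: String) -> StoredKeyKind {
    if let a = attributes([kSecClass as String: kSecClassKey,
                           kSecAttrApplicationTag as String: Data(tag.utf8)]) {
        // kSecAttrKeyType comes back as a string ("73"); tolerate a number too.
        let keyType = (a[kSecAttrKeyType as String] as? NSNumber)?.stringValue
            ?? (a[kSecAttrKeyType as String] as? String)
        let bits = (a[kSecAttrKeySizeInBits as String] as? NSNumber)?.intValue
        return (keyType == (kSecAttrKeyTypeECSECPrimeRandom as String) && bits == 256) ? .p256 : .unknown
    }
    if let a = attributes([kSecClass as String: kSecClassGenericPassword,
                           kSecAttrAccount as String: tag]),
       (a[kSecAttrGeneric as String] as? Data) == curve25519Marker {
        return .curve25519
    }
    return .unknown
}
```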

Replies

Are you aware of any improvements to the SecKey interfacing that will allow keys to be stored properly? A generic password is very different from a SecKey.

Are you aware of any improvements to the SecKey interfacing that
will allow keys to be stored properly?

The doc I referenced above is still the state of the art )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"