Differentiate ECC keys KeyChain

I was wondering if there is a way to determine the curve of an ECC key when/after stored in the KeyChain.

Code Block swift
let ed25519 = Curve25519.Signing.PrivateKey().rawRepresentation
let p256 = P256.Signing.PrivateKey().rawRepresentation

As these keys have the same size (256 bits), it's very confusing. I would be able to differentiate between P256, P384 and P521 using the key size, but is there a way to tell the difference between the Curve25519 and P256 variant, or maybe an attribute providing the used curve when stored in the Keychain?
Answered by DTS Engineer in 662294022
Quoting from Storing CryptoKit Keys in the Keychain here:

Some of these key types, like P256.Signing.PrivateKey, correspond to
items that the Keychain Services API stores natively as SecKey
instances. Other key types, like Curve25519.Signing.PrivateKey, have
no direct keychain corollary. To store these kinds of keys, you
package them as generic passwords.

If you get a SecKey value (kSecClass is kSecClassKey) then it’s a P256 [1]. OTOH, a Curve25519 ends up being stored as a generic password ( kSecClass is kSecClassGenericPassword). If you need to further distinguish within that group, you can store a marker in the kSecAttrGeneric attribute.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] Assuming that it’s an EC key (kSecAttrKeyType is kSecAttrKeyTypeECSECPrimeRandom) with a key size of 256 (kSecAttrKeySizeInBits).
Accepted Answer
Quoting from Storing CryptoKit Keys in the Keychain here:

Some of these key types, like P256.Signing.PrivateKey, correspond to
items that the Keychain Services API stores natively as SecKey
instances. Other key types, like Curve25519.Signing.PrivateKey, have
no direct keychain corollary. To store these kinds of keys, you
package them as generic passwords.

If you get a SecKey value (kSecClass is kSecClassKey) then it’s a P256 [1]. OTOH, a Curve25519 ends up being stored as a generic password ( kSecClass is kSecClassGenericPassword). If you need to further distinguish within that group, you can store a marker in the kSecAttrGeneric attribute.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] Assuming that it’s an EC key (kSecAttrKeyType is kSecAttrKeyTypeECSECPrimeRandom) with a key size of 256 (kSecAttrKeySizeInBits).
Are you aware of any improvements to the SecKey interfacing that will allow to store keys properly? A generic password is very different from a SecKey

Are you aware of any improvements to the SecKey interfacing that
will allow to store keys properly?

The doc I referenced above is still the state of the art )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Differentiate ECC keys KeyChain
 
 
Q