It's probably a known issue (at least someone on Stack Overflow has faced it: http://stackoverflow.com/questions/7966829/seckeyrawsign-osx-with-ec-cert) but it's apparently not covered in the forums (*).
Problem:
When SecTransformExecute is called and the user denies access to the keychain, the returned data is not NULL. The error is NULL.
This is not at all what the documentation states.
Question:
How are we supposed to know that we're in this case from the returned values of SecTransformExecute? Are we supposed to assume that checking whether we received a 32KB zeroed data ref is the sign the access was denied?
* Tried looking for "SecTransform deny keychain": no results and it was suggested I may have meant "Spectra, deny, sketching". Sigh.