Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I am creating a private/public key pair using the SecKeyGeneratePair method. To be able to do that I create a parameter dictionary with kSecPrivateKeyAttrs and kSecPublicKeyAttrs. In the kSecPrivateKeyAttrs and kSecPublicKeyAttrs (both dictionaries) I add kSecAttrAccessControl to set the protection level of the key (e.g. kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly).

var publicKey, privateKey: SecKey?            
let status = SecKeyGeneratePair(params as CFDictionary, &publicKey, &privateKey)

The generation of the keys succeeds but it seems that adding the kSecAttrAccessControl only affects the private key. Is this documented somewhere?



1 Answer

I couldn't find any documentation but what you observe makes sense based on a few things:

  • Keychain APIs store secrets on Apple's platforms. The public key is not a secret. Only the private key is. So it makes sense that data protection would only apply to the private key.
  • The keychain on iOS is similar to Keychain Access on macOS. In Keychain Access, only private keys have access controls. See attached. That's for my distribution private key.

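The parameter dictionary described in the question, with the access-control object placed only in the private key attributes in line with the answer's reasoning, as an added example that is not from the original post. The function name, error type, tag parameters, RSA key type and 2048-bit size are assumptions chosen for illustration.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum KeyPairError: Error {
    case accessControl(Error?)
    case generation(OSStatus)
}

/// Generates a permanent key pair whose private key carries an access-control object.
/// `privateTag` and `publicTag` are caller-chosen application tags (assumed names).
func makeKeyPair(privateTag: String, publicTag: String) throws -> (publicKey: SecKey, privateKey: SecKey) {
    // Protection class from the question; empty flags add no user-presence constraint.
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        [],
        &acError
    ) else {
        throw KeyPairError.accessControl(acError?.takeRetainedValue() as Error?)
    }

    // The private key is the secret, so the access control is attached here.
    let privateAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: Data(privateTag.utf8),
        kSecAttrAccessControl as String: access,
    ]
    // The public key is not a secret; it gets no access-control entry.
    let publicAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: Data(publicTag.utf8),
    ]
    let params: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,   // assumed key type
        kSecAttrKeySizeInBits as String: 2048,           // assumed key size
        kSecPrivateKeyAttrs as String: privateAttrs,
        kSecPublicKeyAttrs as String: publicAttrs,
    ]

    var publicKey, privateKey: SecKey?
    let status = SecKeyGeneratePair(params as CFDictionary, &publicKey, &privateKey)
    guard status == errSecSuccess, let pub = publicKey, let priv = privateKey else {
        throw KeyPairError.generation(status)
    }
    return (pub, priv)
}
```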