Secure Enclave: update SecAccessControlCreateFlags after key creation


I am wondering if anyone knows whether it's possible to update the flags after the key creation inside the Secure Enclave or not? Here's how I am creating the key:

import Foundation
import Security

var error: Unmanaged<CFError>?

// The access control object is bound to the key when it is generated below.
// .privateKeyUsage is required for Secure Enclave keys; .userPresence makes
// every private-key operation prompt for passcode or biometry.
guard let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                   kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                   [.userPresence, .privateKeyUsage],
                                                   &error) else {
    throw error!.takeRetainedValue() as Error
}
let attributes: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits as String: 256,
    kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        // kSecAttrApplicationTag is documented as Data; reuse the same tag to
        // look the key up (or delete it) later
        kSecAttrApplicationTag as String: "stacksometimesoverflow".data(using: .utf8)!,
        kSecAttrAccessControl as String: access
    ]
]

// The returned SecKey is the private-key handle; the key material itself stays in the enclave.
guard SecKeyCreateRandomKey(attributes as CFDictionary, &error) != nil else {
    throw error!.takeRetainedValue() as Error
}

As you can see, the key is created with

SecAccessControlCreateFlags.userPresence, SecAccessControlCreateFlags.privateKeyUsage

My question is: is it possible to update the access flags of the key (the same key), say if I want to remove SecAccessControlCreateFlags.userPresence?

All the best!

Johnny


1 Answer


I don't think that's possible. According to Apple's documentation:

... because its backing storage is physically part of the Secure Enclave, you can never inspect the key’s data.

I think the best way is to delete your key with SecItemDelete(_:) and then create a new key without the .userPresence flag.
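The delete-and-recreate procedure from the answer above, written out as an added example (not code from the question or the answer). It assumes a device that provides a Secure Enclave, reuses the question's application tag, and introduces the hypothetical helper names deleteSecureEnclaveKey, createSecureEnclaveKey and replaceKeyWithoutUserPresence. The point the answer does not spell out: the replacement is a brand-new key pair, so the old private key is unrecoverable and the new public key has to be re-registered wherever the old one was trusted (server enrollment, stored signatures, etc.).

```swift
import Foundation
import Security

// Added example, not from the original question or answer. Helper names are
// assumptions; the application tag is the one used in the question.

enum SecureEnclaveKeyError: Error {
    case accessControl(Error?)
    case keyGeneration(Error?)
    case deletion(OSStatus)
}

/// Delete the Secure Enclave private key stored under `tag`.
/// errSecItemNotFound counts as success so the routine is safe to call twice.
func deleteSecureEnclaveKey(tag: Data) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw SecureEnclaveKeyError.deletion(status)
    }
}

/// Generate a fresh P-256 key in the Secure Enclave with the given flags.
/// .privateKeyUsage is always added because Secure Enclave keys require it;
/// the caller decides whether to include .userPresence, .biometryCurrentSet, etc.
func createSecureEnclaveKey(tag: Data, flags: SecAccessControlCreateFlags) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        flags.union(.privateKeyUsage),
        &error) else {
        throw SecureEnclaveKeyError.accessControl(error?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access
        ]
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw SecureEnclaveKeyError.keyGeneration(error?.takeRetainedValue())
    }
    return key
}

/// Replace the key under `tag` with one that no longer requires user presence.
/// Returns the NEW public key (ANSI X9.63 uncompressed point) so the caller can
/// re-register it; the old private key is gone once this returns.
func replaceKeyWithoutUserPresence(tag: Data) throws -> Data {
    try deleteSecureEnclaveKey(tag: tag)
    let privateKey = try createSecureEnclaveKey(tag: tag, flags: [])
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw SecureEnclaveKeyError.keyGeneration(nil)
    }
    var error: Unmanaged<CFError>?
    guard let x963 = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw SecureEnclaveKeyError.keyGeneration(error?.takeRetainedValue())
    }
    return x963
}

// Usage: same tag as in the question. Run on hardware with a Secure Enclave.
let tag = "stacksometimesoverflow".data(using: .utf8)!
do {
    let newPublicKey = try replaceKeyWithoutUserPresence(tag: tag)
    print("new public key (\(newPublicKey.count) bytes) must be re-registered with the relying party")
} catch {
    print("key rotation failed: \(error)")
}
```

Treat the rotation as a re-enrollment, not a settings change: anything the old key signed or was enrolled for needs to be redone with the new public key, and if the goal was to relax protection only for some operations, consider keeping the .userPresence key and creating a second, differently tagged key for the low-friction use case instead of weakening the existing one.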