Is it possible to override kSecAttrCanSign for SecKeyCreateSignature?

I am having trouble creating a CSR to renew a SecIdentity whose private SecKey is stored in slot 9d of a smartcard.

For slot 9a, I am able to accomplish this by way of SecKeyCreateSignature using CertificateSigningRequest from a gently-modified fork of swift-certificates/swift-crypto to sort out all the details.

But for the SecKey associated with slot 9d, the Security framework instantly returns an "algorithm not supported by the key" error when I call SecKeyCreateSignature, without even prompting for a PIN.

I believe the difference is that kSecAttrCanSign is true for slot 9a but false for slot 9d. The value makes some sense for day-to-day usage because this identity is usually not used for signing, but if we are to occasionally sign a CSR for this key an exception would need to be made.

Is there any way to basically force this exception with the Security framework? Again the actual private key material is not available so the only access as far as I'm aware is via the enumerated SecKey reference. Is there any way to SecKeyCreateWithData a secondary reference to the same underlying (but unexportable!) key but with allowed-usage attributes of my own choosing?

Could you please point out which algorithm not support when you using the SecKeyCreateSignature API on your mac platform & physical smart card?

My situation is when I set the algorithm to kSecKeyAlgorithmRSASignatureRaw, the error "algorithm not supported by the key" will occur. but is OK for other algorithm like kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256

Is it possible to override kSecAttrCanSign for SecKeyCreateSignature?
 
 
Q