Guidance to provision custom SCP03 keys

Hi @Kan_Li,

I’m working with an ESP32 host and SE050C1. Environment details:

• Plug & Trust: v3.0.6 (Mini)

• SE050 applet version: 03 01 01 6F FF 01 0B

• I can open a secure channel using the default keys, generate an EC keypair on the SE, and create a CSR successfully.

Now I’d like to provision my own SCP03 keyset (ENC/MAC/DEK, AES-256) once, store it on the SE050 under a new key version, and thereafter always open the SCP03 session using that version.

What I need from you:

1. API / Example for PUT KEY in  v3.0.6 (Mini)

   • In my Mini drop I see INS_GP_PUT_KEY defined, but I don’t find a higher-level helper like Se05x_API_PutKeys(), nxScp03_ChangeKeys(), or an ex_scp03_change_keys example.

   • Could you confirm whether Mini v3.0.6 includes an SCP03 key-rotation helper?

     • If yes: which source file(s) and function(s) should I call, and what headers do I include?

     • If no: please share the recommended way (and a minimal code sample) to send GlobalPlatform PUT KEY (CLA=0x80, INS=0xD8) over an already-open SCP03 session using the Mini APDU transport (e.g., Se05x_API_Transceive/Se05x_API_SendAPDU), including the expected TLV format for ENC/MAC/DEK and KCV calculation .

2. Auth context structure for AES (SCP03) in v3.0.6

   • My boot context is gex_sss_boot_ctx.ex_se05x_auth.

      

     ex_se05x_auth.param.scp03.ex_static.Enc/Mac/Dek ex_se05x_auth.param.scp03.keyVer

   • I select AES via argv (--auth aes) and load keys into ex_static.{Enc,Mac,Dek} and the version into keyVer.

   • Please confirm the correct field names for v3.0.6 Mini so I don’t rely on trial-and-error.

3. Reference implementation / paths

   • If there is an example in the full Plug & Trust (non-Mini) that demonstrates SCP03 key update, could you point me to the exact path and function name so I can mirror that logic in Mini? Typical names I looked for:

     • examples/sss/ex_scp03_change_keys.*

     • hostlib/hostLib/libCommon/scp/nxScp03.*

     • hostlib/hostLib/libSE05X/src/*scp03* or any usage of INS_GP_PUT_KEY.

4. Versioning & key length

   • I plan to use AES-256 (32-byte keys) and a new key version (e.g., 0x11). Any constraints or best practices you recommend for key version selection or minimum key length on applet 03 01 01 6F FF 01 0B?

5. Tooling alternative

   • If the recommended path is to provision once using and then switch my firmware to always open with the new keys, could you share the tool name/command (and where to get it).

My immediate blocker is the lack of a callable helper for PUT KEY in Mini; I’m happy to implement a raw APDU if you can share the exact APDU build and send sequence expected by the SE050 in this applet version.

Thanks a lot for your guidance!

Best regards,
Reddy