Guidance to provision custom SCP03 keys

Rutwik0409
Contributor II

Hi @Kan_Li,

I’m working with an ESP32 host and SE050C1. Environment details:

  • Plug & Trust: v3.0.6 (Mini)

  • SE050 applet version: 03 01 01 6F FF 01 0B

  • I can open a secure channel using the default keys, generate an EC keypair on the SE, and create a CSR successfully.

Now I’d like to provision my own SCP03 keyset (ENC/MAC/DEK, AES-256) once, store it on the SE050 under a new key version, and thereafter always open the SCP03 session using that version.

What I need from you:

  1. API / Example for PUT KEY in v3.0.6 (Mini)

    • In my Mini drop I see INS_GP_PUT_KEY defined, but I don’t find a higher-level helper like Se05x_API_PutKeys(), nxScp03_ChangeKeys(), or an ex_scp03_change_keys example.

    • Could you confirm whether Mini v3.0.6 includes an SCP03 key-rotation helper?

      • If yes: which source file(s) and function(s) should I call, and what headers do I include?

      • If no: please share the recommended way (and a minimal code sample) to send GlobalPlatform PUT KEY (CLA=0x80, INS=0xD8) over an already-open SCP03 session using the Mini APDU transport (e.g., Se05x_API_Transceive/Se05x_API_SendAPDU), including the expected TLV format for ENC/MAC/DEK and KCV calculation.

  2. Auth context structure for AES (SCP03) in v3.0.6

    • My boot context is gex_sss_boot_ctx.ex_se05x_auth.

       
      ex_se05x_auth.param.scp03.ex_static.Enc/Mac/Dek
      ex_se05x_auth.param.scp03.keyVer

    • I select AES via argv (--auth aes) and load keys into ex_static.{Enc,Mac,Dek} and the version into keyVer.

    • Please confirm the correct field names for v3.0.6 Mini so I don’t rely on trial-and-error.

  3. Reference implementation / paths

    • If there is an example in the full Plug & Trust (non-Mini) that demonstrates SCP03 key update, could you point me to the exact path and function name so I can mirror that logic in Mini? Typical names I looked for:

      • examples/sss/ex_scp03_change_keys.*

      • hostlib/hostLib/libCommon/scp/nxScp03.*

      • hostlib/hostLib/libSE05X/src/*scp03* or any usage of INS_GP_PUT_KEY.

  4. Versioning & key length

    • I plan to use AES-256 (32-byte keys) and a new key version (e.g., 0x11). Any constraints or best practices you recommend for key version selection or minimum key length on applet 03 01 01 6F FF 01 0B?

  5. Tooling alternative

    • If the recommended path is to provision once using and then switch my firmware to always open with the new keys, could you share the tool name/command (and where to get it).

My immediate blocker is the lack of a callable helper for PUT KEY in Mini; I’m happy to implement a raw APDU if you can share the exact APDU build and send sequence expected by the SE050 in this applet version.

Thanks a lot for your guidance!

Best regards,
Reddy

Kan_Li
NXP TechSupport

Hi @Rutwik0409 ,

 

So far we just provide a PlatformSCP key rotation demo in the full version and nano version of the MW, but I think you just need to run this kind of application once per device life, so you may try to port the nano package to your platform as a quick solution. Please kindly refer to https://github.com/NXPPlugNTrust/nano-package/tree/master/examples/se05x_rotate_scp03_keys for details.

 

Hope that helps,

 

Have a great day,
Kan

