I'm trying to wrap my head around Secure Channel Protocol because I would like to to establish secure communication between my app and GIDS. Unfortunately all the SCP documentation is extremely vague. After reading it thoroughly I still do not understand clearly who it is who supports SCP on the card - applet or card's operating system.
Having examined GIDS's source code I don't see anything looking like SCP support but I'm not sure if it is GIDS drawback which I need to correct myself or it is a normal thing because SCP is supported somewhere else on the card and I only need to establish secure communication with a security domain for example. Can anyone please give me some explanation?
The operating system is supporting SCP. It can be completely agnostic to the applet if SCP is supported by the card. SCP is mainly used only for the card content management, i.e. installation, deletion, personalization of applets.
However, the GP JC API defines integration points how applets can leverage some functions, e.g PIN management and also secure content management.
To stick with the example of the secure content management, e.g. if the applet implements org.globalplatform.Application then a GP STORE DATA[for personalization] APDU can be handled.
This method must then be implemented:
public void processData(byte[] apduBuffer, short offset, short length)
To use this method a secure channel would be created, then a STORE DATA[for personalization] with the AID of the applet and the wrapped data would be called.
The data would then be processed by:
SecureChannel secureChannel = GPSystem.getSecureChannel()
and a call unwrap on the channel.
So, the answer to your question is that the GIDS applet could be extended to use the GP SCP. But GIDS is a specification. If the specification does not define the usage of GP SCP then your changes will not be compliant. In addition GIDS is already covering the security aspects by using an own approach.