Java Card

Hi folks,

I wonder if someone could point me in the right direction.

We are developing an application to manage JCOP smartcards outside of the JCOP shell etc... The final part of this is the putkey command which we must perform using full secure comms etc...

The cards we are using are JCOP31 cards GP2.1.1 SCP02.

We have working ext-auth, MACing and full message encryption functions which work flawlessly in any order on all commands we have tried... except the putkey command.

We have successfully loaded keys on to the card using no MAC and authenticated against these so presumably our key encryption and command format are correct.

When applying a MAC to the working put key command (with modified header, length and encrypted ICV etc... etc...) we receive a 6982 response.

Is the MAC generation for the putkey command the same as all others?
Should the MAC be calculated from the full command with the keys already encrypted? (have tried both before key encryption and after with no luck)

Is there anything you can think of that we may not have done?

We are starting with straight out of the box JCOP cards with the engineering keys and simply going : init-update, ext-auth (mac) then putkey.
init-update, ext-auth (mac or full secure comms) then any other command e.g. applet load works correctly.
init-update, ext-auth (plain) then putkey (without mac) works correctly.

Help!

Thankyou!