The National Institute of Standards and Technology, U.S. Department of Commerce has defined a smart card application. Although not a "national ID card", it is expected to be used widely in the U.S.federal government and its contractors. Cards with this application are commonly referred to as PIV cards.
NIST Spical Publication 800-73-2 (See below) and related documents define PIV. Part 2 of 800-73-2 defines the ADPU commands accepted by the PIV application on the card. The standard does not define all the commands needed to administer a card, leaving this up to the card vendors and card administration software vendors.
The non-administrative commands are standardized, and so any vendor's card with the PIV application should inter operate with any vendor's client software. The pkcs11-tool can be used to read the objects on the card and to change the user PIN.
The piv-tool is provided to allow for some card administration in testing, such as generating a key pair, and loading a certificate or other object on the card. You may need more information from your card vendor.
The PIV is not a PKCS#15 type card, but rather an object based application. OpenSC provides a PKCS#15 emulator to access the four certificates and keys, along with the data objects. Thus for example the "X.509 Certificate for PIV Authentication" can be used with PKCS#11 for login or web access.
OpenSC 0.11.1 did not search arbitrary cards for the PIV application, and set the max_send_size and max_recv_size to low for PIV cards. With 0.11.1 you needed to add the ATR of specific vendor's cards to the opensc.conf. The ATR of your card can be read using the opensc-tool.
OpenSC 0.11.2 added support for certificates that are gzip'ed. But only 1024 bit RSA keys are supported.
OpenSC 0.11.3 added support for 2048 and 3072 bit RSA keys.
OpenSC 0.11.4 added support to read all the objects on the card via PKCS#11, pkcs11-tool and pkcs15-tool.
OpenSC 0.11.5 added support for 800-73-2.
No changes are needed to the opensc.conf file when using 0.11.4 and above, but here are sample changes needed for 0.11.1 in the opensc.conf file to use some GemAalto and Oberthur PIV cards. If other vendors produce PIV cards, you may have to add their ATRs:
... reader_driver xxxxx { ... max_send_size = 255; max_recv_size = 256; ... } ... card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 { # GemAlto name = "PIV-II"; driver = "piv"; } card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 { # Oberthur name = "PIV-II"; driver = "piv"; } ... framework pkcs15 { ... emulate PIV-II { } ... } ...
Links
PIV Overview
NIST Special Publications - 800-73-2
Look for 800-73-2. Part 2 has the ADPU commands. All four parts:
http://csrc.nist.gov/publications/nistpubs/800-73-2/sp800-73-2_4parts.zip