The idea for a cryptolayer was born when we started to introduce one new private key every two weeks during the design of the batchprocessor. Today OpenCA needs up to four different private keys - CA, logging, batchprocessor and key backup. Additionally, we need a crypto engine for the generation of private keys in the script basic_csr.
If a script or function needs a special key, then it calls getToken and receives a loaded object for the appropriate key. The key must then be activated with useKey, because some tokens can be used without authentication as long as the private key itself is not used. An example of such a "key" is a software token, which is handled by OpenCA::Token::OpenSSL.
The tokens can fall back to the default token if they don't implement a functionality. The token class OpenCA::Token::Empty is only a logical class which automatically falls back to the default token, which must be specified in etc/token.xml.
Today there are two additional classes beside the classes for empty and software keys - LunaCA3 and OpenSC. The class LunaCA3 can manage SafeNet LunaCA3 and Luna SA (former Rainbow, former Chrysalis-ITS) devices. This module also supports the daemon and session modes. These modes allow the activation of the module for a complete session or forever (daemon mode). The session ends when the user logs out. This is of course security-critical, but the user decides what he wants. The daemon mode activates the HSM and keeps it running until there is an explicit shutdown of the HSM via an interface. The class OpenSC can use any OpenSC smartcard as an HSM, but it can also be used to integrate any other PKCS#11 device if you don't use the key generation of this class. The key generation is specific to OpenSC. The other functionality is based on OpenSC's PKCS#11 engine for OpenSSL, which uses the PKCS#11 module of OpenSC. You can replace OpenSC's PKCS#11 library by any other PKCS#11 library.
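To make the token dispatch concrete, here is an added illustrative model of that layer in Perl; it is not OpenCA's own code. getToken and useKey are the names used above, while the My::Token::* classes, the sign/genKey operations, the pin argument and the default_token attribute are assumptions made for this example.

```perl
use strict;
use warnings;
# Base behaviour shared by all tokens: useKey() activates the private key, and any
# operation a token does not implement is delegated via AUTOLOAD to the default token.
package My::Token::Base;
our $AUTOLOAD;
sub new { my ($class, %args) = @_; return bless { %args, active => 0 }, $class; }
sub keyActive { return $_[0]{active}; }
sub useKey {    # authentication required before the key may be used
    my ($self, $pin) = @_;
    return $self->{active} = (defined $pin && $pin eq $self->{pin}) ? 1 : 0;
}
sub AUTOLOAD {
    my $self = shift;
    (my $op = $AUTOLOAD) =~ s/.*:://;
    return if $op eq 'DESTROY';
    my $fallback = $self->{default_token}
        or die "$op: not implemented by " . ref($self) . " and no default token\n";
    return $fallback->$op(@_);    # fall back to the default token
}
# Software token (stands in for OpenCA::Token::OpenSSL): no authentication needed.
package My::Token::Software;
our @ISA = ('My::Token::Base');
sub useKey { $_[0]{active} = 1; return 1; }
sub sign   { my ($self, $data) = @_; return "sw-sig($self->{name}:$data)"; }
sub genKey { my ($self, $bits) = @_; return "sw-key($self->{name}:$bits)"; }
# Hardware token (stands in for an HSM class): signs only after useKey(); no genKey.
package My::Token::Hardware;
our @ISA = ('My::Token::Base');
sub sign {
    my ($self, $data) = @_;
    die "$self->{name}: key not activated, call useKey first\n" unless $self->keyActive;
    return "hsm-sig($self->{name}:$data)";
}
# Empty token (stands in for OpenCA::Token::Empty): everything goes to the default.
package My::Token::Empty;
our @ISA = ('My::Token::Base');
sub useKey { my $self = shift; return $self->{default_token}->useKey(@_); }
package main;
my $default = My::Token::Software->new(name => 'default');   # constructed default token
my %tokens = (
    CA      => My::Token::Hardware->new(name => 'CA', pin => '1234', default_token => $default),
    logging => My::Token::Empty->new(name => 'logging', default_token => $default),
);
sub getToken { my $n = shift; exists $tokens{$n} or die "unknown token $n\n"; return $tokens{$n}; }
my $ca = getToken('CA');
eval { $ca->sign('csr') }; print "before useKey: $@";   # HSM key refuses to sign
$ca->useKey('1234');
print $ca->sign('csr'), "\n", $ca->genKey(2048), "\n";   # genKey served by the default token
my $log = getToken('logging'); $log->useKey;
print $log->sign('entry'), "\n";                        # Empty token delegates entirely
```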