WIP: Explore Hardware Decryption

pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java

@@ -48,6 +48,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
+    private HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = null;
 
     private final Map<PGPSecretKeyRing, SecretKeyRingProtector> decryptionKeys = new HashMap<>();
     private final Set<Passphrase> decryptionPassphrases = new HashSet<>();
@@ -238,6 +239,11 @@ public class ConsumerOptions {
         return this;
     }
 
+    public ConsumerOptions setHardwareDecryptionCallback(HardwareSecurity.DecryptionCallback callback) {
+        this.hardwareDecryptionCallback = callback;
+        return this;
+    }
+
     public @Nonnull Set<PGPSecretKeyRing> getDecryptionKeys() {
         return Collections.unmodifiableSet(decryptionKeys.keySet());
     }

pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java

@@ -0,0 +1,27 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
+import org.pgpainless.util.SessionKey;
+
+public class HardwareSecurity {
+
+    public interface DecryptionCallback {
+
+        /**
+         * Delegate decryption of a Public-Key-Encrypted-Session-Key (PKESK) to an external API for dealing with
+         * hardware security modules such as smartcards or TPMs.
+         *
+         * If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
+         *
+         * @param pkesk public-key-encrypted session key
+         * @return decrypted session key
+         * @throws HardwareSecurityException exception
+         */
+        SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurityException;
+
+    }
+
+    public static class HardwareSecurityException extends Exception {
+
+    }
+}