eID Wallet: Add passphrase-free eVault recovery via newly generated keys

[plansombl]

Description

Inside the eID Wallet, a new recovery method should be introduced that allows a user to regain access to their eVault without requiring any passphrases. When initiating recovery, the wallet generates a fresh set of cryptographic keys. These new keys are used to re-establish access to the eVault, replacing or supplementing the previous key material — enabling recovery in scenarios where the user has lost their passphrase entirely.

Reference

• Related to the eNotary key binding certificate signing flow (see companion issue), as the newly generated keys during recovery may need to be notary-signed via a key binding certificate.

Acceptance Criteria

• The eID Wallet exposes a distinct "Recover without passphrase" flow in the recovery section of the UI.
• During recovery, the wallet generates a new cryptographic key pair securely on-device.
• The new keys are used to authenticate against and unlock the eVault without requiring the old passphrase.
• The old keys / passphrase are no longer required once recovery is complete.
• The user is clearly informed about what the recovery process entails and any security implications (e.g. re-binding required, notary attestation if applicable).
• Recovery fails safely if the generated keys cannot be validated against the eVault's access policy.
• The feature is covered by appropriate tests (unit + integration / E2E).

Desired Output (may vary)

A user who has lost their passphrase can open the eID Wallet, trigger the new recovery flow, have fresh keys generated, and successfully regain access to their eVault — with no passphrase entry required at any point.