feat(jar): add JWE decryption support for request objects

- Adds :enc key use type to Domain.SigningKey and Storage.Ecto.SigningKeyRecord
- Adds generate_key/1 to Lockspire.Admin.Keys and UI for :enc keys
- Implements Jar.decrypt/2 using JOSE.JWE to decrypt nested JWTs
- Updates RequestObject to decrypt incoming JARs before verification
- Isolates active key fetches in Repository by use type (:sig vs :enc)
- Updates JWKS controller to publish both :sig and :enc keys

Author: szTheory

lib/lockspire/admin.ex

@@ -30,6 +30,7 @@ defmodule Lockspire.Admin do
   defdelegate revoke_token_family(token_id, attrs \\ %{}), to: Tokens
   defdelegate list_keys(opts \\ []), to: Keys
   defdelegate get_key(key_id), to: Keys
+  defdelegate generate_key(use \\ :sig), to: Keys
   defdelegate publish_key(key_id, attrs \\ %{}), to: Keys
   defdelegate activate_key(key_id, attrs \\ %{}), to: Keys
   defdelegate retire_key(key_id, attrs \\ %{}), to: Keys

lib/lockspire/admin/keys.ex

@@ -31,6 +31,44 @@ defmodule Lockspire.Admin.Keys do
     end
   end
 
+  @spec generate_key(SigningKey.use_type()) :: {:ok, key_view()} | {:error, term()}
+  def generate_key(use \\ :sig) do
+    jwk = JOSE.JWK.generate_key({:rsa, 2048})
+    {_, public_jwk_map} = JOSE.JWK.to_map(JOSE.JWK.to_public(jwk))
+    {_, private_jwk_map} = JOSE.JWK.to_map(jwk)
+
+    kid = Base.encode16(:crypto.strong_rand_bytes(8))
+    
+    public_jwk_map =
+      public_jwk_map
+      |> Map.put("use", Atom.to_string(use))
+      |> Map.put("kid", kid)
+      
+    private_jwk_map = Map.put(private_jwk_map, "kid", kid)
+
+    key = %SigningKey{
+      kid: kid,
+      kty: :RSA,
+      alg: "RS256",
+      use: use,
+      public_jwk: public_jwk_map,
+      private_jwk_encrypted: :erlang.term_to_binary(private_jwk_map),
+      status: :upcoming,
+      inserted_at: DateTime.utc_now(),
+      updated_at: DateTime.utc_now()
+    }
+
+    with {:ok, published_key} <- transact_with_audit(
+             fn -> Repository.publish_key(key) end,
+             fn %SigningKey{} = k ->
+               key_audit_event(:key_generated, k, actor_from_attrs(%{}), %{use: use})
+             end
+           ) do
+      emit(:key_generated, published_key, actor_from_attrs(%{}))
+      {:ok, to_view(published_key)}
+    end
+  end
+
   @spec publish_key(integer(), map() | keyword()) :: {:ok, key_view()} | {:error, term()}
   def publish_key(key_id, attrs \\ %{})
 

lib/lockspire/domain/signing_key.ex

@@ -4,7 +4,7 @@ defmodule Lockspire.Domain.SigningKey do
   """
 
   @type key_type :: :RSA | :EC | :OKP
-  @type use_type :: :sig
+  @type use_type :: :sig | :enc
   @type status :: :upcoming | :active | :retiring | :retired
 
   @type t :: %__MODULE__{

lib/lockspire/protocol/jar.ex

@@ -33,6 +33,32 @@ defmodule Lockspire.Protocol.Jar do
   # "none" is never permitted — it would allow unsigned requests to bypass auth.
   @allowed_algorithms ~w(RS256 RS384 RS512 PS256 PS384 PS512 ES256 ES384 ES512 EdDSA)
 
+  @doc """
+  Decrypts a nested JWE request object to return the inner JWS string.
+  If the input is not a JWE (e.g. it is a 3-part JWS), it returns `{:ok, jwt}` immediately.
+  """
+  @spec decrypt(String.t(), [Lockspire.Domain.SigningKey.t()]) :: {:ok, String.t()} | {:error, :decryption_failed}
+  def decrypt(jwt, decryption_keys) when is_binary(jwt) do
+    if length(String.split(jwt, ".")) == 5 do
+      Enum.reduce_while(decryption_keys, {:error, :decryption_failed}, fn key, _acc ->
+        try do
+          jwk_map = :erlang.binary_to_term(key.private_jwk_encrypted)
+          jwk = JOSE.JWK.from_map(jwk_map)
+          case JOSE.JWK.block_decrypt(jwt, jwk) do
+            {plain_text, %JOSE.JWE{}} -> {:halt, {:ok, plain_text}}
+            _ -> {:cont, {:error, :decryption_failed}}
+          end
+        rescue
+          _ -> {:cont, {:error, :decryption_failed}}
+        catch
+          _, _ -> {:cont, {:error, :decryption_failed}}
+        end
+      end)
+    else
+      {:ok, jwt}
+    end
+  end
+
   @doc """
   Decodes a JWT string without signature verification.
   """

lib/lockspire/protocol/request_object.ex

@@ -27,6 +27,7 @@ defmodule Lockspire.Protocol.RequestObject do
   alias Lockspire.Domain.Client
   alias Lockspire.Protocol.AuthorizationRequest.Error
   alias Lockspire.Protocol.Jar
+  alias Lockspire.Storage.Ecto.Repository
 
   @type result ::
           {:ok, map()}
@@ -40,14 +41,30 @@ defmodule Lockspire.Protocol.RequestObject do
     with :ok <- reject_request_uri_collision(params),
          :ok <- reject_outer_param_conflicts(params),
          {:ok, jwt} <- fetch_request(params),
+         {:ok, jws_string} <- decrypt_request(jwt),
          :ok <- require_client_jwks(client),
-         {:ok, %Jar{} = jar} <- decode_and_verify(jwt, client),
+         {:ok, %Jar{} = jar} <- decode_and_verify(jws_string, client),
          :ok <- validate(jar, client, opts),
          {:ok, projected} <- project_to_params(jar, client) do
       {:ok, projected}
     end
   end
 
+  defp decrypt_request(jwt) do
+    with {:ok, dec_keys} <- Repository.list_decryption_keys(),
+         {:ok, jws_string} <- Jar.decrypt(jwt, dec_keys) do
+      {:ok, jws_string}
+    else
+      _ ->
+        {:browser_error,
+         browser_error(
+           :invalid_request_object,
+           "Request object decryption failed",
+           :invalid_request_object_decryption
+         )}
+    end
+  end
+
   defp reject_request_uri_collision(%{"request_uri" => request_uri}) do
     if present?(request_uri) do
       {:browser_error,

lib/lockspire/storage/ecto/repository.ex

@@ -893,10 +893,25 @@ defmodule Lockspire.Storage.Ecto.Repository do
     error -> {:error, error}
   end
 
+  @impl KeyStore
+  def list_decryption_keys do
+    SigningKeyRecord
+    |> where([key], key.use == :enc)
+    |> where([key], key.status in [:active, :retiring])
+    |> order_by([key], asc: key.inserted_at)
+    |> repo().all()
+    |> then(fn records ->
+      {:ok, Enum.map(records, &SigningKeyRecord.to_domain/1)}
+    end)
+  rescue
+    error -> {:error, error}
+  end
+
   @impl KeyStore
   def fetch_active_signing_key do
     SigningKeyRecord
     |> where([key], key.status == :active)
+    |> where([key], key.use == :sig)
     |> order_by([key], asc: key.inserted_at)
     |> limit(1)
     |> repo().one()
@@ -1515,7 +1530,7 @@ defmodule Lockspire.Storage.Ecto.Repository do
     do: repo().rollback(:not_published)
 
   defp activate_signing_key_record(%SigningKeyRecord{} = selected_record, activated_at) do
-    case fetch_active_signing_key_records() do
+    case fetch_active_signing_key_records(selected_record.use) do
       [] ->
         %{
           activated_key: activate_selected_signing_key(selected_record, activated_at),
@@ -1533,9 +1548,10 @@ defmodule Lockspire.Storage.Ecto.Repository do
     end
   end
 
-  defp fetch_active_signing_key_records do
+  defp fetch_active_signing_key_records(use) do
     SigningKeyRecord
     |> where([key], key.status == :active)
+    |> where([key], key.use == ^use)
     |> lock("FOR UPDATE")
     |> repo().all()
   end

lib/lockspire/storage/ecto/signing_key_record.ex

@@ -13,7 +13,7 @@ defmodule Lockspire.Storage.Ecto.SigningKeyRecord do
     field(:kid, :string)
     field(:kty, Ecto.Enum, values: [:RSA, :EC, :OKP])
     field(:alg, :string)
-    field(:use, Ecto.Enum, values: [:sig])
+    field(:use, Ecto.Enum, values: [:sig, :enc])
     field(:public_jwk, :map)
     field(:private_jwk_encrypted, :binary)
     field(:status, Ecto.Enum, values: [:upcoming, :active, :retiring, :retired])

lib/lockspire/storage/key_store.ex

@@ -11,6 +11,7 @@ defmodule Lockspire.Storage.KeyStore do
   @callback list_active_keys() :: {:ok, [SigningKey.t()]} | {:error, store_error()}
   @callback list_signing_keys(keyword()) :: {:ok, [SigningKey.t()]} | {:error, store_error()}
   @callback list_publishable_keys() :: {:ok, [SigningKey.t()]} | {:error, store_error()}
+  @callback list_decryption_keys() :: {:ok, [SigningKey.t()]} | {:error, store_error()}
   @callback fetch_active_signing_key() :: {:ok, SigningKey.t() | nil} | {:error, store_error()}
   @callback fetch_signing_key_by_id(integer()) ::
               {:ok, SigningKey.t() | nil} | {:error, store_error()}

lib/lockspire/web/live/admin/keys_live/index.ex

@@ -29,6 +29,20 @@ defmodule Lockspire.Web.Live.Admin.KeysLive.Index do
      )}
   end
 
+  @impl true
+  def handle_event("generate", %{"use" => use}, socket) do
+    use_atom = String.to_existing_atom(use)
+
+    case Admin.generate_key(use_atom) do
+      {:ok, _key_view} ->
+        keys = load_keys()
+        {:noreply, assign(socket, keys: keys, total_keys: length(keys))}
+
+      {:error, _reason} ->
+        {:noreply, socket}
+    end
+  end
+
   @impl true
   def render(assigns) do
     ~H"""
@@ -37,6 +51,11 @@ defmodule Lockspire.Web.Live.Admin.KeysLive.Index do
         title="Signing key lifecycle"
         subtitle="Inspect upcoming, active, retiring, and retired keys without exposing raw status editing."
       >
+        <div class="lockspire-admin-actions" style="margin-bottom: 1rem; display: flex; gap: 1rem;">
+          <button phx-click="generate" phx-value-use="sig" class="button">Generate Signing Key</button>
+          <button phx-click="generate" phx-value-use="enc" class="button button-secondary">Generate Encryption Key</button>
+        </div>
+
         <p>Total keys in durable storage: {@total_keys}</p>
 
         <%= if @keys == [] do %>
@@ -50,6 +69,7 @@ defmodule Lockspire.Web.Live.Admin.KeysLive.Index do
               <li>
                 <a href={key_show_path(entry.key.id)}>{entry.key.kid}</a>
                 <span>{entry.key.alg} / {entry.key.kty}</span>
+                <span>Use: {entry.key.use}</span>
                 <AdminComponents.status_badge status={entry.key.status} />
                 <span>JWKS {if entry.publishable, do: "visible", else: "hidden"}</span>
                 <span>Next action {format_actions(entry.next_actions)}</span>