Switch to structured "Name" type for certificates and CAs

Replaced plain strings with a new `Name` type containing `cn` (common name) and optional `ou` (organizational unit). Updated frontend components and backend handling to reflect this change, including database, API, and test adjustments. Added support for displaying and optionally editing the `ou` field in relevant forms.

Fixes: #114

Author: Emily Ehlert

backend/src/api.rs

@@ -14,7 +14,7 @@ use crate::constants::VAULTLS_VERSION;
 use crate::data::api::{CallbackQuery, ChangePasswordRequest, CreateCARequest, CreateUserCertificateRequest, CreateUserRequest, DownloadResponse, IsSetupResponse, LoginRequest, SetupRequest};
 use crate::data::enums::{CAType, CertificateType, PasswordRule, TimespanUnit, UserRole};
 use crate::data::error::ApiError;
-use crate::data::objects::{AppState, User};
+use crate::data::objects::{AppState, Name, User};
 use crate::notification::mail::{MailMessage, Mailer};
     use crate::settings::{FrontendSettings, InnerSettings};
 
@@ -83,8 +83,12 @@ pub(crate) async fn setup(
 
     let cert_validity = setup_req.validity_duration.unwrap_or(5);
     let cert_validity_unit = setup_req.validity_unit.unwrap_or(TimespanUnit::Year);
+    let name = Name {
+        cn: setup_req.ca_name.clone(),
+        ou: None
+    };
     let mut ca = TLSCertificateBuilder::new()?
-        .set_name(&setup_req.ca_name)?
+        .set_name(name)?
         .set_valid_until(cert_validity, cert_validity_unit)?
         .build_ca()?;
     ca = state.db.insert_ca(ca).await?;
@@ -292,13 +296,13 @@ pub(crate) async fn create_ca(
             let cert_validity = payload.validity_duration.unwrap_or(5);
             let cert_validity_unit = payload.validity_unit.unwrap_or(TimespanUnit::Year);
             TLSCertificateBuilder::new()?
-                .set_name(&payload.ca_name)?
+                .set_name(payload.ca_name.clone())?
                 .set_valid_until(cert_validity, cert_validity_unit)?
                 .build_ca()?
         },
         CAType::SSH => {
             SSHCertificateBuilder::new()?
-                .set_name(&payload.ca_name)?
+                .set_name(&payload.ca_name.cn)?
                 .build_ca()?
         }
     };
@@ -330,7 +334,7 @@ pub(crate) async fn create_user_certificate(
 
     cert = state.db.insert_user_cert(cert).await?;
 
-    info!(cert=cert.name, "New certificate created.");
+    info!(cert=cert.name.cn, "New certificate created.");
     trace!("{:?}", cert);
 
     if payload.notify_user == Some(true) {
@@ -430,7 +434,7 @@ fn build_ssh_cert(
     is_client: bool,
 ) -> Result<Certificate, ApiError> {
     let mut cert_builder = SSHCertificateBuilder::new()?
-        .set_name(&payload.cert_name)?
+        .set_name(&payload.cert_name.cn)?
         .set_valid_until(validity_duration, validity_unit)?
         .set_renew_method(payload.renew_method.unwrap_or_default())?
         .set_ca(ca)?
@@ -461,7 +465,7 @@ async fn build_tls_cert(
     is_client: bool,
 ) -> Result<Certificate, ApiError> {
     let mut cert_builder = TLSCertificateBuilder::new()?
-        .set_name(&payload.cert_name)?
+        .set_name(payload.cert_name.clone())?
         .set_valid_until(validity_duration, validity_unit)?
         .set_renew_method(payload.renew_method.unwrap_or_default())?
         .set_password(pkcs12_password)?

backend/src/certs/common.rs

@@ -2,12 +2,13 @@ use rocket::serde::{Deserialize, Serialize};
 use rocket_okapi::JsonSchema;
 use passwords::PasswordGenerator;
 use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType};
+use crate::data::objects::Name;
 
 #[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
 /// Certificate can be either SSH or TLS certificate.
 pub struct Certificate {
     pub id: i64,
-    pub name: String,
+    pub name: Name,
     pub created_on: i64,
     pub valid_until: i64,
     pub certificate_type: CertificateType,
@@ -23,7 +24,7 @@ pub struct Certificate {
 #[derive(Clone, Serialize, Deserialize, JsonSchema, Debug)]
 pub struct CA {
     pub id: i64,
-    pub name: String,
+    pub name: Name,
     pub created_on: i64,
     pub valid_until: i64,
     pub ca_type: CAType,

backend/src/certs/ssh_cert.rs

@@ -63,7 +63,7 @@ impl SSHCertificateBuilder {
         self.principals = principals
             .iter()
             .filter(|principal| !principal.is_empty())
-            .map(|principal| principal.clone())
+            .cloned()
             .collect();
         Ok(self)
     }
@@ -96,9 +96,11 @@ impl SSHCertificateBuilder {
         let ca_key = PrivateKey::random(&mut OsRng, Algorithm::Ed25519)?;
         let key = ca_key.to_bytes()?.to_vec();
 
+        let name = self.name.unwrap_or_else(|| "CA".to_string()).into();
+
         Ok(CA{
             id: -1,
-            name: self.name.unwrap_or_else(|| "CA".to_string()),
+            name,
             created_on: self.created_on,
             valid_until: -1,
             ca_type: SSH,
@@ -146,7 +148,7 @@ impl SSHCertificateBuilder {
 
         Ok(Certificate {
             id: -1,
-            name,
+            name: name.into(),
             created_on: self.created_on,
             valid_until,
             certificate_type: CertificateType::SSHClient,
@@ -189,7 +191,7 @@ impl SSHCertificateBuilder {
 
         Ok(Certificate {
             id: -1,
-            name,
+            name: name.into(),
             created_on: self.created_on,
             valid_until,
             certificate_type: CertificateType::SSHServer,

backend/src/certs/tls_cert.rs

@@ -22,13 +22,14 @@ use crate::data::enums::CertificateType::{TLSClient, TLSServer};
 use crate::ApiError;
 use crate::certs::common::{Certificate, CA};
 use crate::data::enums::CAType::TLS;
+use crate::data::objects::Name;
 
 pub struct TLSCertificateBuilder {
     x509: X509Builder,
     private_key: PKey<Private>,
     created_on: i64,
     valid_until: Option<i64>,
-    name: Option<String>,
+    name: Option<Name>,
     pkcs12_password: String,
     ca: Option<(i64, X509, PKey<Private>)>,
     user_id: Option<i64>,
@@ -70,7 +71,7 @@ impl TLSCertificateBuilder {
         let validity_d = ((old_cert.valid_until - old_cert.created_on) / 1000 / 60 / 60 / 24).max(14);
 
         Self::new()?
-            .set_name(&old_cert.name)?
+            .set_name(old_cert.name.clone())?
             .set_valid_until(validity_d as u64, TimespanUnit::Day)?
             .set_password(&old_cert.password)?
             .set_renew_method(old_cert.renew_method)?
@@ -84,16 +85,16 @@ impl TLSCertificateBuilder {
         let validity_h = ((old_ca.valid_until - old_ca.created_on) / 1000 / 60 / 60 / 24).max(14);
 
         Self::new()?
-            .set_name(&old_ca.name)?
+            .set_name(old_ca.name.clone())?
             .set_valid_until(validity_h as u64, TimespanUnit::Day)?
             .build_ca()
 
     }
 
-    pub fn set_name(mut self, name: &str) -> Result<Self, anyhow::Error> {
-        self.name = Some(name.to_string());
-        let common_name = create_cn(name)?;
+    pub fn set_name(mut self, name: Name) -> Result<Self, anyhow::Error> {
+        let common_name = create_cn(&name)?;
         self.x509.set_subject_name(&common_name)?;
+        self.name = Some(name);
         Ok(self)
     }
 
@@ -230,7 +231,7 @@ impl TLSCertificateBuilder {
         ca_stack.push(ca_cert.clone())?;
 
         let pkcs12 = Pkcs12::builder()
-            .name(&name)
+            .name(&name.cn)
             .ca(ca_stack)
             .cert(&cert)
             .pkey(&self.private_key)
@@ -298,9 +299,12 @@ fn generate_private_key() -> Result<PKey<Private>, ErrorStack> {
     Ok(server_key)
 }
 
-fn create_cn(ca_name: &str) -> Result<X509Name, ErrorStack> {
+fn create_cn(name: &Name) -> Result<X509Name, ErrorStack> {
     let mut name_builder = X509NameBuilder::new()?;
-    name_builder.append_entry_by_text("CN", ca_name)?;
+    name_builder.append_entry_by_text("CN", &name.cn)?;
+    if let Some(ref ou) = name.ou {
+        name_builder.append_entry_by_text("OU", ou)?;
+    }
     let name = name_builder.build();
     Ok(name)
 }

backend/src/data/api.rs

@@ -9,6 +9,7 @@ use rocket_okapi::{okapi, JsonSchema, OpenApiError};
 use rocket_okapi::okapi::openapi3::{Responses, Response as OAResponse, MediaType, RefOr};
 use rocket_okapi::response::OpenApiResponderInner;
 use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType, TimespanUnit, UserRole};
+use crate::data::objects::Name;
 
 #[derive(Serialize, Deserialize, JsonSchema)]
 pub struct IsSetupResponse {
@@ -47,15 +48,15 @@ pub struct CallbackQuery {
 
 #[derive(Serialize, Deserialize, JsonSchema)]
 pub struct CreateCARequest {
-    pub ca_name: String,
+    pub ca_name: Name,
     pub ca_type: CAType,
     pub validity_duration: Option<u64>,
     pub validity_unit: Option<TimespanUnit>,
 }
 
 #[derive(Serialize, Deserialize, JsonSchema, Debug)]
 pub struct CreateUserCertificateRequest {
-    pub cert_name: String,
+    pub cert_name: Name,
     pub validity_duration: Option<u64>,
     pub validity_unit: Option<TimespanUnit>,
     pub user_id: i64,

backend/src/data/objects.rs

@@ -1,7 +1,10 @@
+use std::fmt;
 use crate::helper;
 use std::sync::Arc;
 use rocket::serde::{Deserialize, Serialize};
 use rocket_okapi::JsonSchema;
+use rusqlite::ToSql;
+use rusqlite::types::{FromSql, FromSqlError, FromSqlResult, ToSqlOutput, ValueRef};
 use tokio::sync::Mutex;
 use crate::auth::oidc_auth::OidcAuth;
 use crate::auth::password_auth::Password;
@@ -29,4 +32,56 @@ pub struct User {
     #[serde(skip)]
     pub oidc_id: Option<String>,
     pub role: UserRole
+}
+
+#[derive(Default, Deserialize, Serialize, JsonSchema, Debug, Clone, PartialEq)]
+pub struct Name {
+    pub cn: String,
+    pub ou: Option<String>
+}
+
+impl ToSql for Name {
+    fn to_sql(&self) -> rusqlite::Result<ToSqlOutput<'_>> {
+        let mut serialized = self.cn.clone();
+        serialized.push('\0');
+        if let Some(ou) = &self.ou {
+            serialized.push_str(ou);
+        }
+        Ok(ToSqlOutput::from(serialized))
+    }
+}
+
+impl FromSql for Name {
+    fn column_result(value: ValueRef<'_>) -> FromSqlResult<Self> {
+        let bytes = value.as_str()?;
+        let parts: Vec<&str> = bytes.split('\0').collect();
+
+        if parts.is_empty() {
+            return Err(FromSqlError::InvalidType);
+        }
+
+        let cn = parts[0].to_string();
+        let ou = parts.get(1).and_then(|s| if s.is_empty() { None } else { Some(s.to_string()) });
+
+
+        Ok(Name { cn, ou })
+    }
+}
+
+impl fmt::Display for Name {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self.cn)
+    }
+}
+
+impl From<String> for Name {
+    fn from(value: String) -> Self {
+        Self{cn: value, ou: None}
+    }
+}
+
+impl From<&str> for Name {
+    fn from(value: &str) -> Self {
+        value.to_string().into()
+    }
 }

backend/src/db.rs

@@ -1,6 +1,6 @@
 use crate::constants::{DB_FILE_PATH, TEMP_DB_FILE_PATH};
 use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType, UserRole};
-use crate::data::objects::User;
+use crate::data::objects::{Name, User};
 use crate::helper::get_secret;
 use anyhow::anyhow;
 use anyhow::Result;
@@ -301,7 +301,7 @@ impl VaulTLSDB {
 
     /// Retrieve the certificate's cert data with id from the database
     /// Returns the id of the user the certificate belongs to and the cert data
-    pub(crate) async fn get_user_cert_data(&self, id: i64) -> Result<(i64, String, Vec<u8>, CertificateType)> {
+    pub(crate) async fn get_user_cert_data(&self, id: i64) -> Result<(i64, Name, Vec<u8>, CertificateType)> {
         db_do!(self.pool, |conn: &Connection| {
             let mut stmt = conn.prepare("SELECT user_id, name, data, type FROM user_certificates WHERE id = ?1")?;
 

backend/tests/api/api_test_functionality.rs

@@ -147,7 +147,7 @@ async fn test_create_client_certificate() -> Result<()> {
     let valid_until = get_timestamp_ms(1);
 
     assert_eq!(cert.id, 1);
-    assert_eq!(cert.name, TEST_CLIENT_CERT_NAME);
+    assert_eq!(cert.name, TEST_CLIENT_CERT_NAME.into());
     assert!(now > cert.created_on && cert.created_on > now - 10000 /* 10 seconds */);
     assert!(valid_until > cert.valid_until && cert.valid_until > valid_until - 10000 /* 10 seconds */);
     assert_eq!(cert.certificate_type, CertificateType::TLSClient);
@@ -175,7 +175,7 @@ async fn test_fetch_client_certificates() -> Result<()> {
     let valid_until = get_timestamp_ms(1);
 
     assert_eq!(cert.id, 1);
-    assert_eq!(cert.name, TEST_CLIENT_CERT_NAME);
+    assert_eq!(cert.name, TEST_CLIENT_CERT_NAME.into());
     assert!(now > cert.created_on && cert.created_on > now - 10000 /* 10 seconds */);
     assert!(valid_until > cert.valid_until && cert.valid_until > valid_until - 10000 /* 10 seconds */);
     assert_eq!(cert.certificate_type, CertificateType::TLSClient);
@@ -364,7 +364,7 @@ async fn test_create_new_ca() -> Result<()> {
     let valid_until = get_timestamp_ms(15);
 
     assert_eq!(new_cas.len(), 2);
-    assert_eq!(new_cas[1].name, TEST_SECOND_CA_NAME.to_string());
+    assert_eq!(new_cas[1].name, TEST_SECOND_CA_NAME.to_string().into());
     assert_eq!(new_cas[1].id, 2);
     assert!(now >= new_cas[1].created_on && new_cas[1].created_on > now - 10000 /* 10 seconds */);
     assert!(valid_until >= new_cas[1].valid_until && new_cas[1].valid_until > valid_until - 10000 /* 10 seconds */);
@@ -404,7 +404,7 @@ async fn test_create_certificate_with_short_lived_ca() -> Result<()> {
     let client = VaulTLSClient::new_authenticated().await;
 
     let cert_req = CreateUserCertificateRequest {
-        cert_name: TEST_CLIENT_CERT_NAME.to_string(),
+        cert_name: TEST_CLIENT_CERT_NAME.into(),
         validity_duration: Some(2),
         validity_unit: Some(TimespanUnit::Year),
         user_id: 1,
@@ -457,7 +457,7 @@ async fn test_create_ssh_ca() -> Result<()> {
     let now = get_timestamp_ms(0);
 
     assert_eq!(ca.id, 2);
-    assert_eq!(ca.name, TEST_SSH_CA_NAME);
+    assert_eq!(ca.name, TEST_SSH_CA_NAME.into());
     assert!(now > ca.created_on && ca.created_on > now - 10000 /* 10 seconds */);
     assert_eq!(ca.ca_type, CAType::SSH);
     Ok(())
@@ -473,7 +473,7 @@ async fn test_create_ssh_client_certificate() -> Result<()> {
     let valid_until = get_timestamp_ms(1);
 
     assert_eq!(cert.id, 1);
-    assert_eq!(cert.name, TEST_SSH_CLIENT_CERT_NAME);
+    assert_eq!(cert.name, TEST_SSH_CLIENT_CERT_NAME.into());
     assert!(now > cert.created_on && cert.created_on > now - 10000 /* 10 seconds */);
     assert!(valid_until > cert.valid_until && cert.valid_until > valid_until - 10000 /* 10 seconds */);
     assert_eq!(cert.certificate_type, CertificateType::SSHClient);