7 changed files with 64 additions and 181 deletions
--- a/fyne_ui.go
+++ b/fyne_ui.go
@ -86,7 +86,7 @@ func NewUI() (stprageDir string, window fyne.Window) {
 // ShowPasswordVaultDialog zobrazí moderní odemykací / registrační dialog s countdown animací při špatném hesle.
 // Callback je zavolán pouze při úspěchu (ne při neplatném hesle). Zrušení vrací password="".
-func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(create bool, password string, commonName string)) {
+func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(create bool, password string)) {
 	modeCreate := false
 	if _, err := os.Stat(vaultPath); err != nil {
 		modeCreate = true
@ -104,8 +104,6 @@ func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(crea
 	createPw1.SetPlaceHolder("Heslo…")
 	createPw2 := widget.NewPasswordEntry()
 	createPw2.SetPlaceHolder("Znovu heslo…")
 	commonNameEntry := widget.NewEntry()
 	commonNameEntry.SetPlaceHolder("Jméno identity (např. Alice)…")
 	strengthBar := widget.NewProgressBar()
 	strengthBar.Min = 0
 	strengthBar.Max = 100
@ -129,7 +127,6 @@ func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(crea
 	// Obě pole stejné šířky – žádné tlačítko uvnitř prvního řádku
 	form := widget.NewForm(
 		widget.NewFormItem("Jméno", commonNameEntry),
 		widget.NewFormItem("Heslo", createPw1),
 		widget.NewFormItem("Potvrzení", createPw2),
 	)
@ -211,7 +208,7 @@ func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(crea
 			return
 		}
 		completed = true
-		onResult(false, pw, "")
+		onResult(false, pw)
 		d.Hide()
 	}
 	createBtn.OnTapped = func() {
@ -227,8 +224,7 @@ func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(crea
 			return
 		}
 		completed = true
-		cn := strings.TrimSpace(commonNameEntry.Text)
+		onResult(true, pw1)
 		onResult(true, pw1, cn)
 		d.Hide()
 	}
 	body := container.NewVBox(header, container.NewPadded(stack), statusLabel)
@ -238,7 +234,7 @@ func ShowPasswordVaultDialog(w fyne.Window, vaultPath string, onResult func(crea
 			close(countdownCancel)
 		}
 		if !completed {
-			onResult(false, "", "")
+			onResult(false, "")
 		}
 	})
 	d.Resize(fyne.NewSize(480, 320))
--- a/go.mod
+++ b/go.mod
@ -4,10 +4,7 @@ go 1.24.0
 require (
 	fyne.io/fyne/v2 v2.6.3
 	github.com/liyue201/goqr v0.0.0-20200803022322-df443203d4ea
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/spf13/cobra v1.10.1
 	golang.org/x/crypto v0.42.0
 )
 require (
@ -31,15 +28,18 @@ require (
 	github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade // indirect
 	github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/liyue201/goqr v0.0.0-20200803022322-df443203d4ea // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nicksnyder/go-i18n/v2 v2.5.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rymdport/portal v0.4.1 // indirect
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/image v0.24.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -84,10 +84,16 @@ golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
 golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
 golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
 golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
 golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
 golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/lib/crypto_storage.go
+++ b/lib/crypto_storage.go
@ -100,7 +100,7 @@ const (
 )
 // CreateEncryptedStore vytvoří nový soubor; error pokud již existuje.
-func CreateEncryptedStore(path, password string, generateIdentity bool, commonName string) (SecureJSONStore, error) {
+func CreateEncryptedStore(path, password string, generateIdentity bool) (SecureJSONStore, error) {
 	if err := validatePasswordStrength(password); err != nil {
 		return nil, err
 	}
@ -116,7 +116,7 @@ func CreateEncryptedStore(path, password string, generateIdentity bool, commonNa
 		kdfP:  defaultKDFP,
 		plain: internalPlain{Updated: time.Now().UTC(), Data: make(map[string]json.RawMessage)},
 	}
-	if err := s.initNew(password, generateIdentity, commonName); err != nil {
+	if err := s.initNew(password, generateIdentity); err != nil {
 		return nil, err
 	}
 	if err := s.Flush(); err != nil {
@ -141,7 +141,7 @@ func OpenEncryptedStore(path, password string) (SecureJSONStore, error) {
 }
 // initNew vytvoří salt, odvodí klíč a vytvoří identitu pokud je třeba.
-func (s *secureJSONStore) initNew(password string, generateIdentity bool, commonName string) error {
+func (s *secureJSONStore) initNew(password string, generateIdentity bool) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	salt := make([]byte, 16)
@ -155,14 +155,14 @@ func (s *secureJSONStore) initNew(password string, generateIdentity bool, common
 	s.salt = salt
 	s.key = key
 	if generateIdentity {
-		if err := s.generateIdentityLocked(commonName); err != nil {
+		if err := s.generateIdentityLocked(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
-func (s *secureJSONStore) generateIdentityLocked(commonName string) error {
+func (s *secureJSONStore) generateIdentityLocked() error {
 	// RSA 2048
 	pk, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@ -171,11 +171,8 @@ func (s *secureJSONStore) generateIdentityLocked(commonName string) error {
 	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(pk)})
 	pubASN1, _ := x509.MarshalPKIXPublicKey(&pk.PublicKey)
 	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubASN1})
-	// Optional self-signed cert s CommonName uživatele (fallback pokud prázdný)
+	// Optional self-signed cert s rozumným CommonName (lze upravit později UI)
-	if strings.TrimSpace(commonName) == "" {
+	certPEM, _ := generateSelfSignedCert(pk, "Local User")
 		commonName = "Local User"
 	}
 	certPEM, _ := generateSelfSignedCert(pk, commonName)
 	_ = s.putLocked("_identity_private_pem", string(privPEM))
 	_ = s.putLocked("_identity_public_pem", string(pubPEM))
 	_ = s.putLocked("_identity_cert_pem", string(certPEM))
--- a/main.go
+++ b/main.go
@ -47,7 +47,7 @@ func runFyne() {
 	w.SetContent(placeholder)
 	showDialog := func() {
-		ShowPasswordVaultDialog(w, vaultPath, func(create bool, password string, commonName string) {
+		ShowPasswordVaultDialog(w, vaultPath, func(create bool, password string) {
 			if password == "" { // Cancel nebo zavření dialogu => ukonči app
 				fyne.CurrentApp().Quit()
 				return
@ -55,7 +55,7 @@ func runFyne() {
 			var store encrypt.SecureJSONStore
 			var err error
 			if create {
-				store, err = encrypt.CreateEncryptedStore(vaultPath, password, true, commonName)
+				store, err = encrypt.CreateEncryptedStore(vaultPath, password, true)
 			} else {
 				store, err = encrypt.OpenEncryptedStore(vaultPath, password)
 				if err != nil {
@ -95,7 +95,7 @@ func RunWebApp() {
 	}
 	var store encrypt.SecureJSONStore
 	if _, statErr := os.Stat(vaultPath); os.IsNotExist(statErr) {
-		s, err := encrypt.CreateEncryptedStore(vaultPath, pw, true, "")
+		s, err := encrypt.CreateEncryptedStore(vaultPath, pw, true)
 		if err != nil {
 			log.Fatal(err)
 		}
--- a/ui.go
+++ b/ui.go
@ -36,9 +36,6 @@ type uiParts struct {
 	showPeerQR    bool
 	payloadQR     *canvas.Image
 	showPayloadQR bool
 	peerContactID string // ID kontaktu vloženého do šifrování (pro přesnou identifikaci i při duplicitním CN)
 	// callback nastavený v buildEncryptTab pro aktualizaci hlavičky peeru z jiných tabů (kontakty)
 	updatePeerInfo func()
 }
 func buildEntries() *uiParts {
@ -265,47 +262,6 @@ func copyClip(s string, parts *uiParts) {
 func buildEncryptTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 	parts.cipherOut.Disable()
 	// Jeden společný dynamický label (zabrání rozlámaní po znacích)
 	peerHeaderLabel := widget.NewLabel("Veřejný klíč příjemce:")
 	peerHeaderLabel.Wrapping = fyne.TextWrapOff
 	// helper: najde kontakt podle přesného matchu certu/public key (nebo substringu) a vrátí zobrazení
 	updatePeerInfo := func() {
 		text := strings.TrimSpace(parts.peer.Text)
 		if text == "" {
 			peerHeaderLabel.SetText("Veřejný klíč příjemce:")
 			return
 		}
 		cn := extractCN(text)
 		var contactName string
 		if list, err := svc.ListContacts(); err == nil {
 			for _, c := range list {
 				if parts.peerContactID != "" && c.ID == parts.peerContactID { // prefer explicit ID
 					contactName = c.Name
 					break
 				}
 				if c.Cert == text { // přesný match obsahu
 					contactName = c.Name
 					parts.peerContactID = c.ID
 					break
 				}
 				if contactName == "" && parts.peerContactID == "" && cn != "" && extractCN(c.Cert) == cn { // fallback podle CN
 					contactName = c.Name
 					parts.peerContactID = c.ID
 				}
 			}
 		}
 		var suffix string
 		if contactName != "" && cn != "" {
 			suffix = fmt.Sprintf(" %s (%s)", contactName, cn)
 		} else if contactName != "" {
 			suffix = " " + contactName
 		} else if cn != "" {
 			suffix = " CN: " + cn
 		}
 		peerHeaderLabel.SetText("Veřejný klíč příjemce:" + suffix)
 	}
 	// Peer section with QR/Text toggle
 	peerContainer := container.NewVBox()
 	peerToggleAction := widget.NewToolbarAction(theme.VisibilityOffIcon(), nil)
@ -457,13 +413,12 @@ func buildEncryptTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 		if parts.showPeerQR {
 			updatePeerQR(parts.peer.Text)
 		}
 		updatePeerInfo()
 		encAction()
 	}
 	// Sections
 	peerSection := container.NewVBox(
-		container.NewHBox(peerHeaderLabel, layout.NewSpacer(), peerToolbar),
+		container.NewHBox(widget.NewLabel("Veřejný klíč příjemce"), layout.NewSpacer(), peerToolbar),
 		peerContainer,
 	)
 	msgSection := container.NewVBox(
@ -482,10 +437,6 @@ func buildEncryptTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 		peerSection,
 		split,
 	)
 	// expose callback pro ostatní taby (Kontakty -> Použít ve Šifrování)
 	parts.updatePeerInfo = updatePeerInfo
 	// počáteční pokus o naplnění labelu pokud něco už je
 	updatePeerInfo()
 	return group
 }
@ -691,13 +642,7 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 					if strings.TrimSpace(name) == "" {
 						name = "(nový)"
 					}
-					// include CN from draft cert if any
+					o.(*widget.Label).SetText("✳ " + name + " (nový)")
 					cn := extractCN(draft.Cert)
 					if cn != "" {
 						o.(*widget.Label).SetText(fmt.Sprintf("✳ %s (nový) (%s)", name, cn))
 					} else {
 						o.(*widget.Label).SetText("✳ " + name + " (nový)")
 					}
 					return
 				}
 				// shift index for real contacts
@ -707,12 +652,7 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 					if name == "" {
 						name = "(bez názvu)"
 					}
-					cn := extractCN(filtered[real].Cert)
+					o.(*widget.Label).SetText(name)
 					if cn != "" {
 						o.(*widget.Label).SetText(fmt.Sprintf("%s (%s)", name, cn))
 					} else {
 						o.(*widget.Label).SetText(name)
 					}
 				}
 				return
 			}
@ -722,12 +662,7 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 				if name == "" {
 					name = "(bez názvu)"
 				}
-				cn := extractCN(filtered[i].Cert)
+				o.(*widget.Label).SetText(name)
 				if cn != "" {
 					o.(*widget.Label).SetText(fmt.Sprintf("%s (%s)", name, cn))
 				} else {
 					o.(*widget.Label).SetText(name)
 				}
 			}
 		},
 	)
@ -756,20 +691,12 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 	certEntry := widget.NewMultiLineEntry()
 	certEntry.SetMinRowsVisible(8)
 	certEntry.Wrapping = fyne.TextWrapWord
 	// (Původní okamžité dotazování na CN při vložení zrušeno – nyní se ptáme až při ukládání)
 	// Detail toolbar
 	pasteAction := widget.NewToolbarAction(theme.ContentPasteIcon(), func() {
 		clip := fyne.CurrentApp().Clipboard().Content()
 		if strings.TrimSpace(clip) == "" {
 			parts.showToast("Schránka prázdná")
 			return
 		}
 		certEntry.SetText(clip)
 		parts.showToast("Vloženo ze schránky")
 	})
 	certToolbar := widget.NewToolbar(
 		widget.NewToolbarAction(theme.ContentCopyIcon(), func() { copyClip(certEntry.Text, parts) }),
-		pasteAction,
+		widget.NewToolbarAction(theme.ContentPasteIcon(), func() {
 			certEntry.SetText(fyne.CurrentApp().Clipboard().Content())
 		}),
 		widget.NewToolbarAction(theme.ContentClearIcon(), func() { certEntry.SetText("") }),
 	)
 	// helper pro generování default názvu
@ -808,67 +735,32 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 			parts.showToast("Chybí cert")
 			return
 		}
-		cn := extractCN(cert)
+		if name == "" || name == "Kontakt" || name == "Nový kontakt" {
-		// always ask if CN exists and (a) name empty/reserved OR (b) name differs from CN
+			name = makeDefaultName()
 		shouldAsk := cn != "" && (name == "" || name == "Kontakt" || name == "Nový kontakt" || name != cn)
 		proceed := func(finalName string) {
 			if finalName == "" || finalName == "Kontakt" || finalName == "Nový kontakt" {
 				finalName = makeDefaultName()
 			}
 			if draft != nil { // saving draft as new contact
 				_ = svc.SaveContact(Contact{Name: finalName, Cert: cert})
 				draft = nil
 				searchQuery = "" // clear filter to show new
 				search.SetText("")
 			} else if selected < 0 || selected >= len(filtered) { // new without draft (fallback)
 				_ = svc.SaveContact(Contact{Name: finalName, Cert: cert})
 				searchQuery = ""
 				search.SetText("")
 			} else { // update existing
 				c := filtered[selected]
 				c.Name = finalName
 				c.Cert = cert
 				_ = svc.SaveContact(c)
 			}
 			load()
 			applyFilter(searchQuery)
 			list.Refresh()
 			updateEmptyState()
 			parts.showToast("Uloženo")
 		}
-		if shouldAsk {
+		if draft != nil { // saving draft as new contact
-			// build message depending on situation
+			_ = svc.SaveContact(Contact{Name: name, Cert: cert})
-			msg := fmt.Sprintf("Certifikát obsahuje Common Name:\n\n%s\n\nPoužít ho jako název kontaktu? (Aktuálně: %q)", cn, name)
+			draft = nil
-			dialog.NewCustomConfirm("Common Name", "Použít", "Ponechat", widget.NewLabel(msg), func(ok bool) {
+			searchQuery = "" // clear filter to show new
-				if ok {
+			search.SetText("")
-					proceed(cn)
+		} else if selected < 0 || selected >= len(filtered) { // new without draft (fallback)
-				} else {
+			_ = svc.SaveContact(Contact{Name: name, Cert: cert})
-					proceed(name)
+			searchQuery = ""
-				}
+			search.SetText("")
-			}, fyne.CurrentApp().Driver().AllWindows()[0]).Show()
+		} else { // update existing
-			return
+			c := filtered[selected]
 			c.Name = name
 			c.Cert = cert
 			_ = svc.SaveContact(c)
 		}
-		proceed(name)
+		load()
 		applyFilter(searchQuery)
 		list.Refresh()
 		updateEmptyState()
 		parts.showToast("Uloženo")
 	})
 	useBtn := widget.NewButtonWithIcon("Použít ve Šifrování", theme.ConfirmIcon(), func() {
-		// Určit aktuální kontakt (draft nebo vybraný reálný)
+		parts.peer.SetText(certEntry.Text)
 		var currentID string
 		if draft != nil && selected == -1 {
 			currentID = draft.ID
 		} else if selected >= 0 && selected < len(filtered) {
 			currentID = filtered[selected].ID
 		}
 		// Vždy vynutit změnu: smazat a hned nastavit
 		parts.peer.SetText("")
 		parts.peerContactID = "" // reset aby updatePeerInfo neukazoval staré jméno
 		fyne.Do(func() {
 			parts.peer.SetText(certEntry.Text)
 			parts.peerContactID = currentID
 			// Force refresh hlavičky peeru i v případě, že se formát certu liší (trim apod.)
 			if parts.updatePeerInfo != nil {
 				parts.updatePeerInfo()
 			}
 		})
 		parts.showToast("Kontakt vložen do Šifrování")
 	})
@ -939,10 +831,6 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 		draft = &Contact{ID: "__draft__", Name: makeDefaultName(), Cert: ""}
 		nameEntry.SetText(draft.Name)
 		certEntry.SetText("")
 		// Pokud je ve schránce PEM / CERT, automaticky ho vlož
 		if clip := fyne.CurrentApp().Clipboard().Content(); strings.Contains(clip, "BEGIN ") && strings.Contains(clip, "PUBLIC") || strings.Contains(clip, "CERTIFICATE") {
 			certEntry.SetText(clip)
 		}
 		// auto select all text in name so user can immediately přepsat
 		fyne.CurrentApp().Driver().CanvasForObject(nameEntry).Focus(nameEntry)
 		nameEntry.TypedShortcut(&fyne.ShortcutSelectAll{})
@ -963,10 +851,12 @@ func buildContactsTab(parts *uiParts, svc ServiceFacade) fyne.CanvasObject {
 			defer r.Close()
 			b, _ := io.ReadAll(r)
 			txt := string(b)
-			certEntry.SetText(txt) // OnChanged will offer CN usage if present
+			nm := extractCN(txt)
-			if extractCN(txt) == "" && strings.TrimSpace(nameEntry.Text) == "" {
+			if nm == "" {
-				nameEntry.SetText("Nový kontakt")
+				nm = "Nový kontakt"
 			}
 			nameEntry.SetText(nm)
 			certEntry.SetText(txt)
 			selected = -1
 		}, fyne.CurrentApp().Driver().AllWindows()[0])
 		fd.Show()
--- a/vault_service.go
+++ b/vault_service.go
@ -166,20 +166,14 @@ func generateUniqueContactID(existing []Contact) string {
 }
 func extractCN(pemText string) string {
-	// Support multiple concatenated PEM blocks (public key + cert, or chain)
+	block, _ := pem.Decode([]byte(pemText))
-	rest := []byte(pemText)
+	if block == nil {
-	for len(rest) > 0 {
+		return ""
-		var block *pem.Block
+	}
-		block, rest = pem.Decode(rest)
+	if block.Type == "CERTIFICATE" {
-		if block == nil {
+		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
-			break
+			return cert.Subject.CommonName
 		}
 		if block.Type == "CERTIFICATE" {
 			if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
 				return cert.Subject.CommonName
 			}
 		}
 		// continue to next block until certificate found
 	}
 	return ""
 }