Principal Service: Add support for multiple user accounts

services/vanadium/security/wire_blessings.go

Index: services/vanadium/security/wire_blessings.go
diff --git a/services/vanadium/security/wire_blessings.go b/services/vanadium/security/wire_blessings.go
index b724000ceea1ea593829cdf62295e17b982a2a1c..efb0fb51794a3712300075d988f9784491e64356 100644
--- a/services/vanadium/security/wire_blessings.go
+++ b/services/vanadium/security/wire_blessings.go
@@ -54,14 +54,19 @@ type caveat struct {
 	ParamVom []byte   // VOM-encoded bytes of the parameters to be provided to the validation function.
 }
 
-func newBlessing(wb *wireBlessings) *vpkg.Blessing {
+func newBlessing(wb *wireBlessings) vpkg.Blessing {
+	if wb == nil || len(wb.CertificateChains) == 0 {
+		return vpkg.Blessing{}
+	}
 	// TODO(ataly, gauthamt): Below we only consider the first certificate chain
 	// in the wireBlessings object. We should handle the case when the wireBlessings
-	// object has more than one certificate chain.
-	// TODO(ataly, gauthamt): We should validate all caveats present in the certificates.
+	// object has more than one certificate chain. This issue would become moot
+	// if the vpkg.Blessing type matched the wireBlessing type.
+	// TODO(ataly, gauthamt): We should validate all caveats present in the
+	// certificates.
 	var chain []vpkg.Certificate
 	for _, c := range wb.CertificateChains[0] {
 		chain = append(chain, vpkg.Certificate{Extension: c.Extension})
 	}
-	return &vpkg.Blessing{chain}
+	return vpkg.Blessing{chain}
 }