// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// This file was auto-generated by the vanadium vdl tool.
// Package: security

package security

import (
	"fmt"
	"time"
	"v.io/v23/context"
	"v.io/v23/i18n"
	"v.io/v23/uniqueid"
	"v.io/v23/vdl"
	vdltime "v.io/v23/vdlroot/time"
	"v.io/v23/verror"
	"v.io/v23/vom"
)

var _ = __VDLInit() // Must be first; see __VDLInit comments for details.

//////////////////////////////////////////////////
// Type definitions

type nonce [16]byte

func (nonce) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.nonce"`
}) {
}

func (x nonce) VDLIsZero() bool {
	return x == nonce{}
}

func (x nonce) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_array_1); err != nil {
		return err
	}
	if err := enc.EncodeBytes([]byte(x[:])); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *nonce) VDLRead(dec vdl.Decoder) error {
	if err := dec.StartValue(__VDLType_array_1); err != nil {
		return err
	}
	bytes := x[:]
	if err := dec.DecodeBytes(16, &bytes); err != nil {
		return err
	}
	return dec.FinishValue()
}

// Caveat is a condition on the validity of a blessing/discharge.
//
// These conditions are provided when asking a principal to create
// a blessing/discharge and are verified when extracting blessings
// (Blessings.ForName in the Go API).
//
// Given a Hash, the message digest of a caveat is:
// Hash(Hash(Id), Hash(ParamVom))
type Caveat struct {
	Id       uniqueid.Id // The identifier of the caveat validation function.
	ParamVom []byte      // VOM-encoded bytes of the parameters to be provided to the validation function.
}

func (Caveat) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.Caveat"`
}) {
}

func (x Caveat) VDLIsZero() bool {
	if x.Id != (uniqueid.Id{}) {
		return false
	}
	if len(x.ParamVom) != 0 {
		return false
	}
	return true
}

func (x Caveat) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_2); err != nil {
		return err
	}
	if x.Id != (uniqueid.Id{}) {
		if err := enc.NextField("Id"); err != nil {
			return err
		}
		if err := x.Id.VDLWrite(enc); err != nil {
			return err
		}
	}
	if len(x.ParamVom) != 0 {
		if err := enc.NextField("ParamVom"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.ParamVom); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *Caveat) VDLRead(dec vdl.Decoder) error {
	*x = Caveat{}
	if err := dec.StartValue(__VDLType_struct_2); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Id":
			if err := x.Id.VDLRead(dec); err != nil {
				return err
			}
		case "ParamVom":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.ParamVom); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// ThirdPartyRequirements specifies the information required by the third-party
// that will issue discharges for third-party caveats.
//
// These requirements are typically used to construct a DischargeImpetus, which
// will be sent to the third-party.
type ThirdPartyRequirements struct {
	ReportServer    bool // The blessings presented by the server of an IPC call.
	ReportMethod    bool // The name of the method being invoked.
	ReportArguments bool // Arguments to the method being invoked.
}

func (ThirdPartyRequirements) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.ThirdPartyRequirements"`
}) {
}

func (x ThirdPartyRequirements) VDLIsZero() bool {
	return x == ThirdPartyRequirements{}
}

func (x ThirdPartyRequirements) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_5); err != nil {
		return err
	}
	if x.ReportServer {
		if err := enc.NextField("ReportServer"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.BoolType); err != nil {
			return err
		}
		if err := enc.EncodeBool(x.ReportServer); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.ReportMethod {
		if err := enc.NextField("ReportMethod"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.BoolType); err != nil {
			return err
		}
		if err := enc.EncodeBool(x.ReportMethod); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.ReportArguments {
		if err := enc.NextField("ReportArguments"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.BoolType); err != nil {
			return err
		}
		if err := enc.EncodeBool(x.ReportArguments); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *ThirdPartyRequirements) VDLRead(dec vdl.Decoder) error {
	*x = ThirdPartyRequirements{}
	if err := dec.StartValue(__VDLType_struct_5); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "ReportServer":
			if err := dec.StartValue(vdl.BoolType); err != nil {
				return err
			}
			var err error
			if x.ReportServer, err = dec.DecodeBool(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "ReportMethod":
			if err := dec.StartValue(vdl.BoolType); err != nil {
				return err
			}
			var err error
			if x.ReportMethod, err = dec.DecodeBool(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "ReportArguments":
			if err := dec.StartValue(vdl.BoolType); err != nil {
				return err
			}
			var err error
			if x.ReportArguments, err = dec.DecodeBool(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// publicKeyThirdPartyCaveatParam represents a third-party caveat that requires
// PublicKeyDischarge(s) to be issued by a principal identified by a public key.
//
// The Id of the caveat is base64-encoded:
// hash(hash(Nonce), hash(DischargerKey), hash(Caveats[0]), hash(Caveats[1]), ...)
// where hash is a cryptographic hash function with a security strength
// equivalent to that of the DischargerKey. For example, if DischargerKey
// represents an ECDSA public key with the P384 curve, then hash should be
// SHA384.
type publicKeyThirdPartyCaveatParam struct {
	// Nonce specifies a cryptographically random nonce associated with an
	// instance of the caveat. This prevents discharge replays, where
	// discharges for ThirdPartyCaveats embedded in the certificates for
	// one blessing can be used for another blessing.
	//
	// Whether discharge re-use is a desired or un-desired property is
	// still under debate. Till the debate is settled, we err on the side
	// of discouraging re-use.
	Nonce nonce
	// Caveats specifies the caveats that have to be validated
	// before minting a discharge for a publicKeyCaveat.
	Caveats []Caveat
	// DER-encoded PKIX public key of the principal that can issue discharges.
	DischargerKey []byte
	// Object name where the third-party that can issue discharges can be found.
	DischargerLocation string
	// Information required by the third-party in order to issue a discharge.
	DischargerRequirements ThirdPartyRequirements
}

func (publicKeyThirdPartyCaveatParam) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.publicKeyThirdPartyCaveatParam"`
}) {
}

func (x publicKeyThirdPartyCaveatParam) VDLIsZero() bool {
	if x.Nonce != (nonce{}) {
		return false
	}
	if len(x.Caveats) != 0 {
		return false
	}
	if len(x.DischargerKey) != 0 {
		return false
	}
	if x.DischargerLocation != "" {
		return false
	}
	if x.DischargerRequirements != (ThirdPartyRequirements{}) {
		return false
	}
	return true
}

func (x publicKeyThirdPartyCaveatParam) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_6); err != nil {
		return err
	}
	if x.Nonce != (nonce{}) {
		if err := enc.NextField("Nonce"); err != nil {
			return err
		}
		if err := x.Nonce.VDLWrite(enc); err != nil {
			return err
		}
	}
	if len(x.Caveats) != 0 {
		if err := enc.NextField("Caveats"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil {
			return err
		}
	}
	if len(x.DischargerKey) != 0 {
		if err := enc.NextField("DischargerKey"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.DischargerKey); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.DischargerLocation != "" {
		if err := enc.NextField("DischargerLocation"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.StringType); err != nil {
			return err
		}
		if err := enc.EncodeString(x.DischargerLocation); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.DischargerRequirements != (ThirdPartyRequirements{}) {
		if err := enc.NextField("DischargerRequirements"); err != nil {
			return err
		}
		if err := x.DischargerRequirements.VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func __VDLWriteAnon_list_1(enc vdl.Encoder, x []Caveat) error {
	if err := enc.StartValue(__VDLType_list_7); err != nil {
		return err
	}
	if err := enc.SetLenHint(len(x)); err != nil {
		return err
	}
	for i := 0; i < len(x); i++ {
		if err := enc.NextEntry(false); err != nil {
			return err
		}
		if err := x[i].VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextEntry(true); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *publicKeyThirdPartyCaveatParam) VDLRead(dec vdl.Decoder) error {
	*x = publicKeyThirdPartyCaveatParam{}
	if err := dec.StartValue(__VDLType_struct_6); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Nonce":
			if err := x.Nonce.VDLRead(dec); err != nil {
				return err
			}
		case "Caveats":
			if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil {
				return err
			}
		case "DischargerKey":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.DischargerKey); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "DischargerLocation":
			if err := dec.StartValue(vdl.StringType); err != nil {
				return err
			}
			var err error
			if x.DischargerLocation, err = dec.DecodeString(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "DischargerRequirements":
			if err := x.DischargerRequirements.VDLRead(dec); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

func __VDLReadAnon_list_1(dec vdl.Decoder, x *[]Caveat) error {
	if err := dec.StartValue(__VDLType_list_7); err != nil {
		return err
	}
	switch len := dec.LenHint(); {
	case len > 0:
		*x = make([]Caveat, 0, len)
	default:
		*x = nil
	}
	for {
		switch done, err := dec.NextEntry(); {
		case err != nil:
			return err
		case done:
			return dec.FinishValue()
		}
		var elem Caveat
		if err := elem.VDLRead(dec); err != nil {
			return err
		}
		*x = append(*x, elem)
	}
}

// Hash identifies a cryptographic hash function approved for use in signature algorithms.
type Hash string

func (Hash) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.Hash"`
}) {
}

func (x Hash) VDLIsZero() bool {
	return x == ""
}

func (x Hash) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_string_8); err != nil {
		return err
	}
	if err := enc.EncodeString(string(x)); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *Hash) VDLRead(dec vdl.Decoder) error {
	if err := dec.StartValue(__VDLType_string_8); err != nil {
		return err
	}
	tmp, err := dec.DecodeString()
	if err != nil {
		return err
	}
	*x = Hash(tmp)
	return dec.FinishValue()
}

// Signature represents a digital signature.
type Signature struct {
	// Purpose of the signature. Can be used to prevent type attacks.
	// (See Section 4.2 of http://www-users.cs.york.ac.uk/~jac/PublishedPapers/reviewV1_1997.pdf for example).
	// The actual signature (R, S values for ECDSA keys) is produced by signing: Hash(Hash(message), Hash(Purpose)).
	Purpose []byte
	// Cryptographic hash function applied to the message before computing the signature.
	Hash Hash
	// Pair of integers that make up an ECDSA signature.
	R []byte
	S []byte
}

func (Signature) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.Signature"`
}) {
}

func (x Signature) VDLIsZero() bool {
	if len(x.Purpose) != 0 {
		return false
	}
	if x.Hash != "" {
		return false
	}
	if len(x.R) != 0 {
		return false
	}
	if len(x.S) != 0 {
		return false
	}
	return true
}

func (x Signature) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_9); err != nil {
		return err
	}
	if len(x.Purpose) != 0 {
		if err := enc.NextField("Purpose"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.Purpose); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.Hash != "" {
		if err := enc.NextField("Hash"); err != nil {
			return err
		}
		if err := x.Hash.VDLWrite(enc); err != nil {
			return err
		}
	}
	if len(x.R) != 0 {
		if err := enc.NextField("R"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.R); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if len(x.S) != 0 {
		if err := enc.NextField("S"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.S); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *Signature) VDLRead(dec vdl.Decoder) error {
	*x = Signature{}
	if err := dec.StartValue(__VDLType_struct_9); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Purpose":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.Purpose); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "Hash":
			if err := x.Hash.VDLRead(dec); err != nil {
				return err
			}
		case "R":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.R); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "S":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.S); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// PublicKeyDischarge represents a discharge for third party caveats that
// require a signature from a third-party's public key.
//
// The message digest of this structure is computed as follows:
// hash(hash(ThirdPartyCaveatId), hash(Caveats[0]), hash(Caveats[1]), ...),
// where hash is a cryptographic hash function with a security strength
// equivalent to the strength of the public key of the principal issuing the
// discharge.
type PublicKeyDischarge struct {
	ThirdPartyCaveatId string    // Id of the third party caveat for which this discharge was issued.
	Caveats            []Caveat  // Caveats on the use of this discharge.
	Signature          Signature // Signature of the content hash of this discharge by the discharger.
}

func (PublicKeyDischarge) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.PublicKeyDischarge"`
}) {
}

func (x PublicKeyDischarge) VDLIsZero() bool {
	if x.ThirdPartyCaveatId != "" {
		return false
	}
	if len(x.Caveats) != 0 {
		return false
	}
	if !x.Signature.VDLIsZero() {
		return false
	}
	return true
}

func (x PublicKeyDischarge) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_10); err != nil {
		return err
	}
	if x.ThirdPartyCaveatId != "" {
		if err := enc.NextField("ThirdPartyCaveatId"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.StringType); err != nil {
			return err
		}
		if err := enc.EncodeString(x.ThirdPartyCaveatId); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if len(x.Caveats) != 0 {
		if err := enc.NextField("Caveats"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil {
			return err
		}
	}
	if !x.Signature.VDLIsZero() {
		if err := enc.NextField("Signature"); err != nil {
			return err
		}
		if err := x.Signature.VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *PublicKeyDischarge) VDLRead(dec vdl.Decoder) error {
	*x = PublicKeyDischarge{}
	if err := dec.StartValue(__VDLType_struct_10); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "ThirdPartyCaveatId":
			if err := dec.StartValue(vdl.StringType); err != nil {
				return err
			}
			var err error
			if x.ThirdPartyCaveatId, err = dec.DecodeString(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "Caveats":
			if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil {
				return err
			}
		case "Signature":
			if err := x.Signature.VDLRead(dec); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// BlessingPattern is a pattern that is matched by specific blessings.
//
// A pattern can either be a blessing (slash-separated human-readable string)
// or a blessing ending in "/$". A pattern ending in "/$" is matched exactly
// by the blessing specified by the pattern string with the "/$" suffix stripped
// out. For example, the pattern "a/b/c/$" is matched by exactly by the blessing
// "a/b/c".
//
// A pattern not ending in "/$" is more permissive, and is also matched by blessings
// that are extensions of the pattern (including the pattern itself). For example, the
// pattern "a/b/c" is matched by the blessings "a/b/c", "a/b/c/x", "a/b/c/x/y", etc.
//
// TODO(ataly, ashankar): Define a formal BNF grammar for blessings and blessing patterns.
type BlessingPattern string

func (BlessingPattern) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.BlessingPattern"`
}) {
}

func (x BlessingPattern) VDLIsZero() bool {
	return x == ""
}

func (x BlessingPattern) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_string_11); err != nil {
		return err
	}
	if err := enc.EncodeString(string(x)); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *BlessingPattern) VDLRead(dec vdl.Decoder) error {
	if err := dec.StartValue(__VDLType_string_11); err != nil {
		return err
	}
	tmp, err := dec.DecodeString()
	if err != nil {
		return err
	}
	*x = BlessingPattern(tmp)
	return dec.FinishValue()
}

// DischargeImpetus encapsulates the motivation for a discharge being sought.
//
// These values are reported by a principal that is requesting a Discharge for
// a third-party caveat on one of its blessings. The third-party issues
// discharges cannot safely assume that all these values are provided, or that
// they are provided honestly.
//
// Implementations of services that issue discharges are encouraged to add
// caveats to the discharge that bind the discharge to the impetus, thereby
// rendering the discharge unsuable for any other purpose.
type DischargeImpetus struct {
	Server    []BlessingPattern // The client intends to use the discharge to communicate with a server that has a blessing matching one of the patterns in this set.
	Method    string            // Name of the method being invoked by the client.
	Arguments []*vom.RawBytes   // Arguments to the method invocation.
}

func (DischargeImpetus) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.DischargeImpetus"`
}) {
}

func (x DischargeImpetus) VDLIsZero() bool {
	if len(x.Server) != 0 {
		return false
	}
	if x.Method != "" {
		return false
	}
	if len(x.Arguments) != 0 {
		return false
	}
	return true
}

func (x DischargeImpetus) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_12); err != nil {
		return err
	}
	if len(x.Server) != 0 {
		if err := enc.NextField("Server"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_2(enc, x.Server); err != nil {
			return err
		}
	}
	if x.Method != "" {
		if err := enc.NextField("Method"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.StringType); err != nil {
			return err
		}
		if err := enc.EncodeString(x.Method); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if len(x.Arguments) != 0 {
		if err := enc.NextField("Arguments"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_3(enc, x.Arguments); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func __VDLWriteAnon_list_2(enc vdl.Encoder, x []BlessingPattern) error {
	if err := enc.StartValue(__VDLType_list_13); err != nil {
		return err
	}
	if err := enc.SetLenHint(len(x)); err != nil {
		return err
	}
	for i := 0; i < len(x); i++ {
		if err := enc.NextEntry(false); err != nil {
			return err
		}
		if err := x[i].VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextEntry(true); err != nil {
		return err
	}
	return enc.FinishValue()
}

func __VDLWriteAnon_list_3(enc vdl.Encoder, x []*vom.RawBytes) error {
	if err := enc.StartValue(__VDLType_list_14); err != nil {
		return err
	}
	if err := enc.SetLenHint(len(x)); err != nil {
		return err
	}
	for i := 0; i < len(x); i++ {
		if err := enc.NextEntry(false); err != nil {
			return err
		}
		if x[i] == nil {
			if err := enc.NilValue(vdl.AnyType); err != nil {
				return err
			}
		} else {
			if err := x[i].VDLWrite(enc); err != nil {
				return err
			}
		}
	}
	if err := enc.NextEntry(true); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *DischargeImpetus) VDLRead(dec vdl.Decoder) error {
	*x = DischargeImpetus{}
	if err := dec.StartValue(__VDLType_struct_12); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Server":
			if err := __VDLReadAnon_list_2(dec, &x.Server); err != nil {
				return err
			}
		case "Method":
			if err := dec.StartValue(vdl.StringType); err != nil {
				return err
			}
			var err error
			if x.Method, err = dec.DecodeString(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "Arguments":
			if err := __VDLReadAnon_list_3(dec, &x.Arguments); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

func __VDLReadAnon_list_2(dec vdl.Decoder, x *[]BlessingPattern) error {
	if err := dec.StartValue(__VDLType_list_13); err != nil {
		return err
	}
	switch len := dec.LenHint(); {
	case len > 0:
		*x = make([]BlessingPattern, 0, len)
	default:
		*x = nil
	}
	for {
		switch done, err := dec.NextEntry(); {
		case err != nil:
			return err
		case done:
			return dec.FinishValue()
		}
		var elem BlessingPattern
		if err := elem.VDLRead(dec); err != nil {
			return err
		}
		*x = append(*x, elem)
	}
}

func __VDLReadAnon_list_3(dec vdl.Decoder, x *[]*vom.RawBytes) error {
	if err := dec.StartValue(__VDLType_list_14); err != nil {
		return err
	}
	switch len := dec.LenHint(); {
	case len > 0:
		*x = make([]*vom.RawBytes, 0, len)
	default:
		*x = nil
	}
	for {
		switch done, err := dec.NextEntry(); {
		case err != nil:
			return err
		case done:
			return dec.FinishValue()
		}
		var elem *vom.RawBytes
		elem = new(vom.RawBytes)
		if err := elem.VDLRead(dec); err != nil {
			return err
		}
		*x = append(*x, elem)
	}
}

// Certificate represents the cryptographic proof of the binding of
// extensions of a blessing held by one principal to another (represented by
// a public key) under specific caveats.
//
// For example, if a principal P1 has a blessing "alice", then it can
// extend it with a Certificate to generate the blessing "alice/friend" for
// another principal P2.
type Certificate struct {
	Extension string    // Human-readable string extension bound to PublicKey.
	PublicKey []byte    // DER-encoded PKIX public key.
	Caveats   []Caveat  // Caveats on the binding of Name to PublicKey.
	Signature Signature // Signature by the blessing principal that binds the extension to the public key.
}

func (Certificate) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.Certificate"`
}) {
}

func (x Certificate) VDLIsZero() bool {
	if x.Extension != "" {
		return false
	}
	if len(x.PublicKey) != 0 {
		return false
	}
	if len(x.Caveats) != 0 {
		return false
	}
	if !x.Signature.VDLIsZero() {
		return false
	}
	return true
}

func (x Certificate) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_15); err != nil {
		return err
	}
	if x.Extension != "" {
		if err := enc.NextField("Extension"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.StringType); err != nil {
			return err
		}
		if err := enc.EncodeString(x.Extension); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if len(x.PublicKey) != 0 {
		if err := enc.NextField("PublicKey"); err != nil {
			return err
		}
		if err := enc.StartValue(__VDLType_list_4); err != nil {
			return err
		}
		if err := enc.EncodeBytes(x.PublicKey); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if len(x.Caveats) != 0 {
		if err := enc.NextField("Caveats"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil {
			return err
		}
	}
	if !x.Signature.VDLIsZero() {
		if err := enc.NextField("Signature"); err != nil {
			return err
		}
		if err := x.Signature.VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *Certificate) VDLRead(dec vdl.Decoder) error {
	*x = Certificate{}
	if err := dec.StartValue(__VDLType_struct_15); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Extension":
			if err := dec.StartValue(vdl.StringType); err != nil {
				return err
			}
			var err error
			if x.Extension, err = dec.DecodeString(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "PublicKey":
			if err := dec.StartValue(__VDLType_list_4); err != nil {
				return err
			}
			if err := dec.DecodeBytes(-1, &x.PublicKey); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "Caveats":
			if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil {
				return err
			}
		case "Signature":
			if err := x.Signature.VDLRead(dec); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// CaveatDescriptor defines an association between a caveat validation function
// (addressed by globally unique identifier) and the data needed by the
// validation function.
//
// For a validator to be invoked, a validation function must be registered with
// the validator description in the language that the function is defined in.
type CaveatDescriptor struct {
	Id        uniqueid.Id // The identifier of the caveat validation function.
	ParamType *vdl.Type   // The type of the parameter expected by the validation function.
}

func (CaveatDescriptor) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.CaveatDescriptor"`
}) {
}

func (x CaveatDescriptor) VDLIsZero() bool {
	if x.Id != (uniqueid.Id{}) {
		return false
	}
	if x.ParamType != nil && x.ParamType != vdl.AnyType {
		return false
	}
	return true
}

func (x CaveatDescriptor) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_16); err != nil {
		return err
	}
	if x.Id != (uniqueid.Id{}) {
		if err := enc.NextField("Id"); err != nil {
			return err
		}
		if err := x.Id.VDLWrite(enc); err != nil {
			return err
		}
	}
	if x.ParamType != nil && x.ParamType != vdl.AnyType {
		if err := enc.NextField("ParamType"); err != nil {
			return err
		}
		if err := x.ParamType.VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *CaveatDescriptor) VDLRead(dec vdl.Decoder) error {
	*x = CaveatDescriptor{
		ParamType: vdl.AnyType,
	}
	if err := dec.StartValue(__VDLType_struct_16); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Id":
			if err := x.Id.VDLRead(dec); err != nil {
				return err
			}
		case "ParamType":
			if err := dec.StartValue(vdl.TypeObjectType); err != nil {
				return err
			}
			var err error
			if x.ParamType, err = dec.DecodeTypeObject(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// WireBlessings encapsulates wire format of a set of blessings and the
// corresponding cryptographic proof that binds them to a principal
// (identified by a public key).
//
// This structure is the "wire" format for sending and receiving blessings
// in RPCs or marshaling to persistent storage. Typically, languages will
// provide a factory function that converts this wire representation to
// a more usable object to inspect and manipulate these blessings.
type WireBlessings struct {
	// CertificateChains is an array of chains of certificates that bind
	// a blessing to the public key in the last certificate of the chain.
	CertificateChains [][]Certificate
}

func (WireBlessings) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.WireBlessings"`
}) {
}

func (x WireBlessings) VDLIsZero() bool {
	if len(x.CertificateChains) != 0 {
		return false
	}
	return true
}

func (x WireBlessings) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_17); err != nil {
		return err
	}
	if len(x.CertificateChains) != 0 {
		if err := enc.NextField("CertificateChains"); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_4(enc, x.CertificateChains); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func __VDLWriteAnon_list_4(enc vdl.Encoder, x [][]Certificate) error {
	if err := enc.StartValue(__VDLType_list_18); err != nil {
		return err
	}
	if err := enc.SetLenHint(len(x)); err != nil {
		return err
	}
	for i := 0; i < len(x); i++ {
		if err := enc.NextEntry(false); err != nil {
			return err
		}
		if err := __VDLWriteAnon_list_5(enc, x[i]); err != nil {
			return err
		}
	}
	if err := enc.NextEntry(true); err != nil {
		return err
	}
	return enc.FinishValue()
}

func __VDLWriteAnon_list_5(enc vdl.Encoder, x []Certificate) error {
	if err := enc.StartValue(__VDLType_list_19); err != nil {
		return err
	}
	if err := enc.SetLenHint(len(x)); err != nil {
		return err
	}
	for i := 0; i < len(x); i++ {
		if err := enc.NextEntry(false); err != nil {
			return err
		}
		if err := x[i].VDLWrite(enc); err != nil {
			return err
		}
	}
	if err := enc.NextEntry(true); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *WireBlessings) VDLRead(dec vdl.Decoder) error {
	*x = WireBlessings{}
	if err := dec.StartValue(__VDLType_struct_17); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "CertificateChains":
			if err := __VDLReadAnon_list_4(dec, &x.CertificateChains); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

func __VDLReadAnon_list_4(dec vdl.Decoder, x *[][]Certificate) error {
	if err := dec.StartValue(__VDLType_list_18); err != nil {
		return err
	}
	switch len := dec.LenHint(); {
	case len > 0:
		*x = make([][]Certificate, 0, len)
	default:
		*x = nil
	}
	for {
		switch done, err := dec.NextEntry(); {
		case err != nil:
			return err
		case done:
			return dec.FinishValue()
		}
		var elem []Certificate
		if err := __VDLReadAnon_list_5(dec, &elem); err != nil {
			return err
		}
		*x = append(*x, elem)
	}
}

func __VDLReadAnon_list_5(dec vdl.Decoder, x *[]Certificate) error {
	if err := dec.StartValue(__VDLType_list_19); err != nil {
		return err
	}
	switch len := dec.LenHint(); {
	case len > 0:
		*x = make([]Certificate, 0, len)
	default:
		*x = nil
	}
	for {
		switch done, err := dec.NextEntry(); {
		case err != nil:
			return err
		case done:
			return dec.FinishValue()
		}
		var elem Certificate
		if err := elem.VDLRead(dec); err != nil {
			return err
		}
		*x = append(*x, elem)
	}
}

type (
	// WireDischarge represents any single field of the WireDischarge union type.
	//
	// WireDischarge encapsulates the wire format of a third-party caveat
	// Discharge.
	WireDischarge interface {
		// Index returns the field index.
		Index() int
		// Interface returns the field value as an interface.
		Interface() interface{}
		// Name returns the field name.
		Name() string
		// __VDLReflect describes the WireDischarge union type.
		__VDLReflect(__WireDischargeReflect)
		VDLIsZero() bool
		VDLWrite(vdl.Encoder) error
	}
	// WireDischargePublicKey represents field PublicKey of the WireDischarge union type.
	WireDischargePublicKey struct{ Value PublicKeyDischarge } // Discharge for PublicKeyThirdPartyCaveat
	// __WireDischargeReflect describes the WireDischarge union type.
	__WireDischargeReflect struct {
		Name  string `vdl:"v.io/v23/security.WireDischarge"`
		Type  WireDischarge
		Union struct {
			PublicKey WireDischargePublicKey
		}
	}
)

func (x WireDischargePublicKey) Index() int                          { return 0 }
func (x WireDischargePublicKey) Interface() interface{}              { return x.Value }
func (x WireDischargePublicKey) Name() string                        { return "PublicKey" }
func (x WireDischargePublicKey) __VDLReflect(__WireDischargeReflect) {}

func (x WireDischargePublicKey) VDLIsZero() bool {
	return x.Value.VDLIsZero()
}

func (x WireDischargePublicKey) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_union_20); err != nil {
		return err
	}
	if err := enc.NextField("PublicKey"); err != nil {
		return err
	}
	if err := x.Value.VDLWrite(enc); err != nil {
		return err
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func VDLReadWireDischarge(dec vdl.Decoder, x *WireDischarge) error {
	if err := dec.StartValue(__VDLType_union_20); err != nil {
		return err
	}
	f, err := dec.NextField()
	if err != nil {
		return err
	}
	switch f {
	case "PublicKey":
		var field WireDischargePublicKey
		if err := field.Value.VDLRead(dec); err != nil {
			return err
		}
		*x = field
	case "":
		return fmt.Errorf("missing field in union %T, from %v", x, dec.Type())
	default:
		return fmt.Errorf("field %q not in union %T, from %v", f, x, dec.Type())
	}
	switch f, err := dec.NextField(); {
	case err != nil:
		return err
	case f != "":
		return fmt.Errorf("extra field %q in union %T, from %v", f, x, dec.Type())
	}
	return dec.FinishValue()
}

// RejectedBlessing describes why a blessing failed validation.
type RejectedBlessing struct {
	Blessing string
	Err      error
}

func (RejectedBlessing) __VDLReflect(struct {
	Name string `vdl:"v.io/v23/security.RejectedBlessing"`
}) {
}

func (x RejectedBlessing) VDLIsZero() bool {
	return x == RejectedBlessing{}
}

func (x RejectedBlessing) VDLWrite(enc vdl.Encoder) error {
	if err := enc.StartValue(__VDLType_struct_21); err != nil {
		return err
	}
	if x.Blessing != "" {
		if err := enc.NextField("Blessing"); err != nil {
			return err
		}
		if err := enc.StartValue(vdl.StringType); err != nil {
			return err
		}
		if err := enc.EncodeString(x.Blessing); err != nil {
			return err
		}
		if err := enc.FinishValue(); err != nil {
			return err
		}
	}
	if x.Err != nil {
		if err := enc.NextField("Err"); err != nil {
			return err
		}
		if err := verror.VDLWrite(enc, x.Err); err != nil {
			return err
		}
	}
	if err := enc.NextField(""); err != nil {
		return err
	}
	return enc.FinishValue()
}

func (x *RejectedBlessing) VDLRead(dec vdl.Decoder) error {
	*x = RejectedBlessing{}
	if err := dec.StartValue(__VDLType_struct_21); err != nil {
		return err
	}
	for {
		f, err := dec.NextField()
		if err != nil {
			return err
		}
		switch f {
		case "":
			return dec.FinishValue()
		case "Blessing":
			if err := dec.StartValue(vdl.StringType); err != nil {
				return err
			}
			var err error
			if x.Blessing, err = dec.DecodeString(); err != nil {
				return err
			}
			if err := dec.FinishValue(); err != nil {
				return err
			}
		case "Err":
			if err := verror.VDLRead(dec, &x.Err); err != nil {
				return err
			}
		default:
			if err := dec.SkipValue(); err != nil {
				return err
			}
		}
	}
}

// Type-check native conversion functions.
var (
	_ func(WireBlessings, *Blessings) error = WireBlessingsToNative
	_ func(*WireBlessings, Blessings) error = WireBlessingsFromNative
	_ func(WireDischarge, *Discharge) error = WireDischargeToNative
	_ func(*WireDischarge, Discharge) error = WireDischargeFromNative
)

//////////////////////////////////////////////////
// Const definitions

// ConstCaveat represents a caveat that either always validates or never validates.
var ConstCaveat = CaveatDescriptor{
	ParamType: vdl.BoolType,
}

// ExpiryCaveat represents a caveat that validates iff the current time is no later
// the specified time.Time.
var ExpiryCaveat = CaveatDescriptor{
	Id: uniqueid.Id{
		166,
		76,
		45,
		1,
		25,
		251,
		163,
		52,
		128,
		113,
		254,
		235,
		47,
		48,
		128,
		0,
	},
	ParamType: __VDLType_struct_22,
}

// MethodCaveat represents a caveat that validates iff the method being
// invoked is included in this list. An empty list implies that the caveat is invalid.
var MethodCaveat = CaveatDescriptor{
	Id: uniqueid.Id{
		84,
		166,
		118,
		57,
		129,
		55,
		24,
		126,
		205,
		178,
		109,
		45,
		105,
		186,
		0,
		3,
	},
	ParamType: __VDLType_list_23,
}
var PublicKeyThirdPartyCaveat = CaveatDescriptor{
	Id: uniqueid.Id{
		121,
		114,
		206,
		23,
		74,
		123,
		169,
		63,
		121,
		84,
		125,
		118,
		156,
		145,
		128,
		0,
	},
	ParamType: __VDLType_struct_6,
}

// PeerBlessingsCaveat represents a caveat that validates iff the peer being communicated
// with (local end of the call) has a blessing name matching at least one of the patterns
// in the list. An empty list implies that the caveat is invalid.
var PeerBlessingsCaveat = CaveatDescriptor{
	Id: uniqueid.Id{
		5,
		119,
		248,
		86,
		76,
		142,
		95,
		254,
		255,
		142,
		43,
		31,
		77,
		109,
		128,
		0,
	},
	ParamType: __VDLType_list_13,
}

// NoExtension is an optional terminator for a blessing pattern indicating that the pattern
// cannot match any extensions of the blessing from that point onwards.
const NoExtension = BlessingPattern("$")

// TODO(ataly, ashankar): The semantics of AllPrincipals breaks monotonicity in
// AccessLists with NotIn clauses. For instance, the AccessList "In: {AllPrincipals}, NotIn: {"foo"}
// matches the principal that presents no recognizable blessings ([]) however does not
// match the principal that presents "foo" as the only recognizable blessings (["foo"])
// We need to sort this out.
const AllPrincipals = BlessingPattern("...")  // Glob pattern that matches all blessings.
const ChainSeparator = ":"                    // ChainSeparator joins blessing names to form a blessing chain name.
const SHA1Hash = Hash("SHA1")                 // SHA1 cryptographic hash function defined in RFC3174.
const SHA256Hash = Hash("SHA256")             // SHA256 cryptographic hash function defined  in FIPS 180-4.
const SHA384Hash = Hash("SHA384")             // SHA384 cryptographic hash function defined in FIPS 180-2.
const SHA512Hash = Hash("SHA512")             // SHA512 cryptographic hash function defined in FIPS 180-2.
const SignatureForMessageSigning = "S1"       // Signature.Purpose used by a Principal to sign arbitrary messages.
const SignatureForBlessingCertificates = "B1" // Signature.Purpose used by a Principal when signing Certificates for creating blessings.
const SignatureForDischarge = "D1"            // Signature.Purpose used by a Principal when signing discharges for public-key based third-party caveats.

//////////////////////////////////////////////////
// Error definitions

var (
	ErrCaveatNotRegistered           = verror.Register("v.io/v23/security.CaveatNotRegistered", verror.NoRetry, "{1:}{2:} no validation function registered for caveat id {3}")
	ErrCaveatParamAny                = verror.Register("v.io/v23/security.CaveatParamAny", verror.NoRetry, "{1:}{2:} caveat {3} uses illegal param type any")
	ErrCaveatParamTypeMismatch       = verror.Register("v.io/v23/security.CaveatParamTypeMismatch", verror.NoRetry, "{1:}{2:} bad param type: caveat {3} got {4}, want {5}")
	ErrCaveatParamCoding             = verror.Register("v.io/v23/security.CaveatParamCoding", verror.NoRetry, "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}")
	ErrCaveatValidation              = verror.Register("v.io/v23/security.CaveatValidation", verror.NoRetry, "{1:}{2:} caveat validation failed: {3}")
	ErrConstCaveatValidation         = verror.Register("v.io/v23/security.ConstCaveatValidation", verror.NoRetry, "{1:}{2:} false const caveat always fails validation")
	ErrExpiryCaveatValidation        = verror.Register("v.io/v23/security.ExpiryCaveatValidation", verror.NoRetry, "{1:}{2:} now({3}) is after expiry({4})")
	ErrMethodCaveatValidation        = verror.Register("v.io/v23/security.MethodCaveatValidation", verror.NoRetry, "{1:}{2:} method {3} not in list {4}")
	ErrPeerBlessingsCaveatValidation = verror.Register("v.io/v23/security.PeerBlessingsCaveatValidation", verror.NoRetry, "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}")
	ErrUnrecognizedRoot              = verror.Register("v.io/v23/security.UnrecognizedRoot", verror.NoRetry, "{1:}{2:} unrecognized public key {3} in root certificate{:4}")
	ErrAuthorizationFailed           = verror.Register("v.io/v23/security.AuthorizationFailed", verror.NoRetry, "{1:}{2:} principal with blessings {3} (rejected {4}) is not authorized by principal with blessings {5}")
	ErrInvalidSigningBlessingCaveat  = verror.Register("v.io/v23/security.InvalidSigningBlessingCaveat", verror.NoRetry, "{1:}{2:} blessing has caveat with UUID {3} which makes it unsuitable for signing -- please use blessings with just Expiry caveats")
	ErrPublicKeyNotAllowed           = verror.Register("v.io/v23/security.PublicKeyNotAllowed", verror.NoRetry, "{1:}{2:} peer has public key {3}, not the authorized public key {4}")
	ErrEndpointAuthorizationFailed   = verror.Register("v.io/v23/security.EndpointAuthorizationFailed", verror.NoRetry, "{1:}{2:} blessings in endpoint {3} not matched by blessings presented: {4} (rejected {5})")
)

// NewErrCaveatNotRegistered returns an error with the ErrCaveatNotRegistered ID.
func NewErrCaveatNotRegistered(ctx *context.T, id uniqueid.Id) error {
	return verror.New(ErrCaveatNotRegistered, ctx, id)
}

// NewErrCaveatParamAny returns an error with the ErrCaveatParamAny ID.
func NewErrCaveatParamAny(ctx *context.T, id uniqueid.Id) error {
	return verror.New(ErrCaveatParamAny, ctx, id)
}

// NewErrCaveatParamTypeMismatch returns an error with the ErrCaveatParamTypeMismatch ID.
func NewErrCaveatParamTypeMismatch(ctx *context.T, id uniqueid.Id, got *vdl.Type, want *vdl.Type) error {
	return verror.New(ErrCaveatParamTypeMismatch, ctx, id, got, want)
}

// NewErrCaveatParamCoding returns an error with the ErrCaveatParamCoding ID.
func NewErrCaveatParamCoding(ctx *context.T, id uniqueid.Id, typ *vdl.Type, err error) error {
	return verror.New(ErrCaveatParamCoding, ctx, id, typ, err)
}

// NewErrCaveatValidation returns an error with the ErrCaveatValidation ID.
func NewErrCaveatValidation(ctx *context.T, err error) error {
	return verror.New(ErrCaveatValidation, ctx, err)
}

// NewErrConstCaveatValidation returns an error with the ErrConstCaveatValidation ID.
func NewErrConstCaveatValidation(ctx *context.T) error {
	return verror.New(ErrConstCaveatValidation, ctx)
}

// NewErrExpiryCaveatValidation returns an error with the ErrExpiryCaveatValidation ID.
func NewErrExpiryCaveatValidation(ctx *context.T, currentTime time.Time, expiryTime time.Time) error {
	return verror.New(ErrExpiryCaveatValidation, ctx, currentTime, expiryTime)
}

// NewErrMethodCaveatValidation returns an error with the ErrMethodCaveatValidation ID.
func NewErrMethodCaveatValidation(ctx *context.T, invokedMethod string, permittedMethods []string) error {
	return verror.New(ErrMethodCaveatValidation, ctx, invokedMethod, permittedMethods)
}

// NewErrPeerBlessingsCaveatValidation returns an error with the ErrPeerBlessingsCaveatValidation ID.
func NewErrPeerBlessingsCaveatValidation(ctx *context.T, peerBlessings []string, permittedPatterns []BlessingPattern) error {
	return verror.New(ErrPeerBlessingsCaveatValidation, ctx, peerBlessings, permittedPatterns)
}

// NewErrUnrecognizedRoot returns an error with the ErrUnrecognizedRoot ID.
func NewErrUnrecognizedRoot(ctx *context.T, rootKey string, details error) error {
	return verror.New(ErrUnrecognizedRoot, ctx, rootKey, details)
}

// NewErrAuthorizationFailed returns an error with the ErrAuthorizationFailed ID.
func NewErrAuthorizationFailed(ctx *context.T, remote []string, remoteErr []RejectedBlessing, local []string) error {
	return verror.New(ErrAuthorizationFailed, ctx, remote, remoteErr, local)
}

// NewErrInvalidSigningBlessingCaveat returns an error with the ErrInvalidSigningBlessingCaveat ID.
func NewErrInvalidSigningBlessingCaveat(ctx *context.T, id uniqueid.Id) error {
	return verror.New(ErrInvalidSigningBlessingCaveat, ctx, id)
}

// NewErrPublicKeyNotAllowed returns an error with the ErrPublicKeyNotAllowed ID.
func NewErrPublicKeyNotAllowed(ctx *context.T, got string, want string) error {
	return verror.New(ErrPublicKeyNotAllowed, ctx, got, want)
}

// NewErrEndpointAuthorizationFailed returns an error with the ErrEndpointAuthorizationFailed ID.
func NewErrEndpointAuthorizationFailed(ctx *context.T, endpoint string, remote []string, rejected []RejectedBlessing) error {
	return verror.New(ErrEndpointAuthorizationFailed, ctx, endpoint, remote, rejected)
}

// Hold type definitions in package-level variables, for better performance.
var (
	__VDLType_array_1   *vdl.Type
	__VDLType_struct_2  *vdl.Type
	__VDLType_array_3   *vdl.Type
	__VDLType_list_4    *vdl.Type
	__VDLType_struct_5  *vdl.Type
	__VDLType_struct_6  *vdl.Type
	__VDLType_list_7    *vdl.Type
	__VDLType_string_8  *vdl.Type
	__VDLType_struct_9  *vdl.Type
	__VDLType_struct_10 *vdl.Type
	__VDLType_string_11 *vdl.Type
	__VDLType_struct_12 *vdl.Type
	__VDLType_list_13   *vdl.Type
	__VDLType_list_14   *vdl.Type
	__VDLType_struct_15 *vdl.Type
	__VDLType_struct_16 *vdl.Type
	__VDLType_struct_17 *vdl.Type
	__VDLType_list_18   *vdl.Type
	__VDLType_list_19   *vdl.Type
	__VDLType_union_20  *vdl.Type
	__VDLType_struct_21 *vdl.Type
	__VDLType_struct_22 *vdl.Type
	__VDLType_list_23   *vdl.Type
)

var __VDLInitCalled bool

// __VDLInit performs vdl initialization.  It is safe to call multiple times.
// If you have an init ordering issue, just insert the following line verbatim
// into your source files in this package, right after the "package foo" clause:
//
//    var _ = __VDLInit()
//
// The purpose of this function is to ensure that vdl initialization occurs in
// the right order, and very early in the init sequence.  In particular, vdl
// registration and package variable initialization needs to occur before
// functions like vdl.TypeOf will work properly.
//
// This function returns a dummy value, so that it can be used to initialize the
// first var in the file, to take advantage of Go's defined init order.
func __VDLInit() struct{} {
	if __VDLInitCalled {
		return struct{}{}
	}
	__VDLInitCalled = true

	// Register native type conversions first, so that vdl.TypeOf works.
	vdl.RegisterNative(WireBlessingsToNative, WireBlessingsFromNative)
	vdl.RegisterNative(WireDischargeToNative, WireDischargeFromNative)

	// Register types.
	vdl.Register((*nonce)(nil))
	vdl.Register((*Caveat)(nil))
	vdl.Register((*ThirdPartyRequirements)(nil))
	vdl.Register((*publicKeyThirdPartyCaveatParam)(nil))
	vdl.Register((*Hash)(nil))
	vdl.Register((*Signature)(nil))
	vdl.Register((*PublicKeyDischarge)(nil))
	vdl.Register((*BlessingPattern)(nil))
	vdl.Register((*DischargeImpetus)(nil))
	vdl.Register((*Certificate)(nil))
	vdl.Register((*CaveatDescriptor)(nil))
	vdl.Register((*WireBlessings)(nil))
	vdl.Register((*WireDischarge)(nil))
	vdl.Register((*RejectedBlessing)(nil))

	// Initialize type definitions.
	__VDLType_array_1 = vdl.TypeOf((*nonce)(nil))
	__VDLType_struct_2 = vdl.TypeOf((*Caveat)(nil)).Elem()
	__VDLType_array_3 = vdl.TypeOf((*uniqueid.Id)(nil))
	__VDLType_list_4 = vdl.TypeOf((*[]byte)(nil))
	__VDLType_struct_5 = vdl.TypeOf((*ThirdPartyRequirements)(nil)).Elem()
	__VDLType_struct_6 = vdl.TypeOf((*publicKeyThirdPartyCaveatParam)(nil)).Elem()
	__VDLType_list_7 = vdl.TypeOf((*[]Caveat)(nil))
	__VDLType_string_8 = vdl.TypeOf((*Hash)(nil))
	__VDLType_struct_9 = vdl.TypeOf((*Signature)(nil)).Elem()
	__VDLType_struct_10 = vdl.TypeOf((*PublicKeyDischarge)(nil)).Elem()
	__VDLType_string_11 = vdl.TypeOf((*BlessingPattern)(nil))
	__VDLType_struct_12 = vdl.TypeOf((*DischargeImpetus)(nil)).Elem()
	__VDLType_list_13 = vdl.TypeOf((*[]BlessingPattern)(nil))
	__VDLType_list_14 = vdl.TypeOf((*[]*vom.RawBytes)(nil))
	__VDLType_struct_15 = vdl.TypeOf((*Certificate)(nil)).Elem()
	__VDLType_struct_16 = vdl.TypeOf((*CaveatDescriptor)(nil)).Elem()
	__VDLType_struct_17 = vdl.TypeOf((*WireBlessings)(nil)).Elem()
	__VDLType_list_18 = vdl.TypeOf((*[][]Certificate)(nil))
	__VDLType_list_19 = vdl.TypeOf((*[]Certificate)(nil))
	__VDLType_union_20 = vdl.TypeOf((*WireDischarge)(nil))
	__VDLType_struct_21 = vdl.TypeOf((*RejectedBlessing)(nil)).Elem()
	__VDLType_struct_22 = vdl.TypeOf((*vdltime.Time)(nil)).Elem()
	__VDLType_list_23 = vdl.TypeOf((*[]string)(nil))

	// Set error format strings.
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatNotRegistered.ID), "{1:}{2:} no validation function registered for caveat id {3}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamAny.ID), "{1:}{2:} caveat {3} uses illegal param type any")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamTypeMismatch.ID), "{1:}{2:} bad param type: caveat {3} got {4}, want {5}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamCoding.ID), "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatValidation.ID), "{1:}{2:} caveat validation failed: {3}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrConstCaveatValidation.ID), "{1:}{2:} false const caveat always fails validation")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrExpiryCaveatValidation.ID), "{1:}{2:} now({3}) is after expiry({4})")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrMethodCaveatValidation.ID), "{1:}{2:} method {3} not in list {4}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPeerBlessingsCaveatValidation.ID), "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrUnrecognizedRoot.ID), "{1:}{2:} unrecognized public key {3} in root certificate{:4}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrAuthorizationFailed.ID), "{1:}{2:} principal with blessings {3} (rejected {4}) is not authorized by principal with blessings {5}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrInvalidSigningBlessingCaveat.ID), "{1:}{2:} blessing has caveat with UUID {3} which makes it unsuitable for signing -- please use blessings with just Expiry caveats")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPublicKeyNotAllowed.ID), "{1:}{2:} peer has public key {3}, not the authorized public key {4}")
	i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrEndpointAuthorizationFailed.ID), "{1:}{2:} blessings in endpoint {3} not matched by blessings presented: {4} (rejected {5})")

	return struct{}{}
}