JDK-4457725

NameConstraintsExtension.verify sometimes returns false when it shouldn't


    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • 1.4.0
    • 1.4.0
    • security-libs
    • None
    • beta2
    • generic
    • generic

      NameConstraintsExtension.verify(GeneralNameInterface name) does not properly handle the case where a name to be verified matches or narrows one of the permitted names, but widens or does not match (SAME_TYPE) a subsequent permitted name. It should return true, indicating that the name is OK. Instead, it returns false. This causes our CertPathValidator and CertPathBuilder implementations to reject the name (and therefore the path).

      The problem only occurs if the NameConstraintsExtension has more than
      one permitted name of the same type.

            smalkanisunw Seema Malkani (Inactive)
            duke J. Duke
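The failure mode described in the report, as an added example that is not the JDK's source: a simplified model restricted to DNS names, in which `verifyBuggy` reproduces the reported symptom and `verifyFixed` shows the expected behaviour. The class, the method names, the `Rel` enum and the sample names are all hypothetical, and the buggy loop is an assumed reconstruction of the symptom, not the original code.

```java
import java.util.List;
import java.util.Locale;

public class PermittedNamesDemo {
    // Simplified stand-ins for the comparison results the report mentions.
    enum Rel { MATCH, NARROWS, WIDENS, SAME_TYPE }

    // Relationship of a DNS name to one permitted subtree (DNS names only).
    static Rel compare(String name, String permitted) {
        String n = name.toLowerCase(Locale.ROOT);
        String p = permitted.toLowerCase(Locale.ROOT);
        if (n.equals(p)) return Rel.MATCH;
        if (n.endsWith("." + p)) return Rel.NARROWS;  // name lies inside the subtree
        if (p.endsWith("." + n)) return Rel.WIDENS;   // name is broader than the subtree
        return Rel.SAME_TYPE;                         // same type, unrelated name
    }

    // Assumed model of the symptom: a later WIDENS/SAME_TYPE result
    // overwrites an earlier MATCH/NARROWS result.
    static boolean verifyBuggy(String name, List<String> permitted) {
        boolean ok = true;
        for (String p : permitted) {
            Rel r = compare(name, p);
            ok = (r == Rel.MATCH || r == Rel.NARROWS);
        }
        return ok;
    }

    // Expected behaviour: one matching or narrowing permitted name is enough.
    // Reject only when same-type permitted names exist and none of them fits.
    static boolean verifyFixed(String name, List<String> permitted) {
        boolean sawSameType = false;
        for (String p : permitted) {
            Rel r = compare(name, p);
            if (r == Rel.MATCH || r == Rel.NARROWS) return true;
            sawSameType = true;
        }
        return !sawSameType;
    }

    public static void main(String[] args) {
        // Constructed sample data: two permitted names of the same type.
        List<String> permitted = List.of("example.com", "example.org");
        for (String name : List.of("www.example.com", "www.example.org", "www.example.net")) {
            System.out.printf("%-16s buggy=%-5b fixed=%b%n", name,
                    verifyBuggy(name, permitted), verifyFixed(name, permitted));
        }
    }
}
```

The two functions disagree only for `www.example.com`, which narrows the first permitted name and is unrelated to the second; with a single permitted name they always agree, matching the report's note that the problem needs more than one permitted name of the same type.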