Merge branch 'policy-constraints'

Fixes handling of invalid policies in end entity certificates by not rejecting
the full certificate, but just invalidating the affected policy. Additionally
adds a bunch of unit tests for the constraints plugin, and some minor fixes
to the nameConstraints handling.

Currently we still reject CAs that use invalid policy mapping; we should accept
such certificates and just invalid affected policies in a next iteration.

Fixes #453.