apple
diff --git a/‎Sources/X509/CMakeLists.txt
+2 b/‎Sources/X509/CMakeLists.txt
+2
diff --git a/‎Sources/X509/CryptographicMessageSyntax/CMSOperations.swift
+23-19 b/‎Sources/X509/CryptographicMessageSyntax/CMSOperations.swift
+23-19
diff --git a/‎Sources/X509/OCSP/OCSPPolicy.swift
+5-6 b/‎Sources/X509/OCSP/OCSPPolicy.swift
+5-6
diff --git a/‎Sources/X509/Verifier/AnyPolicy.swift
+103 b/‎Sources/X509/Verifier/AnyPolicy.swift
+103
@@ -81,7 +81,9 @@ add_library(X509
   "SEC1PrivateKey.swift"
   "Signature.swift"
   "SignatureAlgorithm.swift"
+  "Verifier/AnyPolicy.swift"
   "Verifier/CertificateStore.swift"
+  "Verifier/PolicyBuilder.swift"
   "Verifier/RFC5280/BasicConstraintsPolicy.swift"
   "Verifier/RFC5280/DNSNames.swift"
   "Verifier/RFC5280/DirectoryNames.swift"
 
@@ -93,13 +93,16 @@ public enum CMS {
         signatureBytes: SignatureBytes,
         additionalIntermediateCertificates: [Certificate] = [],
         trustRoots: CertificateStore,
-        policy: PolicySet
-    ) async -> SignatureVerificationResult {
+        @PolicyBuilder policy: () throws -> some VerifierPolicy
+    ) async rethrows -> SignatureVerificationResult {
+        let signedData: CMSSignedData
+        let signingCert: Certificate
         do {
             let parsedSignature = try CMSContentInfo(derEncoded: ArraySlice(signatureBytes))
-            guard let signedData = try parsedSignature.signedData else {
+            guard let _signedData = try parsedSignature.signedData else {
                 return .failure(.init(invalidCMSBlockReason: "Unable to parse signed data"))
             }
+            signedData = _signedData
 
             // We have a bunch of very specific requirements here: in particular, we need to have only one signature. We also only want
             // to tolerate v1 signatures and detached signatures.
@@ -134,9 +137,10 @@ public enum CMS {
 
             // Ok, now we need to find the signer. We expect to find them in the list of certificates provided
             // in the signature.
-            guard let signingCert = try signedData.certificates?.certificate(signerInfo: signer) else {
+            guard let _signingCert = try signedData.certificates?.certificate(signerInfo: signer) else {
                 return .failure(.init(invalidCMSBlockReason: "Unable to locate signing certificate"))
             }
+            signingCert = _signingCert
 
             // Ok at this point we've done the cheap stuff and we're fairly confident we have the entity who should have
             // done the signing. Our next step is to confirm that they did in fact sign the data. For that we have to compute
@@ -145,24 +149,24 @@ public enum CMS {
             guard signingCert.publicKey.isValidSignature(signature, for: dataBytes, signatureAlgorithm: signatureAlgorithm) else {
                 return .failure(.init(invalidCMSBlockReason: "Invalid signature from signing certificate: \(signingCert)"))
             }
-
-            // Ok, the signature was signed by the private key associated with this cert. Now we need to validate the certificate.
-            // This force-unwrap is safe: we know there are certificates because we've located at least one certificate from this set!
-            var untrustedIntermediates = CertificateStore(signedData.certificates!)
-            untrustedIntermediates.insert(contentsOf: additionalIntermediateCertificates)
-            
-            var verifier = Verifier(rootCertificates: trustRoots, policy: policy)
-            let result = await verifier.validate(leafCertificate: signingCert, intermediates: untrustedIntermediates)
-
-            switch result {
-            case .validCertificate:
-                return .success(.init(signer: signingCert))
-            case .couldNotValidate(let validationFailures):
-                return .failure(.unableToValidateSigner(.init(validationFailures: validationFailures, signer: signingCert)))
-            }
         } catch {
             return .failure(.invalidCMSBlock(.init(reason: String(describing: error))))
         }
+
+        // Ok, the signature was signed by the private key associated with this cert. Now we need to validate the certificate.
+        // This force-unwrap is safe: we know there are certificates because we've located at least one certificate from this set!
+        var untrustedIntermediates = CertificateStore(signedData.certificates!)
+        untrustedIntermediates.insert(contentsOf: additionalIntermediateCertificates)
+        
+        var verifier = try Verifier(rootCertificates: trustRoots, policy: policy)
+        let result = await verifier.validate(leafCertificate: signingCert, intermediates: untrustedIntermediates)
+
+        switch result {
+        case .validCertificate:
+            return .success(.init(signer: signingCert))
+        case .couldNotValidate(let validationFailures):
+            return .failure(.unableToValidateSigner(.init(validationFailures: validationFailures, signer: signingCert)))
+        }
     }
 
     @_spi(CMS)
 
@@ -401,12 +401,11 @@ extension OCSPVerifierPolicy.Storage {
         }
 
         var verifier = Verifier(
-            rootCertificates: CertificateStore([issuer]),
-            policy: PolicySet(policies: [
-                OCSPResponderSigningPolicy(issuer: issuer),
-                RFC5280Policy(validationTime: validationTime),
-            ])
-        )
+            rootCertificates: CertificateStore([issuer])
+        ) {
+            OCSPResponderSigningPolicy(issuer: issuer)
+            RFC5280Policy(validationTime: validationTime)
+        }
 
         let validationResult = await verifier.validate(leafCertificate: leafCertificate, intermediates: CertificateStore())
 
 
@@ -0,0 +1,103 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCertificates open source project
+//
+// Copyright (c) 2022-2023 Apple Inc. and the SwiftCertificates project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftCertificates project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+import SwiftASN1
+
+
+/// ``AnyPolicy`` can be used to erase the concrete type of some ``VerifierPolicy``.
+///  Only use ``AnyPolicy`` if type erasure is necessary.
+///  Instead try to use conditional inclusion of different policies using ``PolicyBuilder``.
+///
+/// Use ``AnyPolicy`` at the top level during construction of a ``Verifier`` to get a ``Verifier`` of type `Verifier<AnyPolicy>` e.g.:
+/// ```swift
+/// let verifier = Verifier(rootCertificates: CertificateStore()) {
+///     AnyPolicy {
+///         RFC5280Policy(validationTime: Date())
+///     }
+/// }
+/// ```
+public struct AnyPolicy: VerifierPolicy {
+    @usableFromInline
+    var policy: any VerifierPolicy
+    
+    
+    @inlinable
+    /// Erases the type of some ``VerifierPolicy`` to ``AnyPolicy``.
+    /// - Parameter policy: the concrete ``VerifierPolicy``
+    public init(_ policy: some VerifierPolicy) {
+        self.policy = policy
+    }
+    
+    /// Erases the type of some ``VerifierPolicy`` to ``AnyPolicy``.
+    /// - Parameter policy: the ``VerifierPolicy`` constructed using the ``PolicyBuilder`` DSL.
+    @inlinable
+    public init(@PolicyBuilder makePolicy: () throws -> some VerifierPolicy) rethrows {
+        self.init(try makePolicy())
+    }
+    
+    @inlinable
+    public var verifyingCriticalExtensions: [SwiftASN1.ASN1ObjectIdentifier] {
+        policy.verifyingCriticalExtensions
+    }
+    
+    @inlinable
+    public mutating func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+        await policy.chainMeetsPolicyRequirements(chain: chain)
+    }
+}
+
+struct LegacyPolicySet: VerifierPolicy {
+    let verifyingCriticalExtensions: [ASN1ObjectIdentifier]
+
+    var policies: [any VerifierPolicy]
+
+    init(policies: [any VerifierPolicy]) {
+        self.policies = policies
+
+        var extensions: [ASN1ObjectIdentifier] = []
+        extensions.reserveCapacity(policies.reduce(into: 0, { $0 += $1.verifyingCriticalExtensions.count }))
+
+        for policy in policies {
+            extensions.append(contentsOf: policy.verifyingCriticalExtensions)
+        }
+
+        self.verifyingCriticalExtensions = extensions
+    }
+
+    mutating func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+        var policyIndex = self.policies.startIndex
+
+        while policyIndex < self.policies.endIndex {
+            switch await self.policies[policyIndex].chainMeetsPolicyRequirements(chain: chain) {
+            case .meetsPolicy:
+                ()
+            case .failsToMeetPolicy(reason: let reason):
+                return .failsToMeetPolicy(reason: reason)
+            }
+
+            self.policies.formIndex(after: &policyIndex)
+        }
+
+        return .meetsPolicy
+    }
+}
+
+@available(*, deprecated, message: "use PolicyBuilder to construct a custom policy")
+public typealias PolicySet = AnyPolicy
+
+extension AnyPolicy {
+    @available(*, deprecated, message: "use PolicyBuilder to construct a custom policy")
+    public init(policies: [any VerifierPolicy]) {
+        self.init(LegacyPolicySet(policies: policies))
+    }
+}