Unable to build certificate path with link certificates that could be resolved until JDK8u362

Solution Verified - Updated -

Issue

  • The following exception is thrown after upgrading to JDK8u372 or later. The same application does not throw the exception on JDK8u362 or earlier.
Exception in thread "main" sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at CertPath.validateCertification(CertPath.java:41)
    at CertPath.main(CertPath.java:10)
  • The CertStore holds the leaf certificate and two link certificates, OldWithNew and NewWithOld, as follows:

    • leaf certificate, signed by old root CA:
      • Subject: C = JP, O = "Red Hat,Inc", CN = test
      • Issuer: C = JP, O = Test Organization, OU = Test OrganizationUnit
    • link-certificate OldWithNew, signed by new root CA
      • Subject: C = JP, O = Test Organization, OU = Test OrganizationUnit
      • Issuer: C = JP, O = Test Organization, OU = Test OrganizationUnit (signed by new CA)
    • link-certificate NewWithOld, signed by old root CA
      • Subject: C = JP, O = Test Organization, OU = Test OrganizationUnit
      • Issuer: C = JP, O = Test Organization, OU = Test OrganizationUnit (signed by old CA)
  • The trust anchor in the trusted store is the new root CA certificate as NewWithNew:

    • Subject: C = JP, O = Test Organization, OU = Test OrganizationUnit
    • Issuer: C = JP, O = Test Organization, OU = Test OrganizationUnit (self-signed)
  • The expected certification path is [leaf] -> [OldWithNew] -> [NewWithNew].

  • The PKI is based on RFC 4210 and issues the link certificates OldWithNew and NewWithOld, which have the same Issuer and Subject, when the root CA private key is renewed.
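
A diagnostic for the setup described above, as an added example that is not part of the original article. It reports which stored certificates were signed with the trust anchor's key, because the two link certificates cannot be told apart by Subject and Issuer, and then attempts the same PKIX path build. The class name, the PEM file names and the disabled revocation check are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not the article's code. File names are hypothetical:
//   java LinkCertPathCheck NewWithNew.pem leaf.pem OldWithNew.pem NewWithOld.pem
public class LinkCertPathCheck {
    static X509Certificate load(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // True when cert carries a valid signature made with signer's key.
    static boolean signedBy(X509Certificate cert, X509Certificate signer) {
        try { cert.verify(signer.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) throw new IllegalArgumentException("usage: anchor leaf [link...]");
        X509Certificate anchor = load(args[0]);
        List<X509Certificate> store = new ArrayList<>();
        for (int i = 1; i < args.length; i++) store.add(load(args[i]));

        // Both link certificates share Subject and Issuer, so name comparison cannot
        // tell them apart; report whether the trust anchor's key signed each one.
        for (int i = 0; i < store.size(); i++)
            System.out.println(args[i + 1] + " subject=" + store.get(i).getSubjectX500Principal()
                + " signedByAnchorKey=" + signedBy(store.get(i), anchor));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(store.get(0));                 // the leaf is the path target
        PKIXBuilderParameters params = new PKIXBuilderParameters(
            Collections.singleton(new TrustAnchor(anchor, null)), target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(store)));
        params.setRevocationEnabled(false); // assumption: test PKI has no CRL/OCSP; keep enabled in production

        try {
            CertPath path = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
            for (Certificate c : path.getCertificates())     // the trust anchor is not part of the path
                System.out.println("path: " + ((X509Certificate) c).getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("build failed: " + e.getMessage());
        }
    }
}
```

With the certificates described above, only OldWithNew should report `signedByAnchorKey=true`, and a successful build prints the leaf followed by OldWithNew.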

Environment

  • OpenJDK
    • 8 update 372 or later
    • 11 update 19 or later
    • 17 update 7 or later
