Our implementation of CertPathValidator (sun.security.provider.certpath.PKIXCertPathValidator) should check whether the proposed final certificate matches the CertSelector provided as the targetCertConstraints parameter of the PKIXParameters object (if any). Instead, it only checks certain fields (subject, key usage, extended key usage, and subject alternative names).

Also, our implementation of CertPathBuilder (sun.security.provider.certpath.SunCertPathBuilder) throws a ClassCastException if the CertSelector provided as the targetCertConstraints parameter of the PKIXParameters object isn't an X509CertSelector. It should throw an InvalidAlgorithmParameterException instead.