JDK-8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime

Details

  • b22
  • x86
  • linux
  • Verified

Description

FULL PRODUCT VERSION :
Reproed on JDK7 but can see that the code is still the same in JDK9-dev

ADDITIONAL OS VERSION INFORMATION :
RHEL 7.3

A DESCRIPTION OF THE PROBLEM :
KerberosTicket.init() has the following code which assumes that, if a ticket has the RENEWABLE flag set, it must also have a renewTill date:

    if (this.flags[RENEWABLE_TICKET_FLAG]) {
        if (renewTill == null) {
            throw new IllegalArgumentException("The renewable period "
                    + "end time cannot be null for renewable tickets.");
        }
        this.renewTill = new Date(renewTill.getTime());
    }

However, this is not actually the case, at least in Kerberos 1.14 as installed on RHEL7.

1) Here at 18:39:00 we renew a Kerberos ticket and show the ticket cache. The resulting ticket has a renewTill = 18:39:31. The lifetime on this system has been configured to 30 seconds, so the ticket expires at 18:39:30 (1 second before the renewTill date).

    $ kinit -R ; klist -f
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM

    Valid starting       Expires              Service principal
    08/21/2017 18:39:00  08/21/2017 18:39:30  krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
        renew until 08/21/2017 18:39:31, Flags: FRIT

2) If we wait another second and renew again, we can see that the resulting ticket has no 'renewTill' date, but still has the R (RENEWABLE) flag:

    [root@impala-sasl-1 ~]# kinit -R ; klist -f
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM

    Valid starting       Expires              Service principal
    08/21/2017 18:39:01  08/21/2017 18:39:31  krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
        Flags: FRIT
    [root@impala-sasl-1 ~]#

When I try to load this ticket cache from a Java program, it fails with the above-mentioned IllegalArgumentException.

    [1] javax.security.auth.kerberos.KerberosTicket.init (KerberosTicket.java:306)
    [2] javax.security.auth.kerberos.KerberosTicket.init (KerberosTicket.java:259)
    [3] javax.security.auth.kerberos.KerberosTicket.<init> (KerberosTicket.java:241)
    [4] sun.security.jgss.krb5.Krb5Util.credsToTicket (Krb5Util.java:342)
    [5] com.sun.security.auth.module.Krb5LoginModule.commit (Krb5LoginModule.java:1,028)
    [6] sun.reflect.NativeMethodAccessorImpl.invoke0 (native method)
    [7] sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:57)
    [8] sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    [9] java.lang.reflect.Method.invoke (Method.java:606)
    [10] javax.security.auth.login.LoginContext.invoke (LoginContext.java:762)


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Configure a KDC with renew_lifetime = 1m and ticket_lifetime = 30s
2) Obtain a ticket
3) Wait 35 seconds
4) Renew the ticket
5) Try to login from the ticket cache using Krb5LoginModule

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The Kerberos ticket should load successfully and be treated the same as a non-renewable ticket.
ACTUAL -
An IAE is thrown by the Krb5LoginModule

ERROR MESSAGES/STACK TRACES THAT OCCUR :
    >>>DEBUG <CCacheInputStream> client principal is kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
    >>>DEBUG <CCacheInputStream> key type: 16
    >>>DEBUG <CCacheInputStream> auth time: Mon Aug 21 18:37:00 PDT 2017
    >>>DEBUG <CCacheInputStream> start time: Mon Aug 21 18:37:30 PDT 2017
    >>>DEBUG <CCacheInputStream> end time: Mon Aug 21 18:38:00 PDT 2017
    >>>DEBUG <CCacheInputStream> renew_till time: null
    >>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL;
    Ticket could not be renewed : null
    Principal is null

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
We are planning to work around the issue by not renewing tickets using 'kinit' when the remaining life is less than one renewal period.
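The failure described above, and the "treat it as a non-renewable ticket" handling the report asks for, as an added Java example; this is not JDK code and not the reporter's code. It reproduces the condition in-process (RENEWABLE flag set, renewTill null) without a KDC, because the KerberosTicket constructor stores the ASN.1 encoding and session-key bytes without decoding them, so constructed placeholder bytes are enough. The flag index 8 for RENEWABLE (RFC 4120 TicketFlags bit 8, the value of KerberosTicket's RENEWABLE_TICKET_FLAG), the principal names and key type 16 taken from the debug log, and the method names normalizeFlags and buildTicket are this example's own choices. On a JDK that already contains the fix for this issue, step 1 may construct the ticket instead of throwing; the program reports which happened.

```java
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class RenewableTicketCheck {

    // Index of the RENEWABLE flag in the KerberosTicket flags array
    // (RFC 4120 TicketFlags bit 8); assumed here, matches KerberosTicket.RENEWABLE_TICKET_FLAG.
    private static final int RENEWABLE_TICKET_FLAG = 8;

    /**
     * Caller-side workaround (not JDK behaviour): a ticket that carries the RENEWABLE
     * flag but has no renew-till time cannot be renewed any further, so it is treated
     * exactly like a non-renewable ticket by clearing the flag before construction.
     */
    static boolean[] normalizeFlags(boolean[] flags, Date renewTill) {
        boolean[] copy = flags.clone();
        if (copy.length > RENEWABLE_TICKET_FLAG
                && copy[RENEWABLE_TICKET_FLAG] && renewTill == null) {
            copy[RENEWABLE_TICKET_FLAG] = false;
        }
        return copy;
    }

    /** Builds a KerberosTicket from constructed placeholder values; no KDC is contacted. */
    static KerberosTicket buildTicket(boolean[] flags, Date renewTill, boolean normalize) {
        byte[] placeholderEncoding = new byte[] { 0x61, 0x00 }; // constructed, not a real ticket
        byte[] placeholderSessionKey = new byte[24];            // constructed key bytes
        int keyType = 16;                                       // des3-cbc-sha1, as in the debug log
        KerberosPrincipal client = new KerberosPrincipal(
                "kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM");
        KerberosPrincipal server = new KerberosPrincipal(
                "krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM");
        long now = System.currentTimeMillis();
        Date authTime = new Date(now - 60_000L);
        Date startTime = new Date(now - 30_000L);
        Date endTime = new Date(now + 30_000L);
        boolean[] effectiveFlags = normalize ? normalizeFlags(flags, renewTill) : flags;
        return new KerberosTicket(placeholderEncoding, client, server, placeholderSessionKey,
                keyType, effectiveFlags, authTime, startTime, endTime, renewTill, null);
    }

    public static void main(String[] args) {
        // Same flag set the credential cache reader logged: FORWARDABLE; RENEWABLE; INITIAL
        boolean[] flags = new boolean[32];
        flags[1] = true;                      // FORWARDABLE
        flags[RENEWABLE_TICKET_FLAG] = true;  // RENEWABLE
        flags[9] = true;                      // INITIAL

        // 1. The condition from the report: RENEWABLE set, renew_till null.
        try {
            buildTicket(flags, null, false);
            System.out.println("This JDK accepts a renewable ticket without renewTill.");
        } catch (IllegalArgumentException e) {
            System.out.println("This JDK rejects the ticket: " + e.getMessage());
        }

        // 2. With the flag normalised, construction succeeds on every JDK and the
        //    ticket is reported as non-renewable, which is the expected behaviour.
        KerberosTicket t = buildTicket(flags, null, true);
        System.out.println("renewable after normalisation: " + t.isRenewable());
        System.out.println("renew-till after normalisation: " + t.getRenewTill());
    }
}
```

Compile and run with `javac RenewableTicketCheck.java && java RenewableTicketCheck`. The normalisation belongs at the point where ticket fields are read out of the credential cache and before they reach the KerberosTicket constructor; a caller that sits behind Krb5LoginModule cannot intercept that call, which is why the reporter's workaround instead avoids producing such a ticket in the first place.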

People

weijun Weijun Wang
webbuggrp Webbug Group