Please take a review at https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much. Thanks, Max
