In JDK 7, we have two types of trust managers, X509TrustManager and X509ExtendedTrustManager. X509ExtendedTrustManager is introduced in JDK 7 in order to support TLS 1.2. Oracle provider will use X509ExtendedTrustManager in JDK 7. Applications may still use X509TrustManager as the super class as their customized trust manager. For compatibility, we have to wrap these trust managers into X509ExtendedTrustManager so that they can work with TLS 1.2.
Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need the additional checking to ensure the wrapped trust manager also do the constraints checking properly, although it may have been done in the customized trust manager.
The issue here is that for customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is MD2 algorithm signed, it will be denied by the wrapped trust manager.