Certificate path builder for new certificate verification library

net/cert/internal/trust_store.cc

Index: net/cert/internal/trust_store.cc
diff --git a/net/cert/internal/trust_store.cc b/net/cert/internal/trust_store.cc
index 892698ba5f6928fd3a64929a739c630bf64dac25..d148188d58a2d0e7f263c877a06e6d09860befd8 100644
--- a/net/cert/internal/trust_store.cc
+++ b/net/cert/internal/trust_store.cc
@@ -33,9 +33,13 @@ void TrustStore::FindTrustAnchorsByNormalizedName(
 bool TrustStore::IsTrustedCertificate(const ParsedCertificate* cert) const {
   auto range = anchors_.equal_range(cert->normalized_subject().AsStringPiece());
   for (auto it = range.first; it != range.second; ++it) {
-    // First compare the ParsedCertificate pointers as an optimization, fall
-    // back to comparing full DER encoding.
-    if (it->second == cert || it->second->der_cert() == cert->der_cert())
+    // First compare the ParsedCertificate pointers as an optimization.
+    if (it->second == cert ||
+        // Trust check is based on Name+SPKI match. This could match the same
+        // certificate stored in a different ParsedCertificate object, or a
+        // different cert that has the same Name+SPKI.
+        (it->second->normalized_subject() == cert->normalized_subject() &&
+         it->second->tbs().spki_tlv == cert->tbs().spki_tlv))
       return true;
   }
   return false;