Index: net/cert/internal/trust_store.cc |
diff --git a/net/cert/internal/trust_store.cc b/net/cert/internal/trust_store.cc |
index 892698ba5f6928fd3a64929a739c630bf64dac25..9eee6314db7687cdcbf700c5caac2dbd7be5cc47 100644 |
--- a/net/cert/internal/trust_store.cc |
+++ b/net/cert/internal/trust_store.cc |
@@ -24,7 +24,7 @@ void TrustStore::AddTrustedCertificate( |
void TrustStore::FindTrustAnchorsByNormalizedName( |
const der::Input& normalized_name, |
- std::vector<scoped_refptr<ParsedCertificate>>* matches) const { |
+ ParsedCertificateList* matches) const { |
auto range = anchors_.equal_range(normalized_name.AsStringPiece()); |
for (auto it = range.first; it != range.second; ++it) |
matches->push_back(it->second); |
@@ -33,9 +33,13 @@ void TrustStore::FindTrustAnchorsByNormalizedName( |
bool TrustStore::IsTrustedCertificate(const ParsedCertificate* cert) const { |
auto range = anchors_.equal_range(cert->normalized_subject().AsStringPiece()); |
for (auto it = range.first; it != range.second; ++it) { |
- // First compare the ParsedCertificate pointers as an optimization, fall |
- // back to comparing full DER encoding. |
- if (it->second == cert || it->second->der_cert() == cert->der_cert()) |
+ // First compare the ParsedCertificate pointers as an optimization. |
+ if (it->second == cert || |
+ // Trust check is based on Name+SPKI match. This could match the same |
+ // certificate stored in a different ParsedCertificate object, or a |
+ // different cert that has the same Name+SPKI. |
+ (it->second->normalized_subject() == cert->normalized_subject() && |
+ it->second->tbs().spki_tlv == cert->tbs().spki_tlv)) |
return true; |
} |
return false; |
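Review bot: The new comparison on L26–L27 widens what IsTrustedCertificate accepts from "byte-identical DER" to "same normalized subject and SPKI", so a certificate that shares an anchor's Name+SPKI but differs in validity, extensions or signature now reports trusted; the inline comment says so, but the function's contract in the header should state it as well, e.g. `// Returns true if |cert| matches a stored trust anchor by normalized subject name and SPKI (the trust-anchor identity of RFC 5280 §6.1.1(d)); no other field of the anchor is compared, so callers must not treat |cert|'s extensions or validity as those of the anchor.` The normalized_subject() comparison on L26 also looks redundant with the equal_range lookup on L16 if anchors_ is keyed by that same normalized subject; if so the condition reduces to `it->second == cert || it->second->tbs().spki_tlv == cert->tbs().spki_tlv`, which keeps the intent comment shorter. IsTrustedCertificate's closing brace lies outside the hunk.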