Certificate path builder for new certificate verification library

net/cert/internal/trust_store.cc

Index: net/cert/internal/trust_store.cc
diff --git a/net/cert/internal/trust_store.cc b/net/cert/internal/trust_store.cc
index 892698ba5f6928fd3a64929a739c630bf64dac25..9eee6314db7687cdcbf700c5caac2dbd7be5cc47 100644
--- a/net/cert/internal/trust_store.cc
+++ b/net/cert/internal/trust_store.cc
@@ -24,7 +24,7 @@ void TrustStore::AddTrustedCertificate(
 
 void TrustStore::FindTrustAnchorsByNormalizedName(
     const der::Input& normalized_name,
-    std::vector<scoped_refptr<ParsedCertificate>>* matches) const {
+    ParsedCertificateList* matches) const {
   auto range = anchors_.equal_range(normalized_name.AsStringPiece());
   for (auto it = range.first; it != range.second; ++it)
     matches->push_back(it->second);
@@ -33,9 +33,13 @@ void TrustStore::FindTrustAnchorsByNormalizedName(
 bool TrustStore::IsTrustedCertificate(const ParsedCertificate* cert) const {
   auto range = anchors_.equal_range(cert->normalized_subject().AsStringPiece());
   for (auto it = range.first; it != range.second; ++it) {
-    // First compare the ParsedCertificate pointers as an optimization, fall
-    // back to comparing full DER encoding.
-    if (it->second == cert || it->second->der_cert() == cert->der_cert())
+    // First compare the ParsedCertificate pointers as an optimization.
+    if (it->second == cert ||
+        // Trust check is based on Name+SPKI match. This could match the same
+        // certificate stored in a different ParsedCertificate object, or a
+        // different cert that has the same Name+SPKI.
+        (it->second->normalized_subject() == cert->normalized_subject() &&
+         it->second->tbs().spki_tlv == cert->tbs().spki_tlv))
       return true;
   }
   return false;