Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/path_builder.cc

Index: net/cert/internal/path_builder.cc
diff --git a/net/cert/internal/path_builder.cc b/net/cert/internal/path_builder.cc
index 291bcf5360643b4a7a76bc85273fe430c41cae70..11709c318312fa20cc348d0c1b78641233ee2d86 100644
--- a/net/cert/internal/path_builder.cc
+++ b/net/cert/internal/path_builder.cc
@@ -136,7 +136,9 @@ CertIssuersIter::CertIssuersIter(scoped_refptr<ParsedCertificate> in_cert,
 void CertIssuersIter::GetNextIssuer(CertificateOrTrustAnchor* out) {
   if (!did_initial_query_) {
     did_initial_query_ = true;
-    trust_store_->FindTrustAnchorsForCert(cert_, &anchors_);
+    ParsedCertificateList issuers_from_trust_store;
+    trust_store_->FindIssuers(cert_, &anchors_, &issuers_from_trust_store);
+    AddIssuers(std::move(issuers_from_trust_store));
 
     for (auto* cert_issuer_source : *cert_issuer_sources_) {
       ParsedCertificateList new_issuers;
@@ -550,6 +552,9 @@ void CertPathBuilder::DoGetNextPathComplete() {
            << verify_result;
   result_path->path = next_path_;
   DCHECK_EQ(verify_result, !result_path->errors.ContainsHighSeverityErrors());
+
+  // TODO(eroman): Check that none of the certificates are blacklisted.
+
   AddResultPath(std::move(result_path));
 
   if (verify_result) {