Currently we have:
The class should be: org.opensaml.security.trust.impl.ExplicitKeyTrustEngine.
The X509 certificate one compares the entire certificate for equality. We just want the keys compared, not the whole cert. We have never really used the certificate one, I just implemented it way back in the early days of pre-2.0, b/c it was easy.
This is a divergence from v2 (see the schema type "security:MetadataExplicitKey", and the MetadataExplicitKeyTrustEngineBeanDefinitionParser and related FactoryBean).