Remove trust from any certs in ScopedTestDB before closing it.

Otherwise NSS may cache verification results even after the test DB is gone.

BUG=569657
TEST=net_unittests --gtest_filter='CertDatabaseNSSTest.ImportCaAndServerCert:TestRootCertsTest.OverrideTrust' --gtest_shuffle --gtest_repeat=25

Review URL: https://codereview.chromium.org/1532223005

Cr-Commit-Position: refs/heads/master@{#367016}

crypto/scoped_test_nss_db.cc

@@ -4,6 +4,8 @@
 
 #include "crypto/scoped_test_nss_db.h"
 
+#include <cert.h>
+
 #include "base/logging.h"
 #include "base/threading/thread_restrictions.h"
 #include "crypto/nss_util.h"
@@ -26,6 +28,22 @@ ScopedTestNSSDB::ScopedTestNSSDB() {
 }
 
 ScopedTestNSSDB::~ScopedTestNSSDB() {
+  // Remove trust from any certs in the test DB before closing it. Otherwise NSS
+  // may cache verification results even after the test DB is gone.
+  if (slot_) {
+    CERTCertList* cert_list = PK11_ListCertsInSlot(slot_.get());
+    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
+         !CERT_LIST_END(node, cert_list);
+         node = CERT_LIST_NEXT(node)) {
+      CERTCertTrust trust = {0};
+      if (CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), node->cert, &trust) !=
+          SECSuccess) {
+        LOG(ERROR) << "CERT_ChangeCertTrust failed: " << PORT_GetError();
+      }
+    }
+    CERT_DestroyCertList(cert_list);
+  }
+
   // Don't close when NSS is < 3.15.1, because it would require an additional
   // sleep for 1 second after closing the database, due to
   // http://bugzil.la/875601.