Remove trust from any certs in ScopedTestDB before closing it.

crypto/scoped_test_nss_db.cc

Index: crypto/scoped_test_nss_db.cc
diff --git a/crypto/scoped_test_nss_db.cc b/crypto/scoped_test_nss_db.cc
index 452c26d73e50500dd820b58f3821387404414448..dc58031ce5dd63ea11f1c704c711df545442c081 100644
--- a/crypto/scoped_test_nss_db.cc
+++ b/crypto/scoped_test_nss_db.cc
@@ -4,6 +4,8 @@
 
 #include "crypto/scoped_test_nss_db.h"
 
+#include <cert.h>
+
 #include "base/logging.h"
 #include "base/threading/thread_restrictions.h"
 #include "crypto/nss_util.h"
@@ -26,6 +28,22 @@ ScopedTestNSSDB::ScopedTestNSSDB() {
 }
 
 ScopedTestNSSDB::~ScopedTestNSSDB() {
+  // Remove trust from any certs in the test DB before closing it. Otherwise NSS
+  // may cache verification results even after the test DB is gone.
+  if (slot_) {
+    CERTCertList* cert_list = PK11_ListCertsInSlot(slot_.get());
+    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
+         !CERT_LIST_END(node, cert_list);
+         node = CERT_LIST_NEXT(node)) {
+      CERTCertTrust trust = {0};
+      if (CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), node->cert, &trust) !=
+          SECSuccess) {
+        LOG(ERROR) << "CERT_ChangeCertTrust failed: " << PORT_GetError();
+      }
+    }
+    CERT_DestroyCertList(cert_list);
+  }
+
   // Don't close when NSS is < 3.15.1, because it would require an additional
   // sleep for 1 second after closing the database, due to
   // http://bugzil.la/875601.