Fix a problem that cert trust change needs a chrome restart to be effective.

This seems to be caused by CertVerifier's verification result cache.
- Added a new OnCertTrustChanged to CertDatabase::Observer;
- For NSS cert database, SetCertTrust triggers OnCertTrustChanged;
- Clear CertVerifier's result cache when OnCertDatabaseChanged is fired;

BUG=chromium-os:7988
TEST=Verify #2 issue in chromium-os:7988 where cert trust change only takes
effect after chrome restart.

Review URL: http://codereview.chromium.org/6816035

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81433 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 26 insertions, 4 deletions

diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc
index 1f8a76c..966dc69 100644
--- a/net/socket/client_socket_factory.cc
+++ b/net/socket/client_socket_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -41,7 +41,14 @@ class DefaultClientSocketFactory : public ClientSocketFactory,
     CertDatabase::RemoveObserver(this);
   }
 
-  virtual void OnUserCertAdded(X509Certificate* cert) {
+  virtual void OnUserCertAdded(const X509Certificate* cert) {
+    ClearSSLSessionCache();
+  }
+
+  virtual void OnCertTrustChanged(const X509Certificate* cert) {
+    // Per wtc, we actually only need to flush when trust is reduced.
+    // Always flush now because OnCertTrustChanged does not tell us this.
+    // See comments in ClientSocketPoolManager::OnCertTrustChanged.
     ClearSSLSessionCache();
   }
 
diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc
index d9a2225..de29bd5 100644
--- a/net/socket/client_socket_pool_manager.cc
+++ b/net/socket/client_socket_pool_manager.cc
@@ -580,7 +580,21 @@ Value* ClientSocketPoolManager::SocketPoolInfoToValue() const {
   return list;
 }
 
-void ClientSocketPoolManager::OnUserCertAdded(X509Certificate* cert) {
+void ClientSocketPoolManager::OnUserCertAdded(const X509Certificate* cert) {
+  FlushSocketPools();
+}
+
+void ClientSocketPoolManager::OnCertTrustChanged(const X509Certificate* cert) {
+  // We should flush the socket pools if we removed trust from a
+  // cert, because a previously trusted server may have become
+  // untrusted.
+  //
+  // We should not flush the socket pools if we added trust to a
+  // cert.
+  //
+  // Since the OnCertTrustChanged method doesn't tell us what
+  // kind of trust change it is, we have to flush the socket
+  // pools to be safe.
   FlushSocketPools();
 }
 
diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h
index ca580e4..54b13f7 100644
--- a/net/socket/client_socket_pool_manager.h
+++ b/net/socket/client_socket_pool_manager.h
@@ -150,7 +150,8 @@ class ClientSocketPoolManager : public base::NonThreadSafe,
   Value* SocketPoolInfoToValue() const;
 
   // CertDatabase::Observer methods:
-  virtual void OnUserCertAdded(X509Certificate* cert);
+  virtual void OnUserCertAdded(const X509Certificate* cert);
+  virtual void OnCertTrustChanged(const X509Certificate* cert);
 
  private:
   friend class HttpNetworkSessionPeer;