Refactor how Chrome Root Store is enabled in builds where it is optional

Previously the choice to use CRS is locked in by cert_verifier_configuration.cc on the first time it is initialized. However this would be problematic for enterprise policies especially on chromeos where the profile policies won't be loaded during the login screen, so the wrong value could get locked in.

Make the policy support dynamic_refresh, so that it would be applied once the profile policy loads. Making it support dynamic_refresh also makes the policy more user-friendly in other scenarios too.

To do this the CRS boolean is added as another parameter to the CertVerifierWithUpdatableProc factory, so that the factory can create a new verifier with or without CRS when the parameter changes. The parameter is saved by the CertVerifierServiceFactory so that all verifiers created by the factory will use the same setting, and any existing verifiers created by the factory will be updated to use the new setting if it changes.

Bug: 1340420, 1352171
Change-Id: I4a6ad6abffb1036ab47db1795ed81c7adfaac7a5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4390596
Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1128702}