Bug 987816 - test certificateUsageVerifyCA can return success. r=dkeeler

--HG--
rename : toolkit/library/libxul.mk => toolkit/library/Makefile.in
rename : toolkit/library/libxul.mozbuild => toolkit/library/moz.build
extra : rebase_source : 145fd4fce17325ca9e34681f3451c66c33bfd1a1

security/manager/ssl/tests/unit/head_psm.js

@@ -100,6 +100,19 @@ function getXPCOMStatusFromNSS(statusNSS) {
   return nssErrorsService.getXPCOMFromNSSError(statusNSS);
 }
 
+function checkCertErrorGeneric(certdb, cert, expectedError, usage) {
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain,
+                                   hasEVPolicy);
+  // expected error == -1 is a special marker for any error is OK
+  if (expectedError != -1 ) {
+    do_check_eq(error, expectedError);
+  } else {
+    do_check_neq (error, 0);
+  }
+}
+
 function _getLibraryFunctionWithNoArguments(functionName, libraryName) {
   // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
   let path = ctypes.libraryName(libraryName);

security/manager/ssl/tests/unit/test_certificate_usages.js

@@ -124,7 +124,9 @@ function run_test_in_mode(useMozillaPKIX) {
     cert.getUsagesString(true, verified, usages);
     do_print("usages.value=" + usages.value);
     do_check_eq(ca_usages[i], usages.value);
-
+    if (ca_usages[i].indexOf('SSL CA') != -1) {
+      checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA);
+    }
     //now the ee, names also one based
     for (var j = 0; j < ee_usages[i].length; j++) {
       var ee_name = "ee-" + (j + 1) + "-" + ca_name;