bug 1453741 - (1/2) remove nsIX509CertDB.verifyCert{AtTime,Now} r=fkiefer,jcj
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 11 Apr 2018 16:23:48 -0700
changeset 413924 c76fdea6986887d84c1d252634f2a68228e375f6
parent 413923 9a18481b44cdc5e2762631a4acc760dd54eb6a6a
child 413925 00a9881a5ceb8e1d345a39c4c425f5fd88b4aa76
push id33853
push usercbrindusan@mozilla.com
push dateTue, 17 Apr 2018 09:51:13 +0000
treeherdermozilla-central@8b0ba3f7d099 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersfkiefer, jcj
bugs1453741
milestone61.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1453741 - (1/2) remove nsIX509CertDB.verifyCert{AtTime,Now} r=fkiefer,jcj These functions perform certificate verification on the main thread, which is already a bad idea. They can also cause OCSP requests to be made from the main thread, which will cause nested event loop spinning, which is an even worse idea. Luckily this really only affects tests. MozReview-Commit-ID: LqDAgDmlyER
security/manager/ssl/nsIX509CertDB.idl
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_add_preexisting_cert.js
security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
security/manager/ssl/tests/unit/test_cert_blocklist.js
security/manager/ssl/tests/unit/test_cert_eku.js
security/manager/ssl/tests/unit/test_cert_embedded_null.js
security/manager/ssl/tests/unit/test_cert_sha1.js
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_trust.js
security/manager/ssl/tests/unit/test_cert_version.js
security/manager/ssl/tests/unit/test_keysize.js
security/manager/ssl/tests/unit/test_keysize_ev.js
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
security/manager/ssl/tests/unit/test_ocsp_private_caching.js
security/manager/ssl/tests/unit/test_ocsp_url.js
security/manager/ssl/tests/unit/test_pinning_dynamic.js
security/manager/ssl/tests/unit/test_startcom_wosign.js
security/manager/ssl/tests/unit/test_symantec_apple_google.js
security/manager/ssl/tests/unit/test_validity.js
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -295,64 +295,38 @@ interface nsIX509CertDB : nsISupports {
    *              effectively ignored by gecko, but they still must be specified
    *              (at least by a final trailing comma) because this argument is
    *              passed to CERT_DecodeTrustString.
    * @return nsIX509Cert the resulting certificate
    */
   [must_use]
   nsIX509Cert addCert(in ACString certDER, in ACString trust);
 
-  // Flags for verifyCertNow (these must match the values in CertVerifier.cpp):
-  // Prevent network traffic. Doesn't work with classic verification.
+  // Flags for asyncVerifyCertAtTime (these must match the values in
+  // CertVerifier.cpp):
+  // Prevent network traffic.
   const uint32_t FLAG_LOCAL_ONLY = 1 << 0;
   // Do not fall back to DV verification after attempting EV validation.
-  // Actually does prevent network traffic, but can cause a valid EV
-  // certificate to not be considered valid.
   const uint32_t FLAG_MUST_BE_EV = 1 << 1;
 
-  /** Warning: This interface is inteded to use only for testing only as:
-   *    1. It can create IO on the main thread.
-   *    2. It is in constant change, so in/out can change at any release.
-   *
-   *  Obtain the verification result for a cert given a particular usage.
-   *  On success, the call returns 0, the chain built during verification,
-   *  and whether the cert is good for EV usage.
-   *  On failure, the call returns the PRErrorCode for the verification failure
+  /*
+   * Asynchronously verify a certificate given a set of parameters. Calls the
+   * `verifyCertFinished` function on the provided `nsICertVerificationCallback`
+   * with the results of the verification operation.
+   * See the documentation for  nsICertVerificationCallback.
    *
-   *  @param aCert Obtain the stored trust of this certificate
-   *  @param aUsage a integer representing the usage from NSS
-   *  @param aFlags flags as described above
-   *  @param aHostname the (optional) hostname to verify for
-   *  @param aTime the time at which to verify, in seconds since the epoch
-   *  @param aVerifiedChain chain of verification up to the root if success
-   *  @param aHasEVPolicy bool that signified that the cert was an EV cert
-   *  @return 0 if success or the value or the error code for the verification
-   *          failure
-   */
-  [must_use]
-  int32_t /*PRErrorCode*/
-    verifyCertAtTime(in nsIX509Cert aCert,
-                     in int64_t /*SECCertificateUsage*/ aUsage,
-                     in uint32_t aFlags,
-                     in ACString aHostname,
-                     in uint64_t aTime,
-                     out nsIX509CertList aVerifiedChain,
-                     out bool aHasEVPolicy);
-  [must_use]
-  int32_t /*PRErrorCode*/
-    verifyCertNow(in nsIX509Cert aCert,
-                  in int64_t /*SECCertificateUsage*/ aUsage,
-                  in uint32_t aFlags,
-                  in ACString aHostname,
-                  out nsIX509CertList aVerifiedChain,
-                  out bool aHasEVPolicy);
-
-  /**
-   * Similar to the above, but asynchronous. As a result, use of this API is not
-   * limited to tests.
+   * @param aCert the certificate to verify
+   * @param aUsage an integer representing the usage to verify for (see
+   *               SECCertificateUsage in certt.h from NSS)
+   * @param aFlags flags as described above
+   * @param aHostname the (optional) hostname to verify for
+   * @param aTime the time at which to verify, in seconds since the epoch
+   * @param aCallback the nsICertVerificationCallback that will receive the
+                      results of this verification
+   * @return a succeeding nsresult if the job was dispatched successfully
    */
   [must_use]
   void asyncVerifyCertAtTime(in nsIX509Cert aCert,
                              in int64_t /*SECCertificateUsage*/ aUsage,
                              in uint32_t aFlags,
                              in ACString aHostname,
                              in uint64_t aTime,
                              in nsICertVerificationCallback aCallback);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1301,45 +1301,16 @@ VerifyCertAtTime(nsIX509Cert* aCert,
   if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) {
     *aHasEVPolicy = true;
   }
   nssCertList.forget(aVerifiedChain);
 
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
-                                  int64_t /*SECCertificateUsage*/ aUsage,
-                                  uint32_t aFlags,
-                                  const nsACString& aHostname,
-                                  nsIX509CertList** aVerifiedChain,
-                                  bool* aHasEVPolicy,
-                                  int32_t* /*PRErrorCode*/ _retval)
-{
-  return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
-                            mozilla::pkix::Now(),
-                            aVerifiedChain, aHasEVPolicy, _retval);
-}
-
-NS_IMETHODIMP
-nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert,
-                                     int64_t /*SECCertificateUsage*/ aUsage,
-                                     uint32_t aFlags,
-                                     const nsACString& aHostname,
-                                     uint64_t aTime,
-                                     nsIX509CertList** aVerifiedChain,
-                                     bool* aHasEVPolicy,
-                                     int32_t* /*PRErrorCode*/ _retval)
-{
-  return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
-                            mozilla::pkix::TimeFromEpochInSeconds(aTime),
-                            aVerifiedChain, aHasEVPolicy, _retval);
-}
-
 class VerifyCertAtTimeTask final : public CryptoTask
 {
 public:
   VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags,
                        const nsACString& aHostname, uint64_t aTime,
                        nsICertVerificationCallback* aCallback)
     : mCert(aCert)
     , mUsage(aUsage)
@@ -1356,19 +1327,20 @@ public:
 
 private:
   virtual nsresult CalculateResult() override
   {
     nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
     if (!certDB) {
       return NS_ERROR_FAILURE;
     }
-    return certDB->VerifyCertAtTime(mCert, mUsage, mFlags, mHostname, mTime,
-                                    getter_AddRefs(mVerifiedCertList),
-                                    &mHasEVPolicy, &mPRErrorCode);
+    return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname,
+                            mozilla::pkix::TimeFromEpochInSeconds(mTime),
+                            getter_AddRefs(mVerifiedCertList),
+                            &mHasEVPolicy, &mPRErrorCode);
   }
 
   virtual void CallCallback(nsresult rv) override
   {
     if (NS_FAILED(rv)) {
       Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE,
                                               nullptr, false);
     } else {
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -171,49 +171,63 @@ function setCertTrust(cert, trustString)
 }
 
 function getXPCOMStatusFromNSS(statusNSS) {
   let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                            .getService(Ci.nsINSSErrorsService);
   return nssErrorsService.getXPCOMFromNSSError(statusNSS);
 }
 
+// Helper for checkCertErrorGenericAtTime
+class CertVerificationExpectedErrorResult {
+  constructor(certName, expectedError, expectedEVStatus, resolve) {
+    this.certName = certName;
+    this.expectedError = expectedError;
+    this.expectedEVStatus = expectedEVStatus;
+    this.resolve = resolve;
+  }
+
+  verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+    equal(aPRErrorCode, this.expectedError,
+          `verifying ${this.certName}: should get error ${this.expectedError}`);
+    if (this.expectedEVStatus != undefined) {
+      equal(aHasEVPolicy, this.expectedEVStatus,
+            `verifying ${this.certName}: ` +
+            `should ${this.expectedEVStatus ? "be" : "not be"} EV`);
+    }
+    this.resolve();
+  }
+}
+
 // certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
 // In particular, hostname is optional.
 function checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, time,
-                                     /* optional */ hasEVPolicy,
+                                     /* optional */ isEVExpected,
                                      /* optional */ hostname) {
-  info(`cert cn=${cert.commonName}`);
-  info(`cert issuer cn=${cert.issuerCommonName}`);
-  let verifiedChain = {};
-  let error = certdb.verifyCertAtTime(cert, usage, NO_FLAGS, hostname, time,
-                                      verifiedChain, hasEVPolicy || {});
-  Assert.equal(error, expectedError,
-               "Actual and expected error should match");
+  return new Promise((resolve, reject) => {
+      let result = new CertVerificationExpectedErrorResult(
+        cert.commonName, expectedError, isEVExpected, resolve);
+      certdb.asyncVerifyCertAtTime(cert, usage, NO_FLAGS, hostname, time,
+                                   result);
+  });
 }
 
 // certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
 // In particular, hostname is optional.
 function checkCertErrorGeneric(certdb, cert, expectedError, usage,
-                               /* optional */ hasEVPolicy,
-                               /* optional */ hostname) {
-  info(`cert cn=${cert.commonName}`);
-  info(`cert issuer cn=${cert.issuerCommonName}`);
-  let verifiedChain = {};
-  let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, hostname,
-                                   verifiedChain, hasEVPolicy || {});
-  Assert.equal(error, expectedError,
-               "Actual and expected error should match");
+                                     /* optional */ isEVExpected,
+                                     /* optional */ hostname) {
+  let now = (new Date()).getTime() / 1000;
+  return checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, now,
+                                     isEVExpected, hostname);
 }
 
 function checkEVStatus(certDB, cert, usage, isEVExpected) {
-  let hasEVPolicy = {};
-  checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage, hasEVPolicy);
-  Assert.equal(hasEVPolicy.value, isEVExpected,
-               "Actual and expected EV status should match");
+  return checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage,
+                               isEVExpected);
 }
 
 function _getLibraryFunctionWithNoArguments(functionName, libraryName,
                                             returnType) {
   // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
   let path = ctypes.libraryName(libraryName);
 
   // XXX really want to be able to pass specific dlopen flags here.
@@ -668,16 +682,25 @@ function startOCSPResponder(serverPort, 
         Assert.equal(expectedResponseTypes.length, 0,
                      "Should have 0 remaining expected response types");
       }
       httpServer.stop(callback);
     }
   };
 }
 
+// Given an OCSP responder (see startOCSPResponder), returns a promise that
+// resolves when the responder has successfully stopped.
+function stopOCSPResponder(responder) {
+  return new Promise((resolve, reject) => {
+    responder.stop(resolve);
+  });
+}
+
+
 // A prototype for a fake, error-free sslstatus
 var FakeSSLStatus = function(certificate) {
   this.serverCert = certificate;
 };
 
 FakeSSLStatus.prototype = {
   serverCert: null,
   cipherName: null,
--- a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -20,25 +20,25 @@ function load_cert(cert, trust) {
 function getDERString(cert) {
   let derString = "";
   for (let rawByte of cert.getRawDER({})) {
     derString += String.fromCharCode(rawByte);
   }
   return derString;
 }
 
-function run_test() {
+add_task(async function() {
   load_cert("ca", "CTu,CTu,CTu");
   let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
   let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
   let cert_pem = readFile(do_get_file(file));
   let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
-  checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
+  await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
   // Change the already existing intermediate certificate's trust using
   // addCertFromBase64().
   notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
   let base64_cert = btoa(getDERString(int_cert));
   let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
   notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
-  checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageSSLServer);
-}
+  await checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageSSLServer);
+});
--- a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -26,22 +26,22 @@ function certFromFile(certName) {
 function loadCertWithTrust(certName, trustString) {
   addCertFromFile(gCertDB, `test_baseline_requirements/${certName}.pem`,
                   trustString);
 }
 
 function checkCertOn25August2016(cert, expectedResult) {
   // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
   const VALIDATION_TIME = 1472083200;
-  checkCertErrorGenericAtTime(gCertDB, cert, expectedResult,
-                              certificateUsageSSLServer, VALIDATION_TIME, {},
-                              "example.com");
+  return checkCertErrorGenericAtTime(gCertDB, cert, expectedResult,
+                                     certificateUsageSSLServer, VALIDATION_TIME,
+                                     false, "example.com");
 }
 
-function run_test() {
+add_task(async function() {
   registerCleanupFunction(() => {
     Services.prefs.clearUserPref("security.pki.name_matching_mode");
     Services.prefs.clearUserPref("security.test.built_in_root_hash");
     Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
   });
 
   Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
 
@@ -50,142 +50,142 @@ function run_test() {
   // When verifying a certificate, if the trust anchor is not a built-in root,
   // name matching will fall back to using the subject common name if necessary
   // (i.e. if there is no subject alternative name extension or it does not
   // contain any dNSName or iPAddress entries). Thus, since imported roots are
   // not in general treated as built-ins, these should all successfully verify
   // regardless of the value of the pref.
   Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
   info("current mode: always fall back, root not built-in");
-  checkCertOn25August2016(certFromFile("no-san-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-older"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                          PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-older"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                PRErrorCodeSuccess);
 
   Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
   info("current mode: fall back for notBefore < August 23, 2016, root " +
        "not built-in");
-  checkCertOn25August2016(certFromFile("no-san-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-older"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                          PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-older"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                PRErrorCodeSuccess);
 
   Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
   info("current mode: fall back for notBefore < August 23, 2015, root " +
        "not built-in");
-  checkCertOn25August2016(certFromFile("no-san-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-older"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                          PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-older"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                PRErrorCodeSuccess);
 
   Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
   info("current mode: never fall back, root not built-in");
-  checkCertOn25August2016(certFromFile("no-san-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("no-san-older"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                          PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                          PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("no-san-older"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                PRErrorCodeSuccess);
+  await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                PRErrorCodeSuccess);
 
   // In debug builds, we can treat an imported root as a built-in, and thus we
   // can actually test the different values of the pref.
   if (isDebugBuild) {
     let root = certFromFile("ca");
     Services.prefs.setCharPref("security.test.built_in_root_hash",
                                root.sha256Fingerprint);
 
     // Always fall back if necessary.
     Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
     info("current mode: always fall back, root built-in");
-    checkCertOn25August2016(certFromFile("no-san-recent"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("no-san-old"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("no-san-older"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                            PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-old"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-older"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                  PRErrorCodeSuccess);
 
     // Only fall back if notBefore < 23 August 2016
     Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
     info("current mode: fall back for notBefore < August 23, 2016, root " +
          "built-in");
-    checkCertOn25August2016(certFromFile("no-san-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("no-san-old"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("no-san-older"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                            PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-old"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-older"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                  PRErrorCodeSuccess);
 
     // Only fall back if notBefore < 23 August 2015
     Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
     info("current mode: fall back for notBefore < August 23, 2015, root " +
          "built-in");
-    checkCertOn25August2016(certFromFile("no-san-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("no-san-old"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("no-san-older"),
-                            PRErrorCodeSuccess);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                            PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-old"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-older"),
+                                  PRErrorCodeSuccess);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                  PRErrorCodeSuccess);
 
     // Never fall back.
     Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
     info("current mode: never fall back, root built-in");
-    checkCertOn25August2016(certFromFile("no-san-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("no-san-old"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("no-san-older"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
-    checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
-                            SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-old"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("no-san-older"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
+    await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+                                  SSL_ERROR_BAD_CERT_DOMAIN);
   }
-}
+});
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@@ -161,28 +161,29 @@ var addonManager = Cc["@mozilla.org/addo
 addonManager.observe(null, "addons-startup", null);
 
 var converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
                   .createInstance(Ci.nsIScriptableUnicodeConverter);
 converter.charset = "UTF-8";
 
 function verify_cert(file, expectedError) {
   let ee = constructCertFromFile(file);
-  checkCertErrorGeneric(certDB, ee, expectedError, certificateUsageSSLServer);
+  return checkCertErrorGeneric(certDB, ee, expectedError,
+                               certificateUsageSSLServer);
 }
 
 // The certificate blocklist currently only applies to TLS server certificates.
-function verify_non_tls_usage_succeeds(file) {
+async function verify_non_tls_usage_succeeds(file) {
   let ee = constructCertFromFile(file);
-  checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 }
 
 function load_cert(cert, trust) {
   let file = "bad_certs/" + cert + ".pem";
   addCertFromFile(certDB, file, trust);
 }
 
 function test_is_revoked(certList, issuerString, serialString, subjectString,
@@ -304,17 +305,17 @@ function run_test() {
                      { " Rym6o+VN9xgZXT/QLrvN/nv1ZN4=": true},
                    "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
                      { " a0X7/7DlTaedpgrIJg25iBPOkIM=": true},
                    "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy":
                      { " YW5vdGhlciBzZXJpYWwu": true,
                        " c2VyaWFsMi4=": true }
                  };
 
-  add_test(function () {
+  add_task(async function() {
     // check some existing items in revocations.txt are blocked. Since the
     // CertBlocklistItems don't know about the data they contain, we can use
     // arbitrary data (not necessarily DER) to test if items are revoked or not.
     // This test corresponds to:
     // issuer: c29tZSBpbWFnaW5hcnkgaXNzdWVy
     // serial: c2VyaWFsLg==
     ok(test_is_revoked(certList, "some imaginary issuer", "serial."),
       "issuer / serial pair should be blocked");
@@ -331,35 +332,33 @@ function run_test() {
     // (we test this issuer twice to ensure we can read multiple serials)
     ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
       "issuer / serial pair should be blocked");
 
     // Soon we'll load a blocklist which revokes test-int.pem, which issued
     // test-int-ee.pem.
     // Check the cert validates before we load the blocklist
     let file = "test_onecrl/test-int-ee.pem";
-    verify_cert(file, PRErrorCodeSuccess);
+    await verify_cert(file, PRErrorCodeSuccess);
 
     // The blocklist also revokes other-test-ca.pem, which issued
     // other-ca-ee.pem. Check the cert validates before we load the blocklist
     file = "bad_certs/other-issuer-ee.pem";
-    verify_cert(file, PRErrorCodeSuccess);
+    await verify_cert(file, PRErrorCodeSuccess);
 
     // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
     // Check the cert validates before we load the blocklist
     file = "test_onecrl/same-issuer-ee.pem";
-    verify_cert(file, PRErrorCodeSuccess);
-
-    run_next_test();
+    await verify_cert(file, PRErrorCodeSuccess);
   });
 
   // blocklist load is async so we must use add_test from here
   add_task(fetch_blocklist);
 
-  add_test(function() {
+  add_task(async function() {
     // The blocklist will be loaded now. Let's check the data is sane.
     // In particular, we should still have the revoked issuer / serial pair
     // that was in both revocations.txt and the blocklist.
     ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
       "issuer / serial pair should be blocked");
 
     // Check that both serials in the certItem with multiple serials were read
     // properly
@@ -374,48 +373,46 @@ function run_test() {
        "issuer / serial pair should be blocked");
 
     // Check the blocklist entry has been persisted properly to the backing
     // file
     check_revocations_txt_contents(expected);
 
     // Check the blocklisted intermediate now causes a failure
     let file = "test_onecrl/test-int-ee.pem";
-    verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
-    verify_non_tls_usage_succeeds(file);
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
 
     // Check the ee with the blocklisted root also causes a failure
     file = "bad_certs/other-issuer-ee.pem";
-    verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
-    verify_non_tls_usage_succeeds(file);
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
 
     // Check the ee blocked by subject / pubKey causes a failure
     file = "test_onecrl/same-issuer-ee.pem";
-    verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
-    verify_non_tls_usage_succeeds(file);
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
 
     // Check a non-blocklisted chain still validates OK
     file = "bad_certs/default-ee.pem";
-    verify_cert(file, PRErrorCodeSuccess);
+    await verify_cert(file, PRErrorCodeSuccess);
 
     // Check a bad cert is still bad (unknown issuer)
     file = "bad_certs/unknownissuer.pem";
-    verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
+    await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
 
     // check that save with no further update is a no-op
     let lastModified = gRevocations.lastModifiedTime;
     // add an already existing entry
     certList.revokeCertByIssuerAndSerial("YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
                                          "c2VyaWFsMi4=");
     certList.saveEntries();
     let newModified = gRevocations.lastModifiedTime;
     equal(lastModified, newModified,
           "saveEntries with no modifications should not update the backing file");
-
-    run_next_test();
   });
 
   add_test(function() {
     // Check the blocklist entry has not changed
     check_revocations_txt_contents(expected);
     run_next_test();
   });
 
--- a/security/manager/ssl/tests/unit/test_cert_eku.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -18,120 +18,122 @@ function certFromFile(certName) {
   return constructCertFromFile(`test_cert_eku/${certName}.pem`);
 }
 
 function loadCertWithTrust(certName, trustString) {
   addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
 }
 
 function checkEndEntity(cert, expectedResult) {
-  checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, expectedResult,
+                               certificateUsageSSLServer);
 }
 
 function checkCertOn25August2016(cert, expectedResult) {
   // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
   const VALIDATION_TIME = 1472083200;
-  checkCertErrorGenericAtTime(certdb, cert, expectedResult,
-                              certificateUsageSSLServer, VALIDATION_TIME);
+  return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+                                     certificateUsageSSLServer,
+                                     VALIDATION_TIME);
 }
 
 
-function run_test() {
+add_task(async function() {
   registerCleanupFunction(() => {
     Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
   });
   Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
 
   loadCertWithTrust("ca", "CTu,,");
   // end-entity has id-kp-serverAuth => success
-  checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
   // end-entity has id-kp-serverAuth => success
-  checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
   // end-entity has extended key usage, but id-kp-serverAuth is not present =>
   // failure
-  checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
   // end-entity has id-kp-serverAuth => success
-  checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
 
   // end-entity has extended key usage, but id-kp-serverAuth is not present =>
   // failure (in particular, Netscape Server Gated Crypto (also known as
   // Netscape Step Up) is not an acceptable substitute for end-entity
   // certificates).
   // Verify this for all Netscape Step Up policy configurations.
   // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
-  checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
   // 1 = "accept nsSGC before 23 August 2016"
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
-  checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
   // 2 = "accept nsSGC before 23 August 2015"
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
-  checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
   // 3 = "never accept nsSGC"
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
-  checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
 
   // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
   // certificates being verified as TLS server certificates => failure
-  checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE);
 
   // intermediate has id-kp-serverAuth => success
   loadCertWithTrust("int-SA", ",,");
-  checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
   // intermediate has id-kp-serverAuth => success
   loadCertWithTrust("int-SA-CA", ",,");
-  checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
   // intermediate has extended key usage, but id-kp-serverAuth is not present
   // => failure
   loadCertWithTrust("int-CA", ",,");
-  checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  await checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
   // intermediate has id-kp-serverAuth => success
   loadCertWithTrust("int-SA-nsSGC", ",,");
-  checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
 
   // Intermediate has Netscape Server Gated Crypto. Success will depend on the
   // Netscape Step Up policy configuration and the notBefore property of the
   // intermediate.
   loadCertWithTrust("int-nsSGC-recent", ",,");
   loadCertWithTrust("int-nsSGC-old", ",,");
   loadCertWithTrust("int-nsSGC-older", ",,");
   // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
   info("Netscape Step Up policy: always accept");
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
                           PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
                           PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
                           PRErrorCodeSuccess);
   // 1 = "accept nsSGC before 23 August 2016"
   info("Netscape Step Up policy: accept before 23 August 2016");
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
                           PRErrorCodeSuccess);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
                           PRErrorCodeSuccess);
   // 2 = "accept nsSGC before 23 August 2015"
   info("Netscape Step Up policy: accept before 23 August 2015");
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
                           PRErrorCodeSuccess);
   // 3 = "never accept nsSGC"
   info("Netscape Step Up policy: never accept");
   Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
-  checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+  await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
                           SEC_ERROR_INADEQUATE_CERT_TYPE);
 
   // intermediate has id-kp-OCSPSigning, which is acceptable for CA
   // certificates => success
   loadCertWithTrust("int-SA-OCSP", ",,");
-  checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
-}
+  await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
+});
--- a/security/manager/ssl/tests/unit/test_cert_embedded_null.js
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
@@ -9,30 +9,32 @@
 // Includes a similar test case but for the subject alternative name extension.
 
 "use strict";
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
-function do_testcase(certname, checkCommonName) {
+async function do_testcase(certname, checkCommonName) {
   let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
   // Where applicable, check that the testcase is meaningful (i.e. that the
   // certificate's subject common name has an embedded NUL in it).
   if (checkCommonName) {
     equal(cert.commonName, "www.bank1.com\\00www.bad-guy.com",
           "certificate subject common name should have an embedded NUL byte");
   }
-  checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
-                        certificateUsageSSLServer, {}, "www.bank1.com");
-  checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
-                        certificateUsageSSLServer, {}, "www.bad-guy.com");
+  await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
+                              certificateUsageSSLServer, undefined,
+                              "www.bank1.com");
+  await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
+                              certificateUsageSSLServer, undefined,
+                              "www.bad-guy.com");
 }
 
-function run_test() {
+add_task(async function() {
   addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
 
-  do_testcase("embeddedNull", true);
-  do_testcase("embeddedNullSAN", false);
-  do_testcase("embeddedNullCNAndSAN", true);
-  do_testcase("embeddedNullSAN2", false);
-}
+  await do_testcase("embeddedNull", true);
+  await do_testcase("embeddedNullSAN", false);
+  await do_testcase("embeddedNullCNAndSAN", true);
+  await do_testcase("embeddedNullSAN2", false);
+});
--- a/security/manager/ssl/tests/unit/test_cert_sha1.js
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
@@ -22,21 +22,22 @@ function certFromFile(certName) {
   return constructCertFromFile("test_cert_sha1/" + certName + ".pem");
 }
 
 function loadCertWithTrust(certName, trustString) {
   addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString);
 }
 
 function checkEndEntity(cert, expectedResult) {
-  checkCertErrorGenericAtTime(certdb, cert, expectedResult,
-                              certificateUsageSSLServer, VALIDATION_TIME);
+  return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+                                     certificateUsageSSLServer,
+                                     VALIDATION_TIME);
 }
 
-function run_test() {
+add_task(async function() {
   loadCertWithTrust("ca", "CTu,,");
   loadCertWithTrust("int-pre", ",,");
   loadCertWithTrust("int-post", ",,");
 
   // Test cases per pref setting
   //
   // root  intermed.  end entity
   // ===========================
@@ -82,61 +83,61 @@ function run_test() {
   // verifier does not take into account the currently configured SHA-1 policy.
   // This is in part due to implementation complexity and because this isn't
   // actually how TLS web server certificates are verified in the TLS handshake
   // (which makes a full implementation that supports heeding the SHA-1 policy
   // unnecessary).
 
   // SHA-1 allowed
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 0);
-  checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
 
   // SHA-1 forbidden
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 1);
-  checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-  checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-  checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
 
   // SHA-1 forbidden (test the case where the pref has been set to 2)
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 2);
-  checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-  checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-  checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
 
   // SHA-1 allowed only when issued by an imported root. First test with the
   // test root considered a built-in (on debug only - this functionality is
   // disabled on non-debug builds).
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 3);
   if (isDebugBuild) {
     let root = certFromFile("ca");
     Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint);
-    checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-    checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-    checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+    await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+    await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+    await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
     Services.prefs.clearUserPref("security.test.built_in_root_hash");
   }
 
   // SHA-1 still allowed only when issued by an imported root.
   // Now test with the test root considered a non-built-in.
-  checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
 
   // SHA-1 allowed before 2016 or when issued by an imported root. First test
   // with the test root considered a built-in.
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
   if (isDebugBuild) {
     let root = certFromFile("ca");
     Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint);
-    checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
-    checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-    checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+    await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+    await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+    await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
     Services.prefs.clearUserPref("security.test.built_in_root_hash");
   }
 
   // SHA-1 still only allowed before 2016 or when issued by an imported root.
   // Now test with the test root considered a non-built-in.
-  checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
-}
+  await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+});
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -39,25 +39,25 @@ function readAndTamperWithNthByte(certif
 const BYTE_IN_SIGNATURE = -8;
 function addSignatureTamperedCertificate(certificatePath) {
   let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
   certdb.addCertFromBase64(base64, ",,");
 }
 
 function ensureSignatureVerificationFailure(certificatePath) {
   let cert = constructCertFromFile(certificatePath);
-  checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+                               certificateUsageSSLServer);
 }
 
 function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
   let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
   let cert = certdb.constructX509FromBase64(base64);
-  checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+                               certificateUsageSSLServer);
 }
 
 // The beginning of a certificate looks like this (in hex, using DER):
 // 30 XX XX XX [the XX encode length - there are probably 3 bytes here]
 //    30 XX XX XX [length again]
 //       A0 03
 //          02 01
 //             02
@@ -76,46 +76,46 @@ function addSerialNumberTamperedCertific
                                         BYTE_IN_SERIAL_NUMBER);
   certdb.addCertFromBase64(base64, ",,");
 }
 
 function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
   let base64 = readAndTamperWithNthByte(certificatePath,
                                         BYTE_IN_SERIAL_NUMBER);
   let cert = certdb.constructX509FromBase64(base64);
-  checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+                               certificateUsageSSLServer);
 }
 
-function run_test() {
+add_task(async function() {
   addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,");
   addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,");
 
   // Tamper with the signatures on intermediate certificates and ensure that
   // end-entity certificates issued by those intermediates do not validate
   // successfully.
   addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem");
   addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
-  ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
-  ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
 
   // Tamper with the signatures on end-entity certificates and ensure that they
   // do not validate successfully.
-  tamperWithSignatureAndEnsureVerificationFailure(
+  await tamperWithSignatureAndEnsureVerificationFailure(
     "test_cert_signatures/ee-rsa-direct.pem");
-  tamperWithSignatureAndEnsureVerificationFailure(
+  await tamperWithSignatureAndEnsureVerificationFailure(
     "test_cert_signatures/ee-secp384r1-direct.pem");
 
   // Tamper with the serial numbers of intermediate certificates and ensure
   // that end-entity certificates issued by those intermediates do not validate
   // successfully.
   addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem");
   addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
-  ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
-  ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
 
   // Tamper with the serial numbers of end-entity certificates and ensure that
   // they do not validate successfully.
-  tamperWithSerialNumberAndEnsureVerificationFailure(
+  await tamperWithSerialNumberAndEnsureVerificationFailure(
     "test_cert_signatures/ee-rsa-direct.pem");
-  tamperWithSerialNumberAndEnsureVerificationFailure(
+  await tamperWithSerialNumberAndEnsureVerificationFailure(
     "test_cert_signatures/ee-secp384r1-direct.pem");
-}
+});
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -18,129 +18,129 @@ function load_cert(cert_name, trust_stri
 function setup_basic_trusts(ca_cert, int_cert) {
   certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
                       Ci.nsIX509CertDB.TRUSTED_SSL |
                       Ci.nsIX509CertDB.TRUSTED_EMAIL);
 
   certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
 }
 
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
   // On reset most usages are successful
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 
 
   // Test of active distrust. No usage should pass.
   setCertTrust(cert_to_modify_trust, "p,p,p");
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageEmailRecipient);
 
   // Trust set to T  -  trusted CA to issue client certs, where client cert is
   // usageSSLClient.
   setCertTrust(cert_to_modify_trust, "T,T,T");
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
 
   // XXX(Bug 982340)
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
 
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
 
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 
 
   // Now tests on the SSL trust bit
   setCertTrust(cert_to_modify_trust, "p,C,C");
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageSSLServer);
 
   // XXX(Bug 982340)
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 
   // Inherited trust SSL
   setCertTrust(cert_to_modify_trust, ",C,C");
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
   // XXX(Bug 982340)
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 
   // Now tests on the EMAIL trust bit
   setCertTrust(cert_to_modify_trust, "C,p,C");
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                              certificateUsageEmailRecipient);
 
 
   // inherited EMAIL Trust
   setCertTrust(cert_to_modify_trust, "C,,C");
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
-                        certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+                              certificateUsageSSLCA);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                                        : PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
 }
 
 
-function run_test() {
+add_task(async function() {
   let certList = [
     "ca",
     "int",
     "ee",
   ];
   let loadedCerts = [];
   for (let certName of certList) {
     loadedCerts.push(load_cert(certName, ",,"));
@@ -149,41 +149,41 @@ function run_test() {
   let ca_cert = loadedCerts[0];
   notEqual(ca_cert, null, "CA cert should have successfully loaded");
   let int_cert = loadedCerts[1];
   notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
   let ee_cert = loadedCerts[2];
   notEqual(ee_cert, null, "EE cert should have successfully loaded");
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, ca_cert, true);
+  await test_ca_distrust(ee_cert, ca_cert, true);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, int_cert, false);
+  await test_ca_distrust(ee_cert, int_cert, false);
 
   // Reset trust to default ("inherit trust")
   setCertTrust(ca_cert, ",,");
   setCertTrust(int_cert, ",,");
 
   // If an end-entity certificate is manually trusted, it may not be the root of
   // its own verified chain. In general this will cause "unknown issuer" errors
   // unless a CA trust anchor can be found.
   setCertTrust(ee_cert, "CTu,CTu,CTu");
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
-                        certificateUsageEmailRecipient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+                              certificateUsageEmailRecipient);
 
   // Now make a CA trust anchor available.
   setCertTrust(ca_cert, "CTu,CTu,CTu");
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageEmailRecipient);
-}
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLServer);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageSSLClient);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailSigner);
+  await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+                              certificateUsageEmailRecipient);
+});
--- a/security/manager/ssl/tests/unit/test_cert_version.js
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -37,154 +37,156 @@ function certFromFile(certName) {
   return constructCertFromFile("test_cert_version/" + certName + ".pem");
 }
 
 function loadCertWithTrust(certName, trustString) {
   addCertFromFile(certdb, "test_cert_version/" + certName + ".pem", trustString);
 }
 
 function checkEndEntity(cert, expectedResult) {
-  checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, expectedResult,
+                               certificateUsageSSLServer);
 }
 
 function checkIntermediate(cert, expectedResult) {
-  checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLCA);
+  return checkCertErrorGeneric(certdb, cert, expectedResult,
+                               certificateUsageSSLCA);
 }
 
 // Test that the code that decodes certificates to display them in the
 // certificate manager correctly handles the version field.
 function checkCertVersion(cert, expectedVersionString) {
   let asn1 = cert.ASN1Structure.QueryInterface(Ci.nsIASN1Sequence);
   let tbsCertificate = asn1.ASN1Objects.queryElementAt(0, Ci.nsIASN1Sequence);
   let version = tbsCertificate.ASN1Objects.queryElementAt(0, Ci.nsIASN1Object);
   equal(version.displayValue, expectedVersionString,
         "Actual and expected version strings should match");
 }
 
-function run_test() {
+add_task(async function() {
   loadCertWithTrust("ca", "CTu,,");
 
   // Section for CAs lacking the basicConstraints extension entirely:
   loadCertWithTrust("int-v1-noBC_ca", ",,");
-  checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
-  checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
+  await checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
+  await checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
   // A v1 certificate with no basicConstraints extension may issue certificates
   // if it is a trust anchor.
   loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
 
   loadCertWithTrust("int-v2-noBC_ca", ",,");
-  checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
 
   loadCertWithTrust("int-v3-noBC_ca", ",,");
-  checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
 
   loadCertWithTrust("int-v4-noBC_ca", ",,");
-  checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
 
   // Section for CAs with basicConstraints not specifying cA:
   loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
 
   loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
 
   loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
 
   loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
   loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
-  checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+  await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
 
   // Section for CAs with basicConstraints specifying cA:
   loadCertWithTrust("int-v1-BC-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
   loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
 
   loadCertWithTrust("int-v2-BC-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
   loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
 
   loadCertWithTrust("int-v3-BC-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
   loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
 
   loadCertWithTrust("int-v4-BC-cA_ca", ",,");
-  checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
   loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
-  checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+  await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
 
   // Section for end-entity certificates with various basicConstraints:
-  checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
 
-  checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
-  checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
 
-  checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
-  checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
-  checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
-  checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+  await checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+  await checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+  await checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+  await checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
 
   // Section for self-signed certificates:
-  checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
 
-  checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
 
-  checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
-  checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
 
   checkCertVersion(certFromFile("ss-v1-noBC"), "Version 1");
   checkCertVersion(certFromFile("int-v2-BC-cA_ca"), "Version 2");
   checkCertVersion(certFromFile("ee-v3-BC-not-cA_ca"), "Version 3");
   checkCertVersion(certFromFile("int-v4-BC-not-cA_ca"), "Version 4");
-}
+});
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -19,109 +19,109 @@ const certdb = Cc["@mozilla.org/security
  *        The key type of the root certificate, or the name of an elliptic
  *        curve, as output by the 'openssl ecparam -list_curves' command.
  * @param {Number} rootKeySize
  * @param {String} intKeyType
  * @param {Number} intKeySize
  * @param {String} eeKeyType
  * @param {Number} eeKeySize
  * @param {PRErrorCode} eeExpectedError
+ * @return {Promise} a promise that will resolve when the verification has
+ *                   completed
  */
 function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
                     eeKeyType, eeKeySize, eeExpectedError) {
   let rootName = "root_" + rootKeyType + "_" + rootKeySize;
   let intName = "int_" + intKeyType + "_" + intKeySize;
   let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
 
   let intFullName = intName + "-" + rootName;
   let eeFullName = eeName + "-" + intName + "-" + rootName;
 
   addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
   addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
   let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
 
   info("cert o=" + eeCert.organization);
   info("cert issuer o=" + eeCert.issuerOrganization);
-  checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
+                               certificateUsageSSLServer);
 }
 
 /**
  * Tests various RSA chains.
  *
  * @param {Number} inadequateKeySize
  * @param {Number} adequateKeySize
  */
-function checkRSAChains(inadequateKeySize, adequateKeySize) {
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
   // Chain with certs that have adequate sizes for DV
-  checkChain("rsa", adequateKeySize,
-             "rsa", adequateKeySize,
-             "rsa", adequateKeySize,
-             PRErrorCodeSuccess);
+  await checkChain("rsa", adequateKeySize,
+                   "rsa", adequateKeySize,
+                   "rsa", adequateKeySize,
+                   PRErrorCodeSuccess);
 
   // Chain with a root cert that has an inadequate size for DV
-  checkChain("rsa", inadequateKeySize,
-             "rsa", adequateKeySize,
-             "rsa", adequateKeySize,
-             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+  await checkChain("rsa", inadequateKeySize,
+                   "rsa", adequateKeySize,
+                   "rsa", adequateKeySize,
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 
   // Chain with an intermediate cert that has an inadequate size for DV
-  checkChain("rsa", adequateKeySize,
-             "rsa", inadequateKeySize,
-             "rsa", adequateKeySize,
-             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+  await checkChain("rsa", adequateKeySize,
+                   "rsa", inadequateKeySize,
+                   "rsa", adequateKeySize,
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 
   // Chain with an end entity cert that has an inadequate size for DV
-  checkChain("rsa", adequateKeySize,
-             "rsa", adequateKeySize,
-             "rsa", inadequateKeySize,
-             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+  await checkChain("rsa", adequateKeySize,
+                   "rsa", adequateKeySize,
+                   "rsa", inadequateKeySize,
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
-function checkECCChains() {
-  checkChain("secp256r1", 256,
-             "secp384r1", 384,
-             "secp521r1", 521,
-             PRErrorCodeSuccess);
-  checkChain("secp256r1", 256,
-             "secp224r1", 224,
-             "secp256r1", 256,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-  checkChain("secp256r1", 256,
-             "secp256r1", 256,
-             "secp224r1", 224,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-  checkChain("secp224r1", 224,
-             "secp256r1", 256,
-             "secp256r1", 256,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-  checkChain("secp256r1", 256,
-             "secp256r1", 256,
-             "secp256k1", 256,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-  checkChain("secp256k1", 256,
-             "secp256r1", 256,
-             "secp256r1", 256,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+async function checkECCChains() {
+  await checkChain("secp256r1", 256,
+                   "secp384r1", 384,
+                   "secp521r1", 521,
+                   PRErrorCodeSuccess);
+  await checkChain("secp256r1", 256,
+                   "secp224r1", 224,
+                   "secp256r1", 256,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+  await checkChain("secp256r1", 256,
+                   "secp256r1", 256,
+                   "secp224r1", 224,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+  await checkChain("secp224r1", 224,
+                   "secp256r1", 256,
+                   "secp256r1", 256,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+  await checkChain("secp256r1", 256,
+                   "secp256r1", 256,
+                   "secp256k1", 256,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+  await checkChain("secp256k1", 256,
+                   "secp256r1", 256,
+                   "secp256r1", 256,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
 }
 
-function checkCombinationChains() {
-  checkChain("rsa", 2048,
-             "secp256r1", 256,
-             "secp384r1", 384,
-             PRErrorCodeSuccess);
-  checkChain("rsa", 2048,
-             "secp256r1", 256,
-             "secp224r1", 224,
-             SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-  checkChain("secp256r1", 256,
-             "rsa", 1016,
-             "secp256r1", 256,
-             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+async function checkCombinationChains() {
+  await checkChain("rsa", 2048,
+                   "secp256r1", 256,
+                   "secp384r1", 384,
+                   PRErrorCodeSuccess);
+  await checkChain("rsa", 2048,
+                   "secp256r1", 256,
+                   "secp224r1", 224,
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+  await checkChain("secp256r1", 256,
+                   "rsa", 1016,
+                   "secp256r1", 256,
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
-function run_test() {
-  checkRSAChains(1016, 1024);
-  checkECCChains();
-  checkCombinationChains();
-
-  run_next_test();
-}
+add_task(async function() {
+  await checkRSAChains(1016, 1024);
+  await checkECCChains();
+  await checkCombinationChains();
+});
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -20,49 +20,47 @@ function getOCSPResponder(expectedCertNa
 
 function loadCert(certName, trustString) {
   let certFilename = "test_keysize_ev/" + certName + ".pem";
   addCertFromFile(certDB, certFilename, trustString);
   return constructCertFromFile(certFilename);
 }
 
 /**
- * Adds a single EV key size test.
+ * Asynchronously runs a single EV key size test.
  *
  * @param {Array} expectedNamesForOCSP
  *        An array of nicknames of the certs to be responded to.
  * @param {String} rootCertFileName
  *        The file name of the root cert. Can begin with ".." to reference
  *        certs in folders other than "test_keysize_ev/".
  * @param {Array} intCertFileNames
  *        An array of file names of any intermediate certificates.
  * @param {String} endEntityCertFileName
  *        The file name of the end entity cert.
  * @param {Boolean} expectedResult
  *        Whether the chain is expected to validate as EV.
  */
-function addKeySizeTestForEV(expectedNamesForOCSP,
-                             rootCertFileName, intCertFileNames,
-                             endEntityCertFileName, expectedResult) {
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+async function keySizeTestForEV(expectedNamesForOCSP,
+                                rootCertFileName, intCertFileNames,
+                                endEntityCertFileName, expectedResult) {
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
 
-    loadCert(rootCertFileName, "CTu,CTu,CTu");
-    for (let intCertFileName of intCertFileNames) {
-      loadCert(intCertFileName, ",,");
-    }
-    checkEVStatus(
-      certDB,
-      constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
-      certificateUsageSSLServer,
-      expectedResult);
+  loadCert(rootCertFileName, "CTu,CTu,CTu");
+  for (let intCertFileName of intCertFileNames) {
+    loadCert(intCertFileName, ",,");
+  }
+  await checkEVStatus(
+    certDB,
+    constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+    certificateUsageSSLServer,
+    expectedResult);
 
-    ocspResponder.stop(run_next_test);
-  });
+  await stopOCSPResponder(ocspResponder);
 }
 
 /**
  * For debug builds which have the test EV roots compiled in, checks RSA chains
  * which contain certs with key sizes adequate for EV are validated as such,
  * while chains that contain any cert with an inadequate key size fail EV and
  * validate as DV.
  * For opt builds which don't have the test EV roots compiled in, checks that
@@ -71,17 +69,17 @@ function addKeySizeTestForEV(expectedNam
  * Note: This function assumes that the key size requirements for EV are greater
  * than the requirements for DV.
  *
  * @param {Number} inadequateKeySize
  *        The inadequate key size of the generated certs.
  * @param {Number} adequateKeySize
  *        The adequate key size of the generated certs.
  */
-function checkRSAChains(inadequateKeySize, adequateKeySize) {
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
   // Reuse the existing test RSA EV root
   let rootOKCertFileName = "../test_ev_certs/evroot";
   let rootOKName = "evroot";
   let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
   let intOKName = "ev_int_rsa_" + adequateKeySize;
   let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
   let eeOKName = "ev_ee_rsa_" + adequateKeySize;
   let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
@@ -91,55 +89,53 @@ function checkRSAChains(inadequateKeySiz
   // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
   // in such a build.
   let intFullName = intOKName + "-" + rootOKName;
   let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
   let expectedNamesForOCSP = gEVExpected
                            ? [ intFullName,
                                eeFullName ]
                            : [ eeFullName ];
-  addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
-                      [ intFullName ], eeFullName, gEVExpected);
+  await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+                         [ intFullName ], eeFullName, gEVExpected);
 
   // Chain with a root cert that has an inadequate size for EV, but
   // adequate size for DV
   intFullName = intOKName + "-" + rootNotOKName;
   eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
   expectedNamesForOCSP = [ eeFullName ];
-  addKeySizeTestForEV(expectedNamesForOCSP, rootNotOKName,
-                      [ intFullName ], eeFullName, false);
+  await keySizeTestForEV(expectedNamesForOCSP, rootNotOKName,
+                         [ intFullName ], eeFullName, false);
 
   // Chain with an intermediate cert that has an inadequate size for EV, but
   // adequate size for DV
   intFullName = intNotOKName + "-" + rootOKName;
   eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
   expectedNamesForOCSP = [ eeFullName ];
-  addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
-                      [ intFullName ], eeFullName, false);
+  await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+                         [ intFullName ], eeFullName, false);
 
   // Chain with an end entity cert that has an inadequate size for EV, but
   // adequate size for DV
   intFullName = intOKName + "-" + rootOKName;
   eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
   expectedNamesForOCSP = gEVExpected
                        ? [ intFullName,
                            eeFullName ]
                        : [ eeFullName ];
-  addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
-                      [ intFullName ], eeFullName, false);
+  await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+                         [ intFullName ], eeFullName, false);
 }
 
-function run_test() {
+add_task(async function() {
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   let smallKeyEVRoot =
     constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem");
   equal(smallKeyEVRoot.sha256Fingerprint,
         "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
         "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
         "test sanity check: the small-key EV root must have the same " +
         "fingerprint as the corresponding entry in ExtendedValidation.cpp");
 
-  checkRSAChains(2040, 2048);
-
-  run_next_test();
-}
+  await checkRSAChains(2040, 2048);
+});
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -33,31 +33,31 @@ function certFromFile(name) {
 }
 
 function loadCertWithTrust(certName, trustString) {
   addCertFromFile(certdb, `test_name_constraints/${certName}.pem`,
                   trustString);
 }
 
 function checkCertNotInNameSpace(cert) {
-  checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+                               certificateUsageSSLServer);
 }
 
 function checkCertInNameSpace(cert) {
-  checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
-                        certificateUsageSSLServer);
+  return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
+                               certificateUsageSSLServer);
 }
 
-function run_test() {
+add_task(async function() {
   // Test that name constraints from the entire certificate chain are enforced.
   loadCertWithTrust("ca-example-com-permitted", "CTu,,");
   loadCertWithTrust("int-example-org-permitted", ",,");
-  checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
-  checkCertNotInNameSpace(certFromFile("ee-example-com"));
-  checkCertNotInNameSpace(certFromFile("ee-example-org"));
-  checkCertNotInNameSpace(certFromFile("ee-example-test"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-com"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-org"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-test"));
 
   // Test that externally-imposed name constraints are enforced (DCISS tests).
   loadCertWithTrust("dciss", "CTu,,");
-  checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
-  checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
-}
+  await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+  await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -25,117 +25,94 @@ function getFailingOCSPResponder() {
 }
 
 function getOCSPResponder(expectedCertNames) {
   return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
                             expectedCertNames, []);
 }
 
 // Tests that in ocspOff mode, OCSP fetches are never done.
-function testOff() {
-  add_test(() => {
-    Services.prefs.setIntPref("security.OCSP.enabled", 0);
-    info("Setting security.OCSP.enabled to 0");
-    run_next_test();
-  });
+async function testOff() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 0);
+  info("Setting security.OCSP.enabled to 0");
 
   // EV chains should verify successfully but never get EV status.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
-                  false);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  let ocspResponder = getFailingOCSPResponder();
+  await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+                      certificateUsageSSLServer, false);
+  await stopOCSPResponder(ocspResponder);
 
   // A DV chain should verify successfully.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
-                          PRErrorCodeSuccess, certificateUsageSSLServer);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = getFailingOCSPResponder();
+  await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+                              PRErrorCodeSuccess, certificateUsageSSLServer);
+  await stopOCSPResponder(ocspResponder);
 }
 
 // Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
-function testOn() {
-  add_test(() => {
-    Services.prefs.setIntPref("security.OCSP.enabled", 1);
-    info("Setting security.OCSP.enabled to 1");
-    run_next_test();
-  });
+async function testOn() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  info("Setting security.OCSP.enabled to 1");
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder =
+  clearOCSPCache();
+  let ocspResponder =
       getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
                                    : ["test-oid-path-ee"]);
-    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
-                  gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
+  await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+                      certificateUsageSSLServer, gEVExpected);
+  await stopOCSPResponder(ocspResponder);
 
   // If a successful OCSP response is fetched, then a DV chain should verify
   // successfully.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
-                          PRErrorCodeSuccess, certificateUsageSSLServer);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+  await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+                              PRErrorCodeSuccess, certificateUsageSSLServer);
+  await stopOCSPResponder(ocspResponder);
 }
 
 // Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
-function testEVOnly() {
-  add_test(() => {
-    Services.prefs.setIntPref("security.OCSP.enabled", 2);
-    info("Setting security.OCSP.enabled to 2");
-    run_next_test();
-  });
+async function testEVOnly() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 2);
+  info("Setting security.OCSP.enabled to 2");
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = gEVExpected
-                      ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
-                      : getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
-                  gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  let ocspResponder = gEVExpected
+                    ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
+                    : getFailingOCSPResponder();
+  await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+                      certificateUsageSSLServer, gEVExpected);
+  await stopOCSPResponder(ocspResponder);
 
   // A DV chain should verify successfully even without doing OCSP fetches.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
-                          PRErrorCodeSuccess, certificateUsageSSLServer);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = getFailingOCSPResponder();
+  await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+                              PRErrorCodeSuccess, certificateUsageSSLServer);
+  await stopOCSPResponder(ocspResponder);
 }
 
-function run_test() {
+add_task(async function() {
   registerCleanupFunction(() => {
     Services.prefs.clearUserPref("network.dns.localDomains");
     Services.prefs.clearUserPref("security.OCSP.enabled");
     Services.prefs.clearUserPref("security.OCSP.require");
   });
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   // Enable hard fail to ensure chains that should only succeed because they get
   // a good OCSP response do not succeed due to soft fail leniency.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   loadCert("evroot", "CTu,,");
   loadCert("test-oid-path-int", ",,");
   loadCert("non-evroot-ca", "CTu,,");
   loadCert("non-ev-root-path-int", ",,");
 
-  testOff();
-  testOn();
-  testEVOnly();
-
-  run_next_test();
-}
+  await testOff();
+  await testOn();
+  await testEVOnly();
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -23,37 +23,31 @@ function start_ocsp_responder(expectedCe
 }
 
 function check_cert_err(cert_name, expected_error) {
   let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
   return checkCertErrorGeneric(certdb, cert, expected_error,
                                certificateUsageSSLServer);
 }
 
-function run_test() {
+add_task(async function() {
   addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", "CTu,CTu,CTu");
   addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ",,");
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
-  add_test(function() {
-    clearOCSPCache();
-    Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
-    let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
-    check_cert_err("a", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
+  let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
+  await check_cert_err("a", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
-    let ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
-    check_cert_err("a", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
-
-  run_next_test();
-}
+  clearOCSPCache();
+  Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
+  ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
+  await check_cert_err("a", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -18,22 +18,16 @@ const SERVER_PORT = 8888;
 
 function start_ocsp_responder(expectedCertNames, expectedPaths,
                               expectedMethods) {
   return startOCSPResponder(SERVER_PORT, "www.example.com",
                             "test_ocsp_fetch_method", expectedCertNames,
                             expectedPaths, expectedMethods);
 }
 
-function check_cert_err(cert_name, expected_error) {
-  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
-  return checkCertErrorGeneric(certdb, cert, expected_error,
-                               certificateUsageSSLServer);
-}
-
 function add_flush_cache() {
   add_test(() => {
     // This appears to either fire multiple times or fire once for every
     // observer that has ever been passed to flush. To prevent multiple calls to
     // run_next_test, keep track of if this observer has already called it.
     let observed = false;
     let observer = { observe: () => {
         if (!observed) {
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -25,113 +25,87 @@ function start_ocsp_responder(expectedCe
 }
 
 function check_cert_err(cert_name, expected_error) {
   let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
   return checkCertErrorGeneric(certdb, cert, expected_error,
                                certificateUsageSSLServer);
 }
 
-function run_test() {
+add_task(async function() {
   addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
   addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   // Note: We don't test the case of a well-formed HTTP URL with an empty port
   //       because the OCSP code would then send a request to port 80, which we
   //       can't use in tests.
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
+  await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
-    check_cert_err("hTTp-url", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+  await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    // XXX Bug 1013615 parser accepts ":8888" as hostname
-    check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  // XXX Bug 1013615 parser accepts ":8888" as hostname
+  await check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
-    check_cert_err("no-path-url", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+  await check_cert_err("no-path-url", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
 
   // Note: We currently don't have anything that ensures user:pass sections
   //       weren't sent. The following test simply checks that such sections
   //       don't cause failures.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["user-pass"], [""]);
-    check_cert_err("user-pass", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
-
-  run_next_test();
-}
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["user-pass"], [""]);
+  await check_cert_err("user-pass", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
+});
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
@@ -20,22 +20,22 @@ function certFromFile(cert_name) {
 function loadCert(cert_name, trust_string) {
   let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
   addCertFromFile(certdb, cert_filename, trust_string);
   return constructCertFromFile(cert_filename);
 }
 
 function checkOK(cert, hostname) {
   return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
-                               certificateUsageSSLServer, {}, hostname);
+                               certificateUsageSSLServer, false, hostname);
 }
 
 function checkFail(cert, hostname) {
   return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
-                               certificateUsageSSLServer, {}, hostname);
+                               certificateUsageSSLServer, false, hostname);
 }
 
 const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
 const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
 
 function run_test() {
   Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
 
@@ -101,129 +101,141 @@ function checkStateRead(aSubject, aTopic
     throw new Error("Observed data should either be the Site Security " +
                     "Service state file name or the preload file name");
   }
 
   if (!gSSSStateSeen || !gPreloadStateSeen) {
     return;
   }
 
+  async_check_pins()
+  .then(function() {
+    return new Promise((resolve, reject) => {
+      do_timeout(1250, resolve);
+    });
+  })
+  .then(checkExpiredState)
+  .then(checkPreloadClear)
+  .then(do_test_finished);
+}
+
+async function async_check_pins() {
   notEqual(gSSService, null, "SiteSecurityService should be initialized");
 
   // Initializing the certificate DB will cause NSS-initialization, which in
   // turn initializes the site security service. Since we're in part testing
   // that the site security service correctly reads its state file, we have to
   // make sure it doesn't start up before we've populated the file
   certdb = Cc["@mozilla.org/security/x509certdb;1"]
              .getService(Ci.nsIX509CertDB);
 
   loadCert("pinningroot", "CTu,CTu,CTu");
   loadCert("badca", "CTu,CTu,CTu");
 
   // the written entry is for a.pinning2.example.com without subdomains
   // and b.pinning2.example.com with subdomains
-  checkFail(certFromFile("a.pinning2.example.com-badca"),
-            "a.pinning2.example.com");
-  checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
-          "a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-badca"),
-          "x.a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
-          "x.a.pinning2.example.com");
+  await checkFail(certFromFile("a.pinning2.example.com-badca"),
+                  "a.pinning2.example.com");
+  await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+                "a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+                "x.a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+                "x.a.pinning2.example.com");
 
-  checkFail(certFromFile("b.pinning2.example.com-badca"),
-            "b.pinning2.example.com");
-  checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
-          "b.pinning2.example.com");
-  checkFail(certFromFile("x.b.pinning2.example.com-badca"),
-            "x.b.pinning2.example.com");
-  checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
-          "x.b.pinning2.example.com");
+  await checkFail(certFromFile("b.pinning2.example.com-badca"),
+                  "b.pinning2.example.com");
+  await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+                "b.pinning2.example.com");
+  await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+                  "x.b.pinning2.example.com");
+  await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+                "x.b.pinning2.example.com");
 
   checkDefaultSiteHPKPStatus();
 
 
   // add includeSubdomains to a.pinning2.example.com
   gSSService.setKeyPins("a.pinning2.example.com", true,
                         new Date().getTime() + 1000000, 2,
                         [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
-  checkFail(certFromFile("a.pinning2.example.com-badca"),
-            "a.pinning2.example.com");
-  checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
-          "a.pinning2.example.com");
-  checkFail(certFromFile("x.a.pinning2.example.com-badca"),
-            "x.a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
-          "x.a.pinning2.example.com");
-  checkFail(certFromFile("b.pinning2.example.com-badca"),
-            "b.pinning2.example.com");
-  checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
-          "b.pinning2.example.com");
-  checkFail(certFromFile("x.b.pinning2.example.com-badca"),
-            "x.b.pinning2.example.com");
-  checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
-          "x.b.pinning2.example.com");
+  await checkFail(certFromFile("a.pinning2.example.com-badca"),
+                  "a.pinning2.example.com");
+  await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+                "a.pinning2.example.com");
+  await checkFail(certFromFile("x.a.pinning2.example.com-badca"),
+                  "x.a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+                "x.a.pinning2.example.com");
+  await checkFail(certFromFile("b.pinning2.example.com-badca"),
+                  "b.pinning2.example.com");
+  await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+                "b.pinning2.example.com");
+  await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+                  "x.b.pinning2.example.com");
+  await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+                "x.b.pinning2.example.com");
 
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HPKP,
        Services.io.newURI("https://a.pinning2.example.com"), 0),
      "a.pinning2.example.com should still have HPKP status after adding" +
      " includeSubdomains to a.pinning2.example.com");
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HPKP,
        Services.io.newURI("https://x.a.pinning2.example.com"), 0),
      "x.a.pinning2.example.com should now have HPKP status after adding" +
      " includeSubdomains to a.pinning2.example.com");
 
   // Now setpins without subdomains
   gSSService.setKeyPins("a.pinning2.example.com", false,
                         new Date().getTime() + 1000000, 2,
                         [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
-  checkFail(certFromFile("a.pinning2.example.com-badca"),
-            "a.pinning2.example.com");
-  checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
-          "a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-badca"),
-          "x.a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
-          "x.a.pinning2.example.com");
+  await checkFail(certFromFile("a.pinning2.example.com-badca"),
+                  "a.pinning2.example.com");
+  await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+                "a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+                "x.a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+                "x.a.pinning2.example.com");
 
-  checkFail(certFromFile("b.pinning2.example.com-badca"),
-            "b.pinning2.example.com");
-  checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
-          "b.pinning2.example.com");
-  checkFail(certFromFile("x.b.pinning2.example.com-badca"),
-            "x.b.pinning2.example.com");
-  checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
-          "x.b.pinning2.example.com");
+  await checkFail(certFromFile("b.pinning2.example.com-badca"),
+                  "b.pinning2.example.com");
+  await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+                "b.pinning2.example.com");
+  await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+                  "x.b.pinning2.example.com");
+  await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+                "x.b.pinning2.example.com");
 
   checkDefaultSiteHPKPStatus();
 
   // failure to insert new pin entry leaves previous pin behavior
   throws(() => {
     gSSService.setKeyPins("a.pinning2.example.com", true,
                           new Date().getTime() + 1000000, 1, ["not a hash"]);
   }, /NS_ERROR_ILLEGAL_VALUE/, "Attempting to set an invalid pin should fail");
-  checkFail(certFromFile("a.pinning2.example.com-badca"),
-            "a.pinning2.example.com");
-  checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
-          "a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-badca"),
-          "x.a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
-          "x.a.pinning2.example.com");
+  await checkFail(certFromFile("a.pinning2.example.com-badca"),
+                  "a.pinning2.example.com");
+  await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+                "a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+                "x.a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+                "x.a.pinning2.example.com");
 
-  checkFail(certFromFile("b.pinning2.example.com-badca"),
-            "b.pinning2.example.com");
-  checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
-          "b.pinning2.example.com");
-  checkFail(certFromFile("x.b.pinning2.example.com-badca"),
-            "x.b.pinning2.example.com");
-  checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
-          "x.b.pinning2.example.com");
+  await checkFail(certFromFile("b.pinning2.example.com-badca"),
+                  "b.pinning2.example.com");
+  await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+                "b.pinning2.example.com");
+  await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+                  "x.b.pinning2.example.com");
+  await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+                "x.b.pinning2.example.com");
 
   checkDefaultSiteHPKPStatus();
 
   // Incorrect size results in failure
   throws(() => {
     gSSService.setKeyPins("a.pinning2.example.com", true,
                           new Date().getTime() + 1000000, 2, ["not a hash"]);
   }, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/,
@@ -238,56 +250,51 @@ function checkStateRead(aSubject, aTopic
        Ci.nsISiteSecurityService.HEADER_HPKP,
        Services.io.newURI("https://include-subdomains.pinning.example.com"), 0),
      "Built-in include-subdomains.pinning.example.com should have HPKP status");
 
   gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(),
                         1, [NON_ISSUED_KEY_HASH]);
 
   // Check that a preload pin loaded from file works as expected
-  checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
-  checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
+  await checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
+  await checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
 
   // Check a dynamic addition works as expected
   // first, it should succeed with the badCA - because there's no pin
-  checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
+  await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
   // then we add a pin, and we should get a failure (ensuring the expiry is
   // after the test timeout)
   gSSService.setKeyPins("b.preload.example.com", false,
                         new Date().getTime() + 1000000, 2,
                         [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH], true);
-  checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
-
-  do_timeout(1250, checkExpiredState);
+  await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
 }
 
-function checkExpiredState() {
-  checkOK(certFromFile("a.pinning2.example.com-badca"),
-          "a.pinning2.example.com");
-  checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
-          "a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-badca"),
-          "x.a.pinning2.example.com");
-  checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
-          "x.a.pinning2.example.com");
+async function checkExpiredState() {
+  await checkOK(certFromFile("a.pinning2.example.com-badca"),
+                "a.pinning2.example.com");
+  await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+                "a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+                "x.a.pinning2.example.com");
+  await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+                "x.a.pinning2.example.com");
 
-  checkFail(certFromFile("b.pinning2.example.com-badca"),
-          "b.pinning2.example.com");
-  checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
-          "b.pinning2.example.com");
-  checkFail(certFromFile("x.b.pinning2.example.com-badca"),
-          "x.b.pinning2.example.com");
-  checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
-          "x.b.pinning2.example.com");
-  checkPreloadClear();
+  await checkFail(certFromFile("b.pinning2.example.com-badca"),
+                "b.pinning2.example.com");
+  await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+                "b.pinning2.example.com");
+  await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+                "x.b.pinning2.example.com");
+  await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+                "x.b.pinning2.example.com");
 }
 
-function checkPreloadClear() {
+async function checkPreloadClear() {
   // Check that the preloaded pins still work after private data is cleared
   gSSService.clearAll();
-  checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
+  await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
 
   // Check that the preloaded pins are cleared when we clear preloads
   gSSService.clearPreloads();
-  checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
-
-  do_test_finished();
+  await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
 }
--- a/security/manager/ssl/tests/unit/test_startcom_wosign.js
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js
@@ -7,37 +7,41 @@
 // certificates have a notBefore before 21 October 2016, they are handled
 // normally. Otherwise, they are treated as revoked.
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function loadCertWithTrust(certName, trustString) {
-  addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString);
+  addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem",
+                  trustString);
 }
 
 function certFromFile(certName) {
   return constructCertFromFile("test_startcom_wosign/" + certName + ".pem");
 }
 
 function checkEndEntity(cert, expectedResult) {
   // (new Date("2016-11-01")).getTime() / 1000
   const VALIDATION_TIME = 1477958400;
-  checkCertErrorGenericAtTime(certdb, cert, expectedResult,
-                              certificateUsageSSLServer, VALIDATION_TIME);
+  return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+                                     certificateUsageSSLServer,
+                                     VALIDATION_TIME);
 }
 
-loadCertWithTrust("ca", "CTu,,");
-// This is not a real StartCom CA - it merely has the same distinguished name as
-// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2",
-// encoded with PrintableStrings). By checking for specific DNs, we can enforce
-// the date-based policy in a way that is testable.
-loadCertWithTrust("StartComCA", ",,");
-checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
-checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+add_task(async function() {
+  loadCertWithTrust("ca", "CTu,,");
+  // This is not a real StartCom CA - it merely has the same distinguished name
+  // as one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
+  // G2", encoded with PrintableStrings). By checking for specific DNs, we can
+  // enforce the date-based policy in a way that is testable.
+  loadCertWithTrust("StartComCA", ",,");
+  await checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
 
-// Similarly, this is not a real WoSign CA. It has the same distinguished name
-// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded
-// with PrintableStrings).
-loadCertWithTrust("WoSignCA", ",,");
-checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
-checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+  // Similarly, this is not a real WoSign CA. It has the same distinguished name
+  // as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign",
+  // encoded with PrintableStrings).
+  loadCertWithTrust("WoSignCA", ",,");
+  await checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+});
--- a/security/manager/ssl/tests/unit/test_symantec_apple_google.js
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@@ -64,27 +64,25 @@ add_test(function() {
 });
 
 add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
                     MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
                     null, null);
 
 // Load the wildcard *.google.com cert and its intermediate, then verify
 // it at a reasonable time and make sure the whitelists work
-function run_test() {
+add_task(async function() {
   addCertFromFile(certDB, "test_symantec_apple_google/real-google-g2-intermediate.pem", ",,");
   let whitelistedCert = constructCertFromFile("test_symantec_apple_google/real-googlecom.pem");
 
   // Since we don't want to actually try to fetch OCSP for this certificate,
   // (as an external fetch is bad in the tests), disable OCSP first.
   Services.prefs.setIntPref("security.OCSP.enabled", 0);
 
   Services.prefs.setIntPref("security.pki.distrust_ca_policy",
                             /* DistrustedCAPolicy::DistrustSymantecRoots */ 1);
 
   // (new Date("2018-02-16")).getTime() / 1000
   const VALIDATION_TIME = 1518739200;
 
-  checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
-                              certificateUsageSSLServer, VALIDATION_TIME);
-
-  run_next_test();
-}
+  await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
+                                    certificateUsageSSLServer, VALIDATION_TIME);
+});
--- a/security/manager/ssl/tests/unit/test_validity.js
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -22,70 +22,66 @@ function certFromFile(filename) {
   return constructCertFromFile(`test_validity/${filename}`);
 }
 
 function loadCert(certFilename, trustString) {
   addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
 }
 
 /**
- * Adds a single EV test.
+ * Asynchronously runs a single EV test.
  *
  * @param {Array} expectedNamesForOCSP
  *        An array of nicknames of the certs to be responded to.
  * @param {String} rootCertFileName
  *        The file name of the root cert. Can begin with ".." to reference
  *        certs in folders other than "test_validity/".
  * @param {Array} intCertFileNames
  *        An array of file names of any intermediate certificates.
  * @param {String} endEntityCertFileName
  *        The file name of the end entity cert.
  * @param {Boolean} expectedResult
  *        Whether the chain is expected to validate as EV.
  */
-function addEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
-                   endEntityCertFileName, expectedResult) {
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+async function doEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
+                        endEntityCertFileName, expectedResult) {
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
 
-    loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
-    for (let intCertFileName of intCertFileNames) {
-      loadCert(`${intCertFileName}.pem`, ",,");
-    }
-    checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`),
-                  certificateUsageSSLServer, expectedResult);
+  loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+  for (let intCertFileName of intCertFileNames) {
+    loadCert(`${intCertFileName}.pem`, ",,");
+  }
+  await checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`),
+                certificateUsageSSLServer, expectedResult);
 
-    ocspResponder.stop(run_next_test);
-  });
+  await stopOCSPResponder(ocspResponder);
 }
 
-function checkEVChains() {
+async function checkEVChains() {
   // Chain with an end entity cert with a validity period that is acceptable
   // for EV.
   const intFullName = "ev_int_60_months-evroot";
   let eeFullName = `ev_ee_27_months-${intFullName}`;
   let expectedNamesForOCSP = gEVExpected
                            ? [ intFullName,
                                eeFullName ]
                            : [ eeFullName ];
-  addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
-            eeFullName, gEVExpected);
+  await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot",
+                 [ intFullName ], eeFullName, gEVExpected);
 
   // Chain with an end entity cert with a validity period that is too long
   // for EV.
   eeFullName = `ev_ee_28_months-${intFullName}`;
   expectedNamesForOCSP = gEVExpected
                            ? [ intFullName,
                                eeFullName ]
                            : [ eeFullName ];
-  addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
-            eeFullName, false);
+  await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot",
+                 [ intFullName ], eeFullName, false);
 }
 
-function run_test() {
+add_task(async function () {
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
-  checkEVChains();
-
-  run_next_test();
-}
+  await checkEVChains();
+});