Bug 996872 - Reduce calls to getXPCOMStatusFromNSS() in PSM xpcshell tests. r=keeler relanding on a CLOSED TREE
authorCykesiopka <cykesiopka.bmo@gmail.com>
Wed, 25 Mar 2015 17:29:05 -0700
changeset 266075 8018a7d00bab98b66a6aca30bf5e22349e124272
parent 266074 313dfa7058c837f0e3a38950971ff6cd24448d24
child 266076 9711c8b664ea3fcb5ce9048caccfef885db41026
push id830
push userraliiev@mozilla.com
push dateFri, 19 Jun 2015 19:24:37 +0000
treeherdermozilla-release@932614382a68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs996872
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 996872 - Reduce calls to getXPCOMStatusFromNSS() in PSM xpcshell tests. r=keeler relanding on a CLOSED TREE
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_cert_chains.js
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_client_cert.js
security/manager/ssl/tests/unit/test_nsCertType.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
security/manager/ssl/tests/unit/test_ocsp_timeout.js
security/manager/ssl/tests/unit/test_pinning.js
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -25,16 +25,20 @@ const isDebugBuild = Cc["@mozilla.org/xp
 const gEVExpected = isDebugBuild && !("@mozilla.org/b2g-process-global;1" in Cc);
 
 const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.txt";
 
 const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
 const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
 const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
 
+// This isn't really a valid PRErrorCode, but is useful for signalling that
+// a test is expected to succeed.
+const PRErrorCodeSuccess = 0;
+
 // Sort in numerical order
 const SEC_ERROR_INVALID_ARGS                            = SEC_ERROR_BASE +   5; // -8187
 const SEC_ERROR_INVALID_TIME                            = SEC_ERROR_BASE +   8;
 const SEC_ERROR_BAD_DER                                 = SEC_ERROR_BASE +   9;
 const SEC_ERROR_EXPIRED_CERTIFICATE                     = SEC_ERROR_BASE +  11;
 const SEC_ERROR_REVOKED_CERTIFICATE                     = SEC_ERROR_BASE +  12; // -8180
 const SEC_ERROR_UNKNOWN_ISSUER                          = SEC_ERROR_BASE +  13;
 const SEC_ERROR_BAD_DATABASE                            = SEC_ERROR_BASE +  18;
@@ -211,42 +215,52 @@ function clearSessionCache() {
 
 // <documentation on your test>
 
 function run_test() {
   do_get_profile();
   add_tls_server_setup("<test-server-name>");
 
   add_connection_test("<test-name-1>.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_xxx),
+                      SEC_ERROR_xxx,
                       function() { ... },
                       function(aTransportSecurityInfo) { ... },
                       function(aTransport) { ... });
   [...]
-  add_connection_test("<test-name-n>.example.com", Cr.NS_OK);
+  add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess);
 
   run_next_test();
 }
 
 */
 function add_tls_server_setup(serverBinName) {
   add_test(function() {
     _setupTLSServerTest(serverBinName);
   });
 }
 
-// Add a TLS connection test case. aHost is the hostname to pass in the SNI TLS
-// extension; this should unambiguously identifiy which test is being run.
-// aExpectedResult is the expected nsresult of the connection.
-// aBeforeConnect is a callback function that takes no arguments that will be
-// called before the connection is attempted.
-// aWithSecurityInfo is a callback function that takes an
-// nsITransportSecurityInfo, which is called after the TLS handshake succeeds.
-// aAfterStreamOpen is a callback function that is called with the
-// nsISocketTransport once the output stream is ready.
+/**
+ * Add a TLS connection test case.
+ *
+ * @param {String} aHost
+ *   The hostname to pass in the SNI TLS extension; this should unambiguously
+ *   identify which test is being run.
+ * @param {PRErrorCode} aExpectedResult
+ *   The expected result of the connection. If an error is not expected, pass
+ *   in PRErrorCodeSuccess.
+ * @param {Function} aBeforeConnect
+ *   A callback function that takes no arguments that will be called before the
+ *   connection is attempted.
+ * @param {Function} aWithSecurityInfo
+ *   A callback function that takes an nsITransportSecurityInfo, which is called
+ *   after the TLS handshake succeeds.
+ * @param {Function} aAfterStreamOpen
+ *   A callback function that is called with the nsISocketTransport once the
+ *   output stream is ready.
+ */
 function add_connection_test(aHost, aExpectedResult,
                              aBeforeConnect, aWithSecurityInfo,
                              aAfterStreamOpen) {
   const REMOTE_PORT = 8443;
 
   function Connection(aHost) {
     this.host = aHost;
     let threadManager = Cc["@mozilla.org/thread-manager;1"]
@@ -320,17 +334,19 @@ function add_connection_test(aHost, aExp
   }
 
   add_test(function() {
     if (aBeforeConnect) {
       aBeforeConnect();
     }
     connectTo(aHost).then(function(conn) {
       do_print("handling " + aHost);
-      do_check_eq(conn.result, aExpectedResult);
+      do_check_eq(conn.result, aExpectedResult == PRErrorCodeSuccess
+                               ? Cr.NS_OK
+                               : getXPCOMStatusFromNSS(aExpectedResult));
       if (aWithSecurityInfo) {
         aWithSecurityInfo(conn.transport.securityInfo
                               .QueryInterface(Ci.nsITransportSecurityInfo));
       }
       run_next_test();
     });
   });
 }
--- a/security/manager/ssl/tests/unit/test_cert_chains.js
+++ b/security/manager/ssl/tests/unit/test_cert_chains.js
@@ -69,42 +69,42 @@ function run_test() {
   add_test(function() {
     test_cert_list_serialization();
     run_next_test();
   });
 
   // Test successful connection (failedCertChain should be null)
   add_connection_test(
     // re-use pinning certs (keeler)
-    "good.include-subdomains.pinning.example.com", Cr.NS_OK, null,
+    "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
     function withSecurityInfo(aTransportSecurityInfo) {
       aTransportSecurityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
       test_security_info_serialization(aTransportSecurityInfo, 0);
       do_check_eq(aTransportSecurityInfo.failedCertChain, null);
     }
   );
 
   // Test overrideable connection failure (failedCertChain should be non-null)
   add_connection_test(
     "expired.example.com",
-    getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE),
+    SEC_ERROR_EXPIRED_CERTIFICATE,
     null,
     function withSecurityInfo(securityInfo) {
       securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
       test_security_info_serialization(securityInfo, SEC_ERROR_EXPIRED_CERTIFICATE);
       do_check_neq(securityInfo.failedCertChain, null);
       let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]);
       do_check_true(originalCertChain.equals(securityInfo.failedCertChain));
     }
   );
 
   // Test non-overrideable error (failedCertChain should be non-null)
   add_connection_test(
     "inadequatekeyusage.example.com",
-    getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
+    SEC_ERROR_INADEQUATE_KEY_USAGE,
     null,
     function withSecurityInfo(securityInfo) {
       securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
       test_security_info_serialization(securityInfo, SEC_ERROR_INADEQUATE_KEY_USAGE);
       do_check_neq(securityInfo.failedCertChain, null);
       let originalCertChain = build_cert_chain(["inadequatekeyusage-ee", "test-ca"]);
       do_check_true(originalCertChain.equals(securityInfo.failedCertChain));
     }
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -26,22 +26,22 @@ function add_cert_override(aHost, aExpec
   let cert = sslstatus.serverCert;
   certOverrideService.rememberValidityOverride(aHost, 8443, cert, aExpectedBits,
                                                true);
 }
 
 function add_cert_override_test(aHost, aExpectedBits, aExpectedError) {
   add_connection_test(aHost, aExpectedError, null,
                       add_cert_override.bind(this, aHost, aExpectedBits));
-  add_connection_test(aHost, Cr.NS_OK);
+  add_connection_test(aHost, PRErrorCodeSuccess);
 }
 
 function add_non_overridable_test(aHost, aExpectedError) {
   add_connection_test(
-    aHost, getXPCOMStatusFromNSS(aExpectedError), null,
+    aHost, aExpectedError, null,
     function (securityInfo) {
       // bug 754369 - no SSLStatus probably means this is a non-overridable
       // error, which is what we're testing (although it would be best to test
       // this directly).
       securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
       do_check_eq(securityInfo.SSLStatus, null);
     });
 }
@@ -98,54 +98,51 @@ function run_test() {
   });
 
   run_next_test();
 }
 
 function add_simple_tests() {
   add_cert_override_test("expired.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
+                         SEC_ERROR_EXPIRED_CERTIFICATE);
   add_cert_override_test("notyetvalid.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                           MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE));
+                         MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE);
   add_cert_override_test("before-epoch.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME));
+                         SEC_ERROR_INVALID_TIME);
   add_cert_override_test("selfsigned.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
   add_cert_override_test("unknownissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
   add_cert_override_test("expiredissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+                         SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
   add_cert_override_test("notyetvalidissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                           MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE));
+                         MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE);
   add_cert_override_test("before-epoch-issuer.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME));
+                         SEC_ERROR_INVALID_TIME);
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
+                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
-                         getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
+                         SSL_ERROR_BAD_CERT_DOMAIN);
 
   // A Microsoft IIS utility generates self-signed certificates with
   // properties similar to the one this "host" will present (see
   // tlsserver/generate_certs.sh).
   add_cert_override_test("selfsigned-inadequateEKU.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
 
   add_non_overridable_test("inadequatekeyusage.example.com",
                            SEC_ERROR_INADEQUATE_KEY_USAGE);
 
   // This is intended to test the case where a verification has failed for one
   // overridable reason (e.g. unknown issuer) but then, in the process of
   // reporting that error, a non-overridable error is encountered. The
   // non-overridable error should be prioritized.
@@ -161,93 +158,93 @@ function add_simple_tests() {
     run_next_test();
   });
 
   // Bug 990603: Apache documentation has recommended generating a self-signed
   // test certificate with basic constraints: CA:true. For compatibility, this
   // is a scenario in which an override is allowed.
   add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
 
   add_cert_override_test("ca-used-as-end-entity.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
+                         MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
 
   // If an X.509 version 1 certificate is not a trust anchor, we will
   // encounter an overridable error.
   add_cert_override_test("end-entity-issued-by-v1-cert.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA));
+                         MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
   // If we make that certificate a trust anchor, the connection will succeed.
   add_test(function() {
     certOverrideService.clearValidityOverride("end-entity-issued-by-v1-cert.example.com", 8443);
     let v1Cert = constructCertFromFile("tlsserver/v1Cert.der");
     setCertTrust(v1Cert, "CTu,,");
     clearSessionCache();
     run_next_test();
   });
-  add_connection_test("end-entity-issued-by-v1-cert.example.com", Cr.NS_OK);
+  add_connection_test("end-entity-issued-by-v1-cert.example.com",
+                      PRErrorCodeSuccess);
   // Reset the trust for that certificate.
   add_test(function() {
     let v1Cert = constructCertFromFile("tlsserver/v1Cert.der");
     setCertTrust(v1Cert, ",,");
     clearSessionCache();
     run_next_test();
   });
 
   // Due to compatibility issues, we allow overrides for certificates issued by
   // certificates that are not valid CAs.
   add_cert_override_test("end-entity-issued-by-non-CA.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID));
+                         SEC_ERROR_CA_CERT_INVALID);
 
   add_cert_override_test("inadequate-key-size-ee.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE));
+                         MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
 function add_combo_tests() {
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
+                         SSL_ERROR_BAD_CERT_DOMAIN);
   add_cert_override_test("mismatch-notYetValid.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
+                         SSL_ERROR_BAD_CERT_DOMAIN);
   add_cert_override_test("mismatch-untrusted.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
   add_cert_override_test("untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
   add_cert_override_test("mismatch-untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                         SEC_ERROR_UNKNOWN_ISSUER);
 
   add_cert_override_test("md5signature-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                            SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
+                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
 
   add_cert_override_test("ca-used-as-end-entity-name-mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
+                         MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
 }
 
 function add_distrust_tests() {
   // Before we specifically distrust this certificate, it should be trusted.
-  add_connection_test("untrusted.example.com", Cr.NS_OK);
+  add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
 
   add_distrust_test("tlsserver/default-ee.der", "untrusted.example.com",
                     SEC_ERROR_UNTRUSTED_CERT);
 
   add_distrust_test("tlsserver/other-test-ca.der",
                     "untrustedissuer.example.com", SEC_ERROR_UNTRUSTED_ISSUER);
 
   add_distrust_test("tlsserver/test-ca.der",
--- a/security/manager/ssl/tests/unit/test_client_cert.js
+++ b/security/manager/ssl/tests/unit/test_client_cert.js
@@ -38,30 +38,30 @@ function run_test() {
       clientCert = cert;
       break;
     }
   }
   ok(clientCert, "Client cert found");
 
   add_tls_server_setup("ClientAuthServer");
 
-  add_connection_test("noclientauth.example.com", Cr.NS_OK);
+  add_connection_test("noclientauth.example.com", PRErrorCodeSuccess);
 
-  add_connection_test("requestclientauth.example.com", Cr.NS_OK);
-  add_connection_test("requestclientauth.example.com", Cr.NS_OK,
+  add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess);
+  add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess,
                       null, null, transport => {
     do_print("Setting client cert on transport");
     let sslSocketControl = transport.securityInfo
                            .QueryInterface(Ci.nsISSLSocketControl);
     sslSocketControl.clientCert = clientCert;
   });
 
   add_connection_test("requireclientauth.example.com",
-                      getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_ALERT));
-  add_connection_test("requireclientauth.example.com", Cr.NS_OK,
+                      SSL_ERROR_BAD_CERT_ALERT);
+  add_connection_test("requireclientauth.example.com", PRErrorCodeSuccess,
                       null, null, transport => {
     do_print("Setting client cert on transport");
     let sslSocketControl =
       transport.securityInfo.QueryInterface(Ci.nsISSLSocketControl);
     sslSocketControl.clientCert = clientCert;
   });
 
   run_next_test();
--- a/security/manager/ssl/tests/unit/test_nsCertType.js
+++ b/security/manager/ssl/tests/unit/test_nsCertType.js
@@ -14,14 +14,15 @@
 //   Otherwise, we reject it with an error indicating an unknown critical
 //   extension.
 
 "use strict";
 
 function run_test() {
   do_get_profile();
   add_tls_server_setup("BadCertServer");
-  add_connection_test("nsCertTypeNotCritical.example.com", Cr.NS_OK);
-  add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com", Cr.NS_OK);
+  add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess);
+  add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com",
+                      PRErrorCodeSuccess);
   add_connection_test("nsCertTypeCritical.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION));
+                      SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -48,24 +48,24 @@ function run_test() {
 
 function add_tests() {
   // This test assumes that OCSPStaplingServer uses the same cert for
   // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
 
   // Get an Unknown response for the *.exmaple.com cert and put it in the
   // OCSP cache.
   add_connection_test("ocsp-stapling-unknown.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                      SEC_ERROR_OCSP_UNKNOWN_CERT,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); });
 
   // A failure to retrieve an OCSP response must result in the cached Unkown
   // response being recognized and honored.
   add_connection_test("ocsp-stapling-none.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                      SEC_ERROR_OCSP_UNKNOWN_CERT,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
   // A valid Good response from the OCSP responder must override the cached
   // Unknown response.
   //
   // Note that We need to make sure that the Unknown response and the Good
   // response have different thisUpdate timestamps; otherwise, the Good
@@ -76,48 +76,48 @@ function add_tests() {
     do_print("Sleeping for " + duration + "ms");
     let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
     timer.initWithCallback(run_next_test, duration, Ci.nsITimer.TYPE_ONE_SHOT);
   });
   add_test(function() {
     gGoodOCSPResponse = generateGoodOCSPResponse();
     run_next_test();
   });
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
 
   // The Good response retrieved from the previous fetch must have replaced
   // the Unknown response in the cache, resulting in the catched Good response
   // being returned and no fetch.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
 
 
   //---------------------------------------------------------------------------
 
   // Reset state
   add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
 
   // A failure to retrieve an OCSP response will result in an error entry being
   // added to the cache.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
   // The error entry will prevent a fetch from happening for a while.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
   // The error entry must not prevent a stapled OCSP response from being
   // honored.
   add_connection_test("ocsp-stapling-revoked.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                      SEC_ERROR_REVOKED_CERTIFICATE,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
   //---------------------------------------------------------------------------
 
   // Reset state
   add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -29,17 +29,17 @@ function run_test() {
   ocspResponder.start(8888);
 
   // ocsp-stapling-none.example.com does not staple an OCSP response in the
   // handshake, so the revocation checking code will attempt to fetch one.
   // Since the domain of the certificate's OCSP AIA URI is an HSTS host
   // (as added in the setup of this test, below), a buggy implementation would
   // upgrade the OCSP request to HTTPS. We specifically prevent this. This
   // test demonstrates that our implementation is correct in this regard.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
   add_test(function () { run_next_test(); });
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let uri = Services.io.newURI("http://localhost", null, null);
   let sslStatus = new FakeSSLStatus();
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -37,17 +37,17 @@ function run_test() {
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
 
 function add_tests()
 {
   add_connection_test("ocsp-stapling-none.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
+                      SEC_ERROR_OCSP_BAD_SIGNATURE);
   add_connection_test("ocsp-stapling-none.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
+                      SEC_ERROR_OCSP_BAD_SIGNATURE);
   add_test(function () {
     do_check_eq(gOCSPRequestCount, 1);
     gOCSPRequestCount = 0;
     run_next_test();
   });
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -18,139 +18,156 @@ function add_ocsp_test(aHost, aExpectedR
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
 function add_tests(certDB, otherTestCA) {
   // In the absence of OCSP stapling, these should actually all work.
-  add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-unauthorized.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-unknown.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-good-other.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-critical-extension.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, false);
-  add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, false);
+  add_ocsp_test("ocsp-stapling-good.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-revoked.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-malformed.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-srverr.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-trylater.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-needssig.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-unauthorized.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-unknown.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-good-other.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-none.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-critical-extension.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
+                PRErrorCodeSuccess, false);
+  add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
+                PRErrorCodeSuccess, false);
 
   // Now test OCSP stapling
   // The following error codes are defined in security/nss/lib/util/SECerrs.h
 
-  add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
+  add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
 
   add_ocsp_test("ocsp-stapling-revoked.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
+                SEC_ERROR_REVOKED_CERTIFICATE, true);
 
   // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
   // depends on whether the CA that signed the response is a trusted CA
   // (but only with the classic implementation - mozilla::pkix always
   // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
 
   // This stapled response is from a CA that is untrusted and did not issue
   // the server's certificate.
   add_test(function() {
     certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
                         Ci.nsIX509CertDB.UNTRUSTED);
     run_next_test();
   });
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
 
   // The stapled response is from a CA that is trusted but did not issue the
   // server's certificate.
   add_test(function() {
     certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
                         Ci.nsIX509CertDB.TRUSTED_SSL);
     run_next_test();
   });
   // TODO(bug 979055): When using ByName instead of ByKey, the error here is
   // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
-                true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
 
   // TODO: Test the case where the signing cert can't be found at all, which
   // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
 
   add_ocsp_test("ocsp-stapling-malformed.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_REQUEST), true);
+                SEC_ERROR_OCSP_MALFORMED_REQUEST, true);
   add_ocsp_test("ocsp-stapling-srverr.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR), true);
+                SEC_ERROR_OCSP_SERVER_ERROR, true);
   add_ocsp_test("ocsp-stapling-trylater.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_TRY_SERVER_LATER), true);
+                SEC_ERROR_OCSP_TRY_SERVER_LATER, true);
   add_ocsp_test("ocsp-stapling-needssig.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
+                SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true);
   add_ocsp_test("ocsp-stapling-unauthorized.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST),
-                true);
+                SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true);
   add_ocsp_test("ocsp-stapling-unknown.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
+                SEC_ERROR_OCSP_UNKNOWN_CERT, true);
   add_ocsp_test("ocsp-stapling-good-other.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
+                SEC_ERROR_OCSP_UNKNOWN_CERT, true);
   // If the server doesn't staple an OCSP response, we continue as normal
   // (this means that even though stapling is enabled, we expect an OCSP
   // request).
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
     function() {
       gExpectOCSPRequest = true;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
+                SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
 
   add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
+                SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
 
   add_ocsp_test("ocsp-stapling-critical-extension.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
-                true);
-  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
+                SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true);
+  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
+                PRErrorCodeSuccess, true);
   // TODO(bug 997994): Disallow empty Extensions in responses
-  add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
+  add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
+                PRErrorCodeSuccess, true);
 
-  add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
-  add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
+  add_ocsp_test("ocsp-stapling-delegated-included.example.com",
+                PRErrorCodeSuccess, true);
+  add_ocsp_test("ocsp-stapling-delegated-included-last.example.com",
+                PRErrorCodeSuccess, true);
   add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
 
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
 
   // Check that OCSP responder certificates with key sizes below 1024 bits are
   // rejected, even when the main certificate chain keys are at least 1024 bits.
   add_ocsp_test("keysize-ocsp-delegated.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
-                true);
+                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
 
   add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
+                SEC_ERROR_REVOKED_CERTIFICATE, true);
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
   do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -65,91 +65,91 @@ function run_test() {
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
   // staples an expired OCSP response. The certificate has not expired.
   // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
   // server staples an OCSP response with a recent signature but with an
   // out-of-date validity period. The certificate has not expired.
-  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-expired.example.com", PRErrorCodeSuccess,
                 ocspResponseGood);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", PRErrorCodeSuccess,
                 ocspResponseGood);
   // if we can't fetch a more recent response when
   // given an expired stapled response, we terminate the connection.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 null);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
+                SEC_ERROR_OCSP_OLD_RESPONSE,
                 null);
   // Of course, if the newer response indicates Revoked or Unknown,
   // that status must be returned.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                SEC_ERROR_REVOKED_CERTIFICATE,
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                SEC_ERROR_REVOKED_CERTIFICATE,
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                SEC_ERROR_OCSP_UNKNOWN_CERT,
                 ocspResponseUnknown);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                SEC_ERROR_OCSP_UNKNOWN_CERT,
                 ocspResponseUnknown);
 
   // If the response is expired but indicates Revoked or Unknown and a
   // newer status can't be fetched, the Revoked or Unknown status will
   // be returned.
   add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                SEC_ERROR_REVOKED_CERTIFICATE,
                 null);
   add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                SEC_ERROR_OCSP_UNKNOWN_CERT,
                 null);
   // If the response is expired but indicates Revoked or Unknown and
   // a newer status can be fetched and successfully verified, this
   // should result in a successful certificate verification.
-  add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com", PRErrorCodeSuccess,
                 ocspResponseGood);
-  add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com", PRErrorCodeSuccess,
                 ocspResponseGood);
   // If a newer status can be fetched but it fails to verify, the
   // Revoked or Unknown status of the expired stapled response
   // should be returned.
   add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                SEC_ERROR_REVOKED_CERTIFICATE,
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                SEC_ERROR_OCSP_UNKNOWN_CERT,
                 expiredOCSPResponseGood);
 
   // These tests are verifying that an valid but very old response
   // is rejected as a valid stapled response, requiring a fetch
   // from the ocsp responder.
-  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", PRErrorCodeSuccess,
                 ocspResponseGood);
   add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                SEC_ERROR_REVOKED_CERTIFICATE,
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                SEC_ERROR_OCSP_UNKNOWN_CERT,
                 ocspResponseUnknown);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(check_ocsp_stapling_telemetry);
   run_next_test();
 }
 
 function check_ocsp_stapling_telemetry() {
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -28,17 +28,18 @@ function run_test() {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     let body = "Refusing to return a response";
     response.bodyOutputStream.write(body, body.length);
   });
   ocspResponder.start(8888);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com",
+                PRErrorCodeSuccess);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -45,18 +45,18 @@ function add_tests_in_mode(useHardFail) 
   let startTime;
   add_test(function () {
     Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
     startTime = new Date();
     run_next_test();
   });
 
   add_connection_test("ocsp-stapling-none.example.com", useHardFail
-                      ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
-                      : Cr.NS_OK, clearSessionCache);
+                      ? SEC_ERROR_OCSP_SERVER_ERROR
+                      : PRErrorCodeSuccess, clearSessionCache);
 
   // Reset state
   add_test(function() {
     let endTime = new Date();
     let timeDifference = endTime - startTime;
     do_print(`useHardFail = ${useHardFail}`);
     do_print(`startTime = ${startTime.getTime()} (${startTime})`);
     do_print(`endTime = ${endTime.getTime()} (${endTime})`);
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -36,115 +36,134 @@ function test_strict() {
     Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
     run_next_test();
   });
 
   // If a host should be pinned but other errors (particularly overridable
   // errors) like 'unknown issuer' are encountered, the pinning error takes
   // precedence. This prevents overrides for such hosts.
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 
   // Issued by otherCA, which is not in the pinset for pinning.example.com.
   add_connection_test("bad.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 
   // Check that using a FQDN doesn't bypass pinning.
   add_connection_test("bad.include-subdomains.pinning.example.com.",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
   // For some reason this is also navigable (see bug 1118522).
   add_connection_test("bad.include-subdomains.pinning.example.com..",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 
   // These domains serve certs that match the pinset.
-  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("good.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
   // This domain serves a cert that doesn't match the pinset, but subdomains
   // are excluded.
-  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
   // This domain's pinset is exactly the same as
   // include-subdomains.pinning.example.com, serves the same cert as
   // bad.include-subdomains.pinning.example.com, but it should pass because
   // it's in test_mode.
-  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
+  add_connection_test("test-mode.pinning.example.com",
+                      PRErrorCodeSuccess);
 }
 
 function test_mitm() {
   // In MITM mode, we allow pinning to pass if the chain resolves to any
   // user-specified trust anchor, even if it is not in the pinset.
   add_test(function() {
     Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
     run_next_test();
   });
 
-  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("good.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                      SEC_ERROR_UNKNOWN_ISSUER);
 
   // In this case, even though otherCA is not in the pinset, it is a
   // user-specified trust anchor and the pinning check succeeds.
-  add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("bad.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
-  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
+  add_connection_test("exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
 };
 
 function test_disabled() {
   // Disable pinning.
   add_test(function() {
     Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
     run_next_test();
   });
 
-  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
+  add_connection_test("include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("good.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("bad.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
 
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
+                      SEC_ERROR_UNKNOWN_ISSUER);
 }
 
 function test_enforce_test_mode() {
   // In enforce test mode, we always enforce all pins, even test pins.
   add_test(function() {
     Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
     run_next_test();
   });
 
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 
   // Issued by otherCA, which is not in the pinset for pinning.example.com.
   add_connection_test("bad.include-subdomains.pinning.example.com",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 
   // These domains serve certs that match the pinset.
-  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("good.include-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
+  add_connection_test("exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
   // This domain serves a cert that doesn't match the pinset, but subdomains
   // are excluded.
-  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com",
+                      PRErrorCodeSuccess);
 
   // This domain's pinset is exactly the same as
   // include-subdomains.pinning.example.com, serves the same cert as
   // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
   // enforcing test mode pins.
   add_connection_test("test-mode.pinning.example.com",
-    getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
+                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
 }
 
 function check_pinning_telemetry() {
   let service = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry);
   let prod_histogram = service.getHistogramById("CERT_PINNING_RESULTS")
                          .snapshot();
   let test_histogram = service.getHistogramById("CERT_PINNING_TEST_RESULTS")
                          .snapshot();