bug 1435858 - add a canary test that will fail before all of the test certificates expire r=Alex_Gaynor,jcj

This test should remind us to regenerate the test certificates next year before they actually expire.

Differential Revision: https://phabricator.services.mozilla.com/D21065

--HG--
extra : moz-landing-system : lando

security/manager/ssl/tests/unit/test_cert_expiration_canary.js

@@ -0,0 +1,23 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Attempts to verify a certificate for a time a few weeks into the future in
+// the hopes of avoiding mass test failures when the certificates all expire.
+// If this test fails, the certificates probably need to be regenerated.
+// See bug 1525191.
+add_task(async function() {
+  do_get_profile();
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+  addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
+  let threeWeeksFromNowInSeconds = (Date.now() / 1000) +
+                                   (3 * 7 * 24 * 60 * 60);
+  let ee = constructCertFromFile("bad_certs/default-ee.pem");
+  await checkCertErrorGenericAtTime(certDB, ee, PRErrorCodeSuccess,
+                                    certificateUsageSSLServer,
+                                    threeWeeksFromNowInSeconds, false,
+                                    "test.example.com");
+});

security/manager/ssl/tests/unit/xpcshell.ini

@@ -53,6 +53,8 @@ run-sequentially = hardcoded ports
 [test_cert_dbKey.js]
 [test_cert_eku.js]
 [test_cert_embedded_null.js]
+[test_cert_expiration_canary.js]
+run-if = nightly_build
 [test_cert_keyUsage.js]
 [test_cert_isBuiltInRoot.js]
 [test_cert_isBuiltInRoot_reload.js]