[compat] StoreContext#verify raises on internal error like CRuby

CRuby's X509_verify_cert returns -1 on internal errors (e.g. reused
context) and raises StoreError. JRuby was treating any non-zero return
as true. Now matches CRuby's three-way: 1=true, 0=false, else raise.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kares

src/main/java/org/jruby/ext/openssl/X509StoreContext.java

@@ -158,12 +158,17 @@ public IRubyObject verify(final ThreadContext context) {
             storeContext.setExtraData(ossl_ssl_ex_vcb_idx, verify_callback);
         }
         try {
+            // match CRuby: 1 = true, 0 = false, anything else = raise
             final int result = storeContext.verifyCertificate();
-            return result != 0 ? runtime.getTrue() : runtime.getFalse();
+            if (result == 1) return runtime.getTrue();
+            if (result == 0) return runtime.getFalse();
+            throw newStoreError(runtime, "X509_verify_cert");
+        }
+        catch (RaiseException e) {
+            throw e;
         }
         catch (Exception e) {
             debugStackTrace(runtime, e);
-            // TODO: define suitable exception for jopenssl and catch it.
             throw newStoreError(runtime, e);
         }
     }

src/test/ruby/x509/test_x509store.rb

@@ -111,6 +111,16 @@ def test_store_time_accepts_integer
     assert store.verify(@cert)
   end
 
+  # CRuby raises StoreError when X509_verify_cert returns -1 (internal error).
+  # JRuby's verifyCertificate returns -1 when the StoreContext is reused.
+  def test_store_context_verify_raises_on_reuse
+    store = OpenSSL::X509::Store.new
+    store.add_file @ca_cert
+    ctx = OpenSSL::X509::StoreContext.new(store, @cert)
+    ctx.verify
+    assert_raise(OpenSSL::X509::StoreError) { ctx.verify }
+  end
+
   def test_use_non_existing_cert_file
     ENV['SSL_CERT_FILE'] = 'non-existing-file.crt'
     store = OpenSSL::X509::Store.new