RubyGems - ruby-sslyze - Versions diffs - 0.2.1 → 1.0.0 - Mend

ruby-sslyze 0.2.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

checksums.yaml +4 -4
data/.gitignore +6 -4
data/.travis.yml +15 -7
data/ChangeLog.md +29 -12
data/Gemfile +3 -2
data/LICENSE.txt +1 -1
data/README.md +5 -5
data/Rakefile +1 -1
data/lib/sslyze/cipher_suites.rb +176 -0
data/lib/sslyze/program.rb +8 -8
data/lib/sslyze/task.rb +40 -33
data/lib/sslyze/version.rb +1 -1
data/lib/sslyze/{certificate/domain_name.rb → x509/domain.rb} +5 -3
data/lib/sslyze/x509/extension.rb +15 -0
data/lib/sslyze/x509/extension_set.rb +140 -0
data/lib/sslyze/x509/extensions.rb +6 -0
data/lib/sslyze/x509/extensions/basic_constraints.rb +41 -0
data/lib/sslyze/x509/extensions/certificate_policies.rb +108 -0
data/lib/sslyze/x509/extensions/crl_distribution_points.rb +47 -0
data/lib/sslyze/x509/extensions/extended_key_usage.rb +58 -0
data/lib/sslyze/x509/extensions/key_usage.rb +66 -0
data/lib/sslyze/x509/extensions/subject_alt_name.rb +144 -0
data/lib/sslyze/x509/name.rb +194 -0
data/lib/sslyze/x509/public_key.rb +53 -0
data/lib/sslyze/xml.rb +26 -37
data/lib/sslyze/xml/attributes.rb +5 -0
data/lib/sslyze/xml/attributes/error.rb +30 -0
data/lib/sslyze/xml/attributes/exception.rb +30 -0
data/lib/sslyze/xml/attributes/is_supported.rb +29 -0
data/lib/sslyze/xml/attributes/is_vulnerable.rb +29 -0
data/lib/sslyze/xml/attributes/title.rb +31 -0
data/lib/sslyze/xml/certinfo.rb +67 -0
data/lib/sslyze/xml/certinfo/certificate.rb +202 -0
data/lib/sslyze/xml/certinfo/certificate_validation.rb +69 -0
data/lib/sslyze/xml/certinfo/certificate_validation/hostname_validation.rb +54 -0
data/lib/sslyze/xml/certinfo/certificate_validation/path_validation.rb +84 -0
data/lib/sslyze/xml/certinfo/certificate_validation/verified_certificate_chain.rb +41 -0
data/lib/sslyze/xml/certinfo/has_certificates.rb +102 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling.rb +45 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling/ocsp_response.rb +87 -0
data/lib/sslyze/xml/certinfo/received_certificate_chain.rb +48 -0
data/lib/sslyze/xml/compression.rb +33 -0
data/lib/sslyze/xml/compression/compression_method.rb +38 -0
data/lib/sslyze/xml/fallback.rb +34 -0
data/lib/sslyze/xml/fallback/tls_fallback_scsv.rb +27 -0
data/lib/sslyze/xml/heartbleed.rb +38 -0
data/lib/sslyze/xml/heartbleed/openssl_heartbleed.rb +29 -0
data/lib/sslyze/xml/http_headers.rb +42 -0
data/lib/sslyze/xml/http_headers/http_public_key_pinning.rb +121 -0
data/lib/sslyze/xml/http_headers/http_strict_transport_security.rb +59 -0
data/lib/sslyze/xml/invalid_target.rb +33 -0
data/lib/sslyze/xml/openssl_ccs.rb +34 -0
data/lib/sslyze/xml/openssl_ccs/openssl_ccs_injection.rb +26 -0
data/lib/sslyze/xml/plugin.rb +27 -0
data/lib/sslyze/xml/protocol.rb +143 -0
data/lib/sslyze/xml/protocol/cipher_suite.rb +93 -0
data/lib/sslyze/xml/protocol/cipher_suite/key_exchange.rb +127 -0
data/lib/sslyze/xml/reneg.rb +28 -0
data/lib/sslyze/xml/reneg/session_renegotiation.rb +51 -0
data/lib/sslyze/xml/resum.rb +42 -0
data/lib/sslyze/xml/resum/session_resumption_with_session_ids.rb +94 -0
data/lib/sslyze/xml/resum/session_resumption_with_tls_tickets.rb +69 -0
data/lib/sslyze/xml/resum_rate.rb +30 -0
data/lib/sslyze/xml/target.rb +371 -0
data/lib/sslyze/xml/types.rb +19 -0
data/ruby-sslyze.gemspec +3 -3
data/spec/spec_helper.rb +2 -4
data/spec/sslyze.xml +2356 -2580
data/spec/x509/domain_spec.rb +125 -0
data/spec/x509/extension_set_spec.rb +208 -0
data/spec/x509/extension_spec.rb +58 -0
data/spec/x509/extensions/basic_constraints_spec.rb +41 -0
data/spec/x509/extensions/certificate_policies_spec.rb +38 -0
data/spec/x509/extensions/crl_distribution_points_spec.rb +38 -0
data/spec/x509/extensions/extended_key_usage_spec.rb +58 -0
data/spec/x509/extensions/key_usage_spec.rb +84 -0
data/spec/x509/extensions/subject_alt_name_spec.rb +146 -0
data/spec/x509/name_spec.rb +85 -0
data/spec/x509/public_key_spec.rb +113 -0
data/spec/xml/certinfo/certificate_spec.rb +166 -0
data/spec/xml/certinfo/certificate_validation/hostname_validation_spec.rb +23 -0
data/spec/xml/certinfo/certificate_validation/path_validation_spec.rb +107 -0
data/spec/xml/certinfo/certificate_validation/verified_certificate_chain_spec.rb +163 -0
data/spec/xml/certinfo/certificate_validation_spec.rb +40 -0
data/spec/xml/certinfo/ocsp_stapling/ocsp_response_spec.rb +61 -0
data/spec/xml/certinfo/ocsp_stapling_spec.rb +31 -0
data/spec/xml/certinfo/received_certificate_chain_spec.rb +165 -0
data/spec/xml/certinfo_spec.rb +45 -0
data/spec/xml/compression/compression_method_spec.rb +23 -0
data/spec/xml/compression_spec.rb +23 -0
data/spec/xml/heartbleed/openssl_heartbleed_spec.rb +17 -0
data/spec/xml/heartbleed_spec.rb +37 -0
data/spec/xml/http_headers/http_public_key_pinning_spec.rb +73 -0
data/spec/xml/http_headers/http_strict_transport_security_spec.rb +107 -0
data/spec/xml/http_headers_spec.rb +63 -0
data/spec/xml/invalid_target_spec.rb +23 -0
data/spec/xml/plugin_examples.rb +14 -0
data/spec/{key_exchange_spec.rb → xml/protocol/cipher_suite/key_exchange_spec.rb} +9 -3
data/spec/xml/protocol/cipher_suite_spec.rb +66 -0
data/spec/xml/protocol_spec.rb +115 -0
data/spec/xml/reneg/session_renegotiation_spec.rb +23 -0
data/spec/xml/reneg_spec.rb +35 -0
data/spec/xml/resum/session_resumption_with_session_ids_spec.rb +103 -0
data/spec/xml/resum/session_resumption_with_tls_tickets_spec.rb +121 -0
data/spec/xml/resum_rate_spec.rb +30 -0
data/spec/xml/resum_spec.rb +47 -0
data/spec/{target_spec.rb → xml/target_spec.rb} +73 -27
data/spec/xml_spec.rb +13 -21
metadata +138 -61
data/lib/sslyze/cert_info.rb +0 -57
data/lib/sslyze/certificate.rb +0 -139
data/lib/sslyze/certificate/extensions.rb +0 -127
data/lib/sslyze/certificate/extensions/authority_information_access.rb +0 -38
data/lib/sslyze/certificate/extensions/extension.rb +0 -26
data/lib/sslyze/certificate/extensions/x509v3_basic_constraints.rb +0 -60
data/lib/sslyze/certificate/extensions/x509v3_certificate_policies.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_crl_distribution_points.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_extended_key_usage.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_key_usage.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_subject_alternative_name.rb +0 -71
data/lib/sslyze/certificate/issuer.rb +0 -56
data/lib/sslyze/certificate/public_key.rb +0 -9
data/lib/sslyze/certificate/subject.rb +0 -117
data/lib/sslyze/certificate/subject_public_key_info.rb +0 -53
data/lib/sslyze/certificate/validity.rb +0 -9
data/lib/sslyze/certificate_chain.rb +0 -89
data/lib/sslyze/certificate_validation.rb +0 -70
data/lib/sslyze/cipher_suite.rb +0 -237
data/lib/sslyze/invalid_target.rb +0 -35
data/lib/sslyze/key_exchange.rb +0 -106
data/lib/sslyze/ocsp_response.rb +0 -87
data/lib/sslyze/protocol.rb +0 -133
data/lib/sslyze/target.rb +0 -312
data/lib/sslyze/types.rb +0 -17
data/spec/cert_info_spec.rb +0 -29
data/spec/certificate/subject_name_spec.rb +0 -72
data/spec/certificate_chain_spec.rb +0 -61
data/spec/certificate_spec.rb +0 -330
data/spec/certificate_validation_spec.rb +0 -39
data/spec/cipher_suite_spec.rb +0 -50
data/spec/invalid_target_spec.rb +0 -21
data/spec/issuer_spec.rb +0 -33
data/spec/ocsp_response_spec.rb +0 -59
data/spec/protocol_spec.rb +0 -99
data/spec/subject_public_key_info_spec.rb +0 -35
data/spec/subject_spec.rb +0 -69

data/spec/xml/certinfo/certificate_spec.rb ADDED

@@ -0,0 +1,166 @@
+require 'spec_helper'
+require 'xml_examples'
+require 'sslyze/xml/certinfo/certificate'
+describe SSLyze::XML::Certinfo::Certificate do
+  include_examples "XML specs"
+  let(:xpath) { '/document/results/target/certinfo/receivedCertificateChain/certificate' }
+  subject { described_class.new(xml.at(xpath)) }
+  describe "#sha1_fingerprint" do
+    let(:expected_sha1) { 'd79f076110b39293e349ac89845b0380c19e2f8b' }
+    let(:xpath) { "#{super()}[@sha1Fingerprint='#{expected_sha1}']" }
+    it "should parse the 'sha1Fingerprint' attribute" do
+      expect(subject.sha1_fingerprint).to be == expected_sha1
+    end
+  end
+  describe "#hpkp_sha256_pin" do
+    let(:expected_hpkp_sha256) { 'pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU=' }
+    let(:xpath) { "#{super()}[@hpkpSha256Pin='#{expected_hpkp_sha256}']" }
+    it "should parse the 'hpkpSha256Pin' attribute" do
+      expect(subject.hpkp_sha256_pin).to be == expected_hpkp_sha256
+    end
+  end
+  describe "#as_pem" do
+    let(:host) { 'github.com' }
+    let(:host_pem) do
+%{-----BEGIN CERTIFICATE-----
+MIIHeTCCBmGgAwIBAgIQC/20CQrXteZAwwsWyVKaJzANBgkqhkiG9w0BAQsFADB1
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
+IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE2MDMxMDAwMDAwMFoXDTE4MDUxNzEy
+MDAwMFowgf0xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
+BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
+Ewc1MTU3NTUwMSQwIgYDVQQJExs4OCBDb2xpbiBQIEtlbGx5LCBKciBTdHJlZXQx
+DjAMBgNVBBETBTk0MTA3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMu
+MRMwEQYDVQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA54hc8pZclxgcupjiA/F/OZGRwm/ZlucoQGTNTKmBEgNsrn/mxhngWmPw
+bAvUaLP//T79Jc+1WXMpxMiz9PK6yZRRFuIo0d2bx423NA6hOL2RTtbnfs+y0PFS
+/YTpQSelTuq+Fuwts5v6aAweNyMcYD0HBybkkdosFoDccBNzJ92Ac8I5EVDUc3Or
+/4jSyZwzxu9kdmBlBzeHMvsqdH8SX9mNahXtXxRpwZnBiUjw36PgN+s9GLWGrafd
+02T0ux9Yzd5ezkMxukqEAQ7AKIIijvaWPAJbK/52XLhIy2vpGNylyni/DQD18bBP
+T+ZG1uv0QQP9LuY/joO+FKDOTler4wIDAQABo4IDejCCA3YwHwYDVR0jBBgwFoAU
+PdNQpdagre7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFIhcSGcZzKB2WS0RecO+oqyH
+IidbMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1Ud
+DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0f
+BG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
+dmVyLWcxLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTIt
+ZXYtc2VydmVyLWcxLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsG
+AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGI
+BggrBgEFBQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
+LmNvbTBSBggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp
+Z2lDZXJ0U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMB
+Af8EAjAAMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgCkuQmQtBhYFIe7E6LM
+Z3AKPDWYBPkb37jjd80OyA3cEAAAAVNhieoeAAAEAwBHMEUCIQCHHSEY/ROK2/sO
+ljbKaNEcKWz6BxHJNPOtjSyuVnSn4QIgJ6RqvYbSX1vKLeX7vpnOfCAfS2Y8lB5R
+NMwk6us2QiAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVNh
+iennAAAEAwBHMEUCIQDZpd5S+3to8k7lcDeWBhiJASiYTk2rNAT26lVaM3xhWwIg
+NUqrkIODZpRg+khhp8ag65B8mu0p4JUAmkRDbiYnRvYAdwBWFAaaL9fC7NP14b1E
+sj7HRna5vJkRXMDvlJhV1onQ3QAAAVNhieqZAAAEAwBIMEYCIQDnm3WStlvE99GC
+izSx+UGtGmQk2WTokoPgo1hfiv8zIAIhAPrYeXrBgseA9jUWWoB4IvmcZtshjXso
+nT8MIG1u1zF8MA0GCSqGSIb3DQEBCwUAA4IBAQCLbNtkxuspqycq8h1EpbmAX0wM
+5DoW7hM/FVdz4LJ3Kmftyk1yd8j/PSxRrAQN2Mr/frKeK8NE1cMji32mJbBqpWtK
+/+wC+avPplBUbNpzP53cuTMF/QssxItPGNP5/OT9Aj1BxA/NofWZKh4ufV7cz3pY
+RDS4BF+EEFQ4l5GY+yp4WJA/xSvYsTHWeWxRD1/nl62/Rd9FN2NkacRVozCxRVle
+FrBHTFxqIP6kDnxiLElBrZngtY07ietaYZVLQN/ETyqLQftsf8TecwTklbjvm8NT
+JqbaIVifYwqwNN+4lRxS3F5lNlA/il12IOgbRioLI62o8G0DaEUQgHNf8vSG
+-----END CERTIFICATE-----
+}
+    end
+    let(:xpath) { "/document/results/target[@host='#{host}']/certinfo/receivedCertificateChain/certificate" }
+    it "should parse the asPEM element" do
+      expect(subject.as_pem).to be == host_pem
+    end
+  end
+  describe "#x509" do
+    it do
+      expect(subject.x509).to be_kind_of(OpenSSL::X509::Certificate)
+    end
+  end
+  describe "#extensions" do
+    it do
+      expect(subject.extensions).to be_kind_of(SSLyze::X509::ExtensionSet)
+    end
+  end
+  describe "#issuer" do
+    it do
+      expect(subject.issuer).to be_a(SSLyze::X509::Name)
+    end
+  end
+  describe "#not_after" do
+    it do
+      expect(subject.not_after).to be_kind_of(Time)
+    end
+  end
+  describe "#not_before" do
+    it do
+      expect(subject.not_before).to be_kind_of(Time)
+    end
+  end
+  describe "#public_key" do
+    it do
+      expect(subject.public_key).to be_a(SSLyze::X509::PublicKey)
+    end
+  end
+  describe "#serial" do
+    it do
+      expect(subject.serial).to be_a(OpenSSL::BN)
+    end
+  end
+  describe "#signature_algorithm" do
+    it do
+      expect(subject.signature_algorithm).to be == 'sha256WithRSAEncryption'
+    end
+  end
+  describe "#subject" do
+    it do
+      expect(subject.subject).to be_a(SSLyze::X509::Name)
+    end
+  end
+  describe "#version" do
+    it do
+      expect(subject.version).to be 2
+    end
+  end
+  describe "#==" do
+    context "when the #as_pem matches" do
+      let(:other) { described_class.new(xml.at("#{xpath}[1]")) }
+      it { expect(subject == other).to be true }
+    end
+    context "when the #as_pem do not match" do
+      let(:other) { described_class.new(xml.at("#{xpath}[2]")) }
+      it { expect(subject == other).to be false }
+    end
+    context "when the classes do not match" do
+      let(:other) { Object.new }
+      it { expect(subject == other).to be false }
+    end
+  end
+end

data/spec/xml/certinfo/certificate_validation/hostname_validation_spec.rb ADDED

@@ -0,0 +1,23 @@
+require 'spec_helper'
+require 'xml_examples'
+require 'sslyze/xml/certinfo/certificate_validation/hostname_validation'
+describe SSLyze::XML::Certinfo::CertificateValidation::HostnameValidation do
+  include_examples "XML specs"
+  subject do
+    described_class.new(xml.at('/document/results/target/certinfo/certificateValidation/hostnameValidation'))
+  end
+  describe "#certificate_matches_server_hostname?" do
+    it "should return a Boolean value" do
+      expect(subject.certificate_matches_server_hostname?).to be true
+    end
+  end
+  describe "#server_hostname" do
+    it "should return the serverHostname attribute" do
+      expect(subject.server_hostname).to match(/^(?:\w+\.)?\w+\.com$/)
+    end
+  end
+end

data/spec/xml/certinfo/certificate_validation/path_validation_spec.rb ADDED

@@ -0,0 +1,107 @@
+require 'spec_helper'
+require 'xml_examples'
+require 'sslyze/xml/certinfo/certificate_validation/path_validation'
+describe SSLyze::XML::Certinfo::CertificateValidation::PathValidation do
+  include_examples "XML specs"
+  let(:xpath) { '/document/results/target/certinfo/certificateValidation/pathValidation' }
+  subject do
+    described_class.new(xml.at(xpath))
+  end
+  describe "#is_extended_validation_certificate?" do
+    context "when the 'isExtendedValidationCertificate' XML attribute is present" do
+      subject do
+        described_class.new(xml.at("#{xpath}[@isExtendedValidationCertificate]"))
+      end
+      it "should return a Boolean type" do
+        expect(subject.is_extended_validation_certificate?).to be(false).or(be(true))
+      end
+    end
+    context "when the 'isExtendedValidationCertificate' XML attribute is omitted" do
+      subject do
+        described_class.new(xml.at("#{xpath}[not(@isExtendedValidationCertificate)]"))
+      end
+      it { expect(subject.is_extended_validation_certificate?).to be nil }
+    end
+  end
+  describe "#trust_store_version" do
+    it "must return the 'trustStoreVersion' XML attribute" do
+      expect(subject.trust_store_version).to_not be_empty
+    end
+  end
+  describe "#using_trust_store" do
+    let(:trust_stores) { %w[Android iOS macOS Mozilla Windows] }
+    it "must return the 'usingTrustStore' XML attribute" do
+      expect(trust_stores).to include(subject.using_trust_store)
+    end
+  end
+  describe "#validation_result" do
+    context "when the 'validationResult' attribute is set" do
+      subject do
+        described_class.new(xml.at("#{xpath}[@validationResult]"))
+      end
+      it "must return the 'validationResult' XML element" do
+        expect(subject.validation_result).to be == :ok
+      end
+    end
+    context "when the 'validationResult' attribute is not set" do
+      subject do
+        described_class.new(xml.at("#{xpath}[not(@validationResult)]"))
+      end
+      it "must return the 'validationResult' XML element" do
+        pending "need an example without the 'validationResult' XML attribute"
+        expect(subject.validation_result).to be nil
+      end
+    end
+  end
+  describe "#ok?" do
+    context "when the 'validationResult' attribute is set" do
+      context "and is 'ok'" do
+        subject do
+          described_class.new(xml.at("#{xpath}[@validationResult=\"ok\"]"))
+        end
+        it { expect(subject.ok?).to be true }
+      end
+      context "but is not 'ok'" do
+        subject do
+          described_class.new(xml.at("#{xpath}[not(@validationResult=\"ok\")]"))
+        end
+        it do
+          pending "need an example where the 'validationResult' isn't 'ok'"
+          expect(subject.ok?).to be false
+        end
+      end
+    end
+    context "when the 'validationResult' attribute is not set" do
+      subject do
+        described_class.new(xml.at("#{xpath}[not(@validationResult)]"))
+      end
+      it "must return the 'validationResult' XML element" do
+        pending "need an example without the 'validationResult' XML attribute"
+        expect(subject.ok?).to be nil
+      end
+    end
+  end
+end

data/spec/xml/certinfo/certificate_validation/verified_certificate_chain_spec.rb ADDED

@@ -0,0 +1,163 @@
+require 'spec_helper'
+require 'xml_examples'
+require 'sslyze/xml/certinfo/certificate_validation/verified_certificate_chain'
+describe SSLyze::XML::Certinfo::CertificateValidation::VerifiedCertificateChain do
+  include_examples "XML specs"
+  let(:xpath) { '/document/results/target/certinfo/certificateValidation/verifiedCertificateChain' }
+  subject { described_class.new(xml.at(xpath)) }
+  describe "#has_sha1_signed_certificate?" do
+    it "should return a Boolean value" do
+      expect(subject.has_sha1_signed_certificate?).to be(true).or(be(false))
+    end
+  end
+  describe "#each_certificate" do
+    context "when at least one 'certificate' XML child exists" do
+      let(:xpath) { "#{super()}[certificate]" }
+      let(:xpath_count) { xml.at(xpath).xpath('certificate').count }
+      it "should yield successive Certificate objects" do
+        expect { |b|
+          subject.each_certificate(&b)
+        }.to yield_successive_args(
+          *Array.new(xpath_count,SSLyze::XML::Certinfo::Certificate)
+        )
+      end
+    end
+    context "when no 'certificate' XML children exist" do
+      let(:xpath) { "#{super()}[not(./certificate)]" }
+      it "should not yield control" do
+        pending "need an example with no 'certificate' XML children"
+        expect { |b|
+          subject.each_certificate(&b)
+        }.to_not yield_control
+      end
+    end
+  end
+  describe "#certificates" do
+    context "when at least one 'certificate' XML child exists" do
+      let(:xpath) { "#{super()}[certificate]" }
+      let(:xpath_count) { xml.at(xpath).xpath('certificate').count }
+      it do
+        expect(subject.certificates).to be_a(Array).and(
+          all(be_kind_of(SSLyze::XML::Certinfo::Certificate))
+        )
+      end
+    end
+    context "when no 'certificate' XML children exist" do
+      let(:xpath) { "#{super()}[not(./certificate)]" }
+      it do
+        pending "need an example with no 'certificate' XML children"
+        expect(subject.certificates).to be_empty
+      end
+    end
+  end
+  describe "#leaf" do
+    context "when at least one 'certificate' XML child exists" do
+      let(:xpath) { "#{super()}[certificate]" }
+      it do
+        expect(subject.leaf).to be_a(SSLyze::XML::Certinfo::Certificate)
+      end
+      it "should select the first 'certificate' XML child" do
+        expect(subject.leaf).to be == \
+          SSLyze::XML::Certinfo::Certificate.new(xml.at("#{xpath}/certificate[1]"))
+      end
+    end
+    context "when no 'certificate' XML children exist" do
+      let(:xpath) { "#{super()}[not(./certificate)]" }
+      it do
+        pending "need an example with no 'certificate' XML children"
+        expect(subject.leaf).to be nil
+      end
+    end
+  end
+  describe "#each_intermediate" do
+    context "when there are more than two 'certificate' XML children" do
+      let(:xpath) { "#{super()}[count(certificate) > 2]" }
+      it "should yield the intermediate certificates" do
+        expect { |b|
+          subject.each_intermediate(&b)
+        }.to yield_successive_args(
+          SSLyze::XML::Certinfo::Certificate
+        )
+      end
+    end
+    context "when there are two or fewer 'certificate' XML children" do
+      let(:xpath) { "#{super()}[count(certificate) <= 2]" }
+      it "should not yield anything" do
+        pending "<vertifiedCertificateChain/> does not appear to ever have two or fewer <certificate/> children"
+        expect { |b|
+          subject.each_intermediate(&b)
+        }.to_not yield_control
+      end
+    end
+  end
+  describe "#intermediates" do
+    context "when there are more than two 'certificate' XML children" do
+      let(:xpath) { "#{super()}[count(certificate) > 2]" }
+      it "should yield the intermediate certificates" do
+        expect(subject.intermediates).to be_a(Array).and(all(be_kind_of(SSLyze::XML::Certinfo::Certificate)))
+      end
+    end
+    context "when there are two or fewer 'certificate' XML children" do
+      let(:xpath) { "#{super()}[count(certificate) <= 2]" }
+      it "should not yield anything" do
+        pending "<vertifiedCertificateChain/> does not appear to ever have two or fewer <certificate/> children"
+        expect(subject.intermediates).to be_empty
+      end
+    end
+  end
+  describe "#root" do
+    context "when at least one 'certificate' XML child exists" do
+      let(:xpath) { "#{super()}[certificate]" }
+      it do
+        expect(subject.root).to be_a(SSLyze::XML::Certinfo::Certificate)
+      end
+      it "should select the last 'certificate' XML child" do
+        expect(subject.root).to be == \
+          SSLyze::XML::Certinfo::Certificate.new(xml.at("#{xpath}/certificate[last()]"))
+      end
+    end
+    context "when no 'certificate' XML children exist" do
+      let(:xpath) { "#{super()}[not(./certificate)]" }
+      it do
+        pending "need an example with no 'certificate' XML children"
+        expect(subject.root).to be nil
+      end
+    end
+  end
+end