# HG changeset patch
# User David Benjamin <davidben@google.com>
# Date 1593049849 14400
#      Wed Jun 24 21:50:49 2020 -0400
# Node ID 26178d7b046af04862530d2e19d3093091b61119
# Parent  18198361c47ec505ea5a3aa4bdb4fe7229c98bc3
Fix up crl_delta_crl_indicator.pem. (#5283)

The CRL is missing a CRL number and should mark the delta CRL extension
as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.

> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer
requirements and verifier requirements, but test certificates should
conform to issuer requirements where possible, in case the underly
library becomes stricter. Section 5.2.4 includes further text which
implies a delta CRL without a CRL number is unusable for a verifier
anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
>   (d)  The CRL number of the complete CRL is less than the CRL number
>        of the delta CRL.  That is, the delta CRL follows the complete
>        CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem.
The test does not care, and it is unclear which key to sign it with.

diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -307,7 +307,7 @@
             ExtensionOID.DELTA_CRL_INDICATOR
         )
         assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
-        assert dci.critical is False
+        assert dci.critical is True
 
     def test_signature(self, backend):
         crl = _load_cert(
diff --git a/vectors/cryptography_vectors/x509/custom/crl_delta_crl_indicator.pem b/vectors/cryptography_vectors/x509/custom/crl_delta_crl_indicator.pem
--- a/vectors/cryptography_vectors/x509/custom/crl_delta_crl_indicator.pem
+++ b/vectors/cryptography_vectors/x509/custom/crl_delta_crl_indicator.pem
@@ -1,11 +1,11 @@
 -----BEGIN X509 CRL-----
-MIIBfTBnAgEBMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEmNyeXB0b2dyYXBo
-eS5pbyBDQRcNMDIwMTAxMTIwMTAwWhcNMzAwMTAxMTIwMTAwWqAWMBQwEgYDVR0b
-BAsCCQCrVKmM6x8K0jANBgkqhkiG9w0BAQsFAAOCAQEAUEE3Z8rgIZYo1YK0wZ2X
-bz9NnnE/X1YZQZ/IO/mSsz/k2d5XhLwa53zMlvX7J3UFEjEp+82b+gCMvgpJzTBq
-a/XnifnA8lnFJmPiLB1JgRm2/GsXxkws3ziH5D/6yRdV3MDRQzRg610GayF+LfrF
-74kMns0a1TaOfRhw1APiDvJLngElvcutBS3/mgr+SPPdDgFJ++PSrWOdAw4vo4HH
-TTxduelWWDag2Bg0L90Td8Cdv57jgbCjSwWPSLqfwq674cDxotYABqtLg1Q5jeg2
-GIzEZqYXWvxMc87pQLRwrxG2+U4p+hDpx3TTIn2uyxDTihXvWKmiqzpOiXJKixe5
-Jw==
+MIIBlDB+AgEBMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEmNyeXB0b2dyYXBo
+eS5pbyBDQRcNMDIwMTAxMTIwMTAwWhcNMzAwMTAxMTIwMTAwWqAtMCswEgYDVR0U
+BAsCCQCrVKmM6x8K0zAVBgNVHRsBAf8ECwIJAKtUqYzrHwrSMA0GCSqGSIb3DQEB
+CwUAA4IBAQBQQTdnyuAhlijVgrTBnZdvP02ecT9fVhlBn8g7+ZKzP+TZ3leEvBrn
+fMyW9fsndQUSMSn7zZv6AIy+CknNMGpr9eeJ+cDyWcUmY+IsHUmBGbb8axfGTCzf
+OIfkP/rJF1XcwNFDNGDrXQZrIX4t+sXviQyezRrVNo59GHDUA+IO8kueASW9y60F
+Lf+aCv5I890OAUn749KtY50DDi+jgcdNPF256VZYNqDYGDQv3RN3wJ2/nuOBsKNL
+BY9Iup/CrrvhwPGi1gAGq0uDVDmN6DYYjMRmphda/ExzzulAtHCvEbb5Tin6EOnH
+dNMifa7LENOKFe9YqaKrOk6JckqLF7kn
 -----END X509 CRL-----