Empty revokedCertificates in CRLs

[botovq]

I noticed that about 15% of CRLs in the RPKI currently contain an empty list of revoked certificates. I suspect this is a bug in either krill or rpki-rs (or both).

Per RFC 5280, section 5.1.2.6: "When there are no revoked certificates, the revoked certificates list MUST be absent."

I suspect that Revocations::to_crl_entries() returns a zero-length vector if there are no certificates to revoke

krill/src/commons/api/ca.rs

Lines 728 to 733 in 33e072e

	pub fn to_crl_entries(&self) -> Vec<CrlEntry> {
	self.0
	.iter()
	.map(|r| CrlEntry::new(r.serial, r.revocation_date))
	.collect()
	}

which rpki-rs's RevokedCertificates::encode_ref() then encodes as an empty sequence.

Presumably the TbsCertList either needs to turn the revoked_certs into an Option<C> or its encoding needs to handle the empty sequence specially.

[partim]

Thank you for the report! This should be relatively easy to fix directly in rpki-rs – if the RevokedCertifcates are empty, don’t encode the outer sequence either.

[botovq]

Fixed in #1200 which accidentally referenced the wrong issue.