author: David Benjamin <davidben@google.com> 2020-06-24 21:50:49 -0400
committer: GitHub <noreply@github.com> 2020-06-24 21:50:49 -0400
commit: 3f4944d4e5836bd87e6a9193eb37d651eafd8b68
tree: f555be9235bd772fdd3a28b23c438ba0654ebd06 /tests
parent: 33c2e55930c16fa77147ef89672a588cfe03e9d9
Fix up crl_delta_crl_indicator.pem. (#5283)
The CRL is missing a CRL number and should mark the delta CRL extension as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.

> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer requirements and verifier requirements, but test certificates should conform to issuer requirements where possible, in case the underlying library becomes stricter.

Section 5.2.4 includes further text which implies a delta CRL without a CRL number is unusable for a verifier anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
> (d) The CRL number of the complete CRL is less than the CRL number
> of the delta CRL. That is, the delta CRL follows the complete
> CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem. The test does not care, and it is unclear which key to sign it with.
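The issuer rules quoted in the commit message, as an added example (not code from the cryptography project or from the commit author): it builds constructed CRLs with the library's public builder API and reports which of the quoted requirements each one breaks. The helper names, CA name, throwaway key and CRL numbers are assumptions made for illustration, and only condition (d) is checked because it is the only combining condition the message quotes.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def issuer_violations(crl):
    """Return the RFC 5280 issuer rules quoted above that this CRL breaks."""
    problems = []
    try:
        num = crl.extensions.get_extension_for_class(x509.CRLNumber)
        if num.critical:
            problems.append("CRL number marked critical (5.2.3)")
    except x509.ExtensionNotFound:
        problems.append("CRL number missing (5.2.3)")
    try:
        dci = crl.extensions.get_extension_for_class(x509.DeltaCRLIndicator)
        if not dci.critical:
            problems.append("delta CRL indicator not critical (5.2.4)")
    except x509.ExtensionNotFound:
        pass  # a complete CRL, so the 5.2.4 rule does not apply
    return problems


def satisfies_condition_d(complete, delta):
    """Condition (d) only: complete CRL number < delta CRL number."""
    def number(c):
        return c.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    return number(complete) < number(delta)


def build_crl(key, extensions):
    """Sign a constructed, empty CRL carrying (extension, critical) pairs."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    day = datetime.datetime(2020, 6, 24)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name)
               .last_update(day).next_update(day + datetime.timedelta(days=1)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return builder.sign(key, hashes.SHA256())


KEY = ec.generate_private_key(ec.SECP256R1())  # throwaway key, not a project key
COMPLETE = build_crl(KEY, [(x509.CRLNumber(1), False)])
DELTA_OK = build_crl(KEY, [(x509.CRLNumber(2), False), (x509.DeltaCRLIndicator(1), True)])
# Constructed to match the defects the commit message describes in the old fixture.
DELTA_OLD = build_crl(KEY, [(x509.DeltaCRLIndicator(1), False)])
```

Calling `satisfies_condition_d` with `DELTA_OLD` raises `x509.ExtensionNotFound`, which is the "unusable for a verifier" case the message points out.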
Diffstat (limited to 'tests')
-rw-r--r-- tests/x509/test_x509.py 2
1 files changed, 1 insertions, 1 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 38fe6bf8b..35089c508 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -307,7 +307,7 @@ class TestCertificateRevocationList(object):
ExtensionOID.DELTA_CRL_INDICATOR
)
assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
- assert dci.critical is False
+ assert dci.critical is True
def test_signature(self, backend):
crl = _load_cert(
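Review bot: the flipped assertion on `dci.critical` pins only half of the fixture change; the commit message says the CRL was also missing a CRL number, which RFC 5280 section 5.2.3 requires to be present and non-critical, and nothing in this hunk checks for it. Consider looking up ExtensionOID.CRL_NUMBER next to the DELTA_CRL_INDICATOR lookup and asserting that its `critical` is False, so a later regeneration of crl_delta_crl_indicator.pem cannot silently drop the extension. Because the commit message states that the signature in the fixture was not regenerated, a short comment at this test noting that the file must not be used for signature verification would also help future readers.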