Make sure that one of full_name, relative_name or crl_issuer is set i…

[mathiasertl]

Noticed that it's possible to create Distribution Points with no full name, relative name or issuer:

>>> x509.DistributionPoint(None, None, None, None)
<DistributionPoint(full_name=None, relative_name=None, reasons=None, crl_issuer=None)>

RFC 5280, section 4.2.1.13 says:

... either distributionPoint or cRLIssuer MUST be present.

[alex]

Looks like there's a coverage issue, presumabely because some other test case is now triggering this check?

[mathiasertl]

Just checking this. Discovered that there is a similar check further down in the constructor:

        if reasons and not crl_issuer and not (full_name or relative_name):
            raise ValueError(
                "You must supply crl_issuer, full_name, or relative_name when "
                "reasons is not None"
            )

... and the test_reason_only test would no longer reach these lines.

Now rereading RFC5280 to see if there is any basis for the above (none on my second read...)

[mathiasertl]

Ah, hmm, the preceeding line says

a DistributionPoint MUST NOT consist of only the reasons field;

so the check now not covered is a valid check, strictly speaking. But the new check is still valid and covers the "only reasons flags" as well. If you agree, I would remove the check in line 633 (and leave the test).

[alex]

Works for me.

[mathiasertl]

done. Thanks for reviewing!