fix(crl): respect disabled toggle when CRL URL list is empty

When the admin disables external CRL validation
(crl_external_validation_enabled=false), an empty CRL distribution-point
list was still returning NO_URLS instead of DISABLED, causing signing to
be blocked even though the admin intended to bypass validation.

Move the toggle check before the empty-URL guard so that an empty list
is treated the same as all points being intentionally skipped.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Service/Crl/CrlRevocationChecker.php

@@ -54,12 +54,17 @@ public function validate(array $crlUrls, string $certPem): array {
 	}
 
 	private function validateFromUrlsWithDetails(array $crlUrls, string $certPem): array {
+		$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
+
 		if (empty($crlUrls)) {
+			// When external validation is disabled, treat an empty distribution-point
+			// list the same as if all points were intentionally skipped.
+			if (!$externalValidationEnabled) {
+				return ['status' => CrlValidationStatus::DISABLED];
+			}
 			return ['status' => CrlValidationStatus::NO_URLS];
 		}
 
-		$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
-
 		$accessibleUrls = 0;
 		$disabledUrls = 0;
 		foreach ($crlUrls as $crlUrl) {