crl2pkcs7 shouldn't include empty optional sets

If using crl2pkcs7 -nocrl and with no -certfiles, we shouldn't include
the implicitly tagged [0] certs and [1] crls sets as they are marked
optional and would be empty.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14781)

apps/crl2p7.c

@@ -134,19 +134,20 @@ int crl2pkcs7_main(int argc, char **argv)
 
     if (!ASN1_INTEGER_set(p7s->version, 1))
         goto end;
-    if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
-        goto end;
-    p7s->crl = crl_stack;
+
     if (crl != NULL) {
+        if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
+            goto end;
+        p7s->crl = crl_stack;
         sk_X509_CRL_push(crl_stack, crl);
         crl = NULL;             /* now part of p7 for OPENSSL_freeing */
     }
 
-    if ((cert_stack = sk_X509_new_null()) == NULL)
-        goto end;
-    p7s->cert = cert_stack;
+    if (certflst != NULL) {
+        if ((cert_stack = sk_X509_new_null()) == NULL)
+            goto end;
+        p7s->cert = cert_stack;
 
-    if (certflst != NULL)
         for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
             certfile = sk_OPENSSL_STRING_value(certflst, i);
             if (add_certs_from_file(cert_stack, certfile) < 0) {
@@ -155,6 +156,7 @@ int crl2pkcs7_main(int argc, char **argv)
                 goto end;
             }
         }
+    }
 
     out = bio_open_default(outfile, 'w', outformat);
     if (out == NULL)