RFC-5280 has somewhat complicated rules on whether the Subject may be empty. On gnupg-users a problem was described with a Sectigo issued certificate. This is the first cert I have seen with empty Subject and critical marked altSubjectName. This is valid but not supported by LibKSBA.

We need to properly parse such a cert and make sure that gpgsm can work with it.