Allow empty x509 bundles to be sent in responses

The specification already allows this to happen: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md\#413-keys

v2/bundle/x509bundle/bundle.go

@@ -63,13 +63,14 @@ func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 // blocks.
 func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
 	bundle := New(trustDomain)
+	if len(b) == 0 {
+		return bundle, nil
+	}
+
 	certs, err := pemutil.ParseCertificates(b)
 	if err != nil {
 		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
 	}
-	if len(certs) == 0 {
-		return nil, x509bundleErr.New("no certificates found")
-	}
 	for _, cert := range certs {
 		bundle.AddX509Authority(cert)
 	}
@@ -80,13 +81,14 @@ func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
 // with no intermediate padding if there are more than one certificate)
 func ParseRaw(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
 	bundle := New(trustDomain)
+	if len(b) == 0 {
+		return bundle, nil
+	}
+
 	certs, err := x509.ParseCertificates(b)
 	if err != nil {
 		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
 	}
-	if len(certs) == 0 {
-		return nil, x509bundleErr.New("no certificates found")
-	}
 	for _, cert := range certs {
 		bundle.AddX509Authority(cert)
 	}

v2/workloadapi/client.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509"
 	"errors"
-	"fmt"
 	"time"
 
 	"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
@@ -489,9 +488,6 @@ func parseX509Bundle(spiffeID string, bundle []byte) (*x509bundle.Bundle, error)
 	if err != nil {
 		return nil, err
 	}
-	if len(certs) == 0 {
-		return nil, fmt.Errorf("empty X.509 bundle for trust domain %q", td)
-	}
 	return x509bundle.FromX509Authorities(td, certs), nil
 }