diff --git a/library/x509.c b/library/x509.c
index 9869b05e5..81e30e4ac 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1328,6 +1328,8 @@ int mbedtls_x509_get_ns_cert_type(unsigned char **p,
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
 }
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
 if (bs.len == 0) {
 *ns_cert_type = 0;
 return 0;
@@ -1355,16 +1357,13 @@ int mbedtls_x509_get_key_usage(unsigned char **p,
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
 }
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
 if (bs.len == 0) {
 *key_usage = 0;
 return 0;
 }
- if (bs.len < 1) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_LENGTH);
- }
-
 /* Get actual bitstring */
 *key_usage = 0;
 for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
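Review bot: The comment added in the mbedtls_x509_get_key_usage hunk calls an all-zero bitstring "technically valid", but RFC 5280 section 4.2.1.3 requires at least one bit to be set when keyUsage is present, so the `bs.len == 0` branch is lenient handling of a non-conforming certificate rather than a valid encoding. I would say that in the comment and state the result callers rely on, e.g. `/* Accept an empty bitstring leniently (RFC 5280 4.2.1.3 wants at least one bit set):` followed by ` * key_usage is 0, so the certificate asserts no usage. */`. The identical comment in the mbedtls_x509_get_ns_cert_type hunk should drop the "designated purpose at the time of creation" wording as well and simply say that no type bits are asserted; a leading ` * ` on the continuation line would also help if that matches the file's multi-line comment style. Whether a zero value then makes later usage checks fail closed is decided outside these hunks, and both function bodies start and end outside them.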