diff --git a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
index cf4c9e953..9aa3ff91d 100644
--- a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
+++ b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
@@ -1,2 +1,3 @@
-API changes
- * x509 certificate parse functionality is extended with the possibility of extracting SignatureKeyId and AuthorityKeyId fields
+Features
+ * When parsing X.509 certificates, support the extensions
+ SignatureKeyIdentifier and AuthorityKeyIdentifier.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e7a98dd62..8cb78e553 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -608,6 +608,11 @@ static int x509_get_subject_key_id(unsigned char **p,
 *p += len;
 }
+ if (*p != end) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
 return 0;
 }
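Review bot: The new trailing-data check in x509_get_subject_key_id builds its error code with a bare `+`; if the rest of this file combines errors through the library's `MBEDTLS_ERROR_ADD()` helper, write it as `return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);` so every combined code goes through the same path. The check also deserves a one-line comment saying why it is there, for example `/* Reject trailing bytes after the keyIdentifier OCTET STRING. */`, because a strict-DER rejection like this is easy to remove later as apparently redundant. No negative test vector (an extension value with extra bytes after the key identifier) is visible in this diff; one should accompany the change so that the rejection is pinned. The function body starts outside the hunk, so this assumes `end` marks the end of the extension value rather than of a larger enclosing structure.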