diff --git a/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
index ba639f25bd46..6a9bf44e5436 100644
--- a/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
+++ b/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
@@ -134,6 +134,40 @@ TEST(pkixchekc_CheckKeyusage, tooManyUnusedBits)
 KeyUsage::digitalSignature));
 }
 
+TEST(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
+{
+ static const uint8_t DER_BYTES[] = {
+ 0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
+ };
+ static const SECItem DER = {
+ siBuffer,
+ const_cast(DER_BYTES),
+ sizeof(DER_BYTES)
+ };
+
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+ KeyUsage::keyCertSign));
+}
+
+TEST(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
+{
+ static const uint8_t DER_BYTES[] = {
+ 0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
+ };
+ static const SECItem DER = {
+ siBuffer,
+ const_cast(DER_BYTES),
+ sizeof(DER_BYTES)
+ };
+
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+ KeyUsage::keyCertSign));
+}
+
 void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
 {
 // Test that only the right bit is accepted for the usage for both EE and CA
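Review bot: Neither new test says why its input must be rejected, and the two inputs are bad for different reasons. In `NoValueBytes_NoPaddingBits` the BIT STRING is well-formed but empty, so no usage bit is asserted, which RFC 5280 forbids when the extension is present; in `NoValueBytes_7PaddingBits` the encoding itself is invalid, because an empty BIT STRING cannot declare unused bits. I would put a one-line comment above each `DER_BYTES`, for example `// Valid DER, but no key usage bit is set` and `// Invalid DER: unused bits declared with no value bytes`. `ASSERT_BAD` is defined outside this hunk; if it accepts any failure, both tests would still pass when the input is rejected for an unrelated reason, so asserting the specific error would pin the intended check. As shown, `const_cast(DER_BYTES)` carries no target type, which was probably lost when the page was extracted and should be confirmed against the tree.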