bc-java
Bouncy Castle 1.80 accepted a CRL file with an invalid AKI extension.
RFC 5280 specifies that the AKI extension (Authority Key Identifier) identifies the issuing key either through keyIdentifier or through the combination of authorityCertIssuer and authorityCertSerialNumber. That is, authorityCertIssuer and authorityCertSerialNumber must either both be present or both be absent. However, I was able to successfully parse a CRL file whose AKI extension contains only the authorityCertSerialNumber field using Bouncy Castle 1.80.
Code:
import java.io.InputStream;
import java.io.FileInputStream;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ASN1OctetStringParser;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.*;
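public class CRLParserExample_aki_serial {
    /**
     * Reproduction harness for a CRL whose Authority Key Identifier extension
     * (OID 2.5.29.35) is structurally incomplete. RFC 5280 section 4.2.1.1
     * requires that authorityCertIssuer ([1]) and authorityCertSerialNumber ([2])
     * are either both present or both absent. This program loads a DER-encoded
     * CRL, locates the AKI extension and prints every component of the parsed
     * SEQUENCE so the tags that are actually present can be inspected.
     *
     * @param args optional path of the DER-encoded CRL; defaults to
     *             "crl_file_1.der" in the working directory
     * @throws Exception on I/O failure or when the CRL / extension cannot be
     *                   decoded (the report's point is that decoding does NOT
     *                   fail for the malformed AKI)
     */
    public static void main(String[] args) throws Exception {
        String crlPath = args.length > 0 ? args[0] : "crl_file_1.der";

        X509CRLHolder crlHolder;
        // try-with-resources: the original never closed the stream.
        try (InputStream inputStream = new FileInputStream(crlPath)) {
            crlHolder = new X509CRLHolder(inputStream);
        }

        ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("2.5.29.35"); // id-ce-authorityKeyIdentifier
        Extension extension = crlHolder.getExtension(oid);
        if (extension == null) {
            // getExtension yields null when the CRL carries no such extension;
            // the original dereferenced the result unconditionally.
            System.out.println("CRL has no Authority Key Identifier extension");
            return;
        }

        ASN1Encodable parsedValue = extension.getParsedValue();
        System.out.println(parsedValue);

        // AKI is defined as a SEQUENCE; getInstance reports a non-SEQUENCE value
        // with a descriptive error instead of a bare ClassCastException.
        ASN1Sequence sequence = ASN1Sequence.getInstance(parsedValue);
        int numElements = sequence.size();
        if (numElements == 0) {
            // The original indexed size()-1 and would throw on an empty SEQUENCE.
            System.out.println("AKI SEQUENCE is empty");
            return;
        }

        // Print every component, not only the last one, so the [0]/[1]/[2]
        // tags present can be checked against RFC 5280's both-or-neither rule
        // for authorityCertIssuer and authorityCertSerialNumber.
        for (int i = 0; i < numElements; i++) {
            System.out.println("AKI component " + i + ": " + sequence.getObjectAt(i));
        }
    }
}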
Test Case: