diff --git a/src/spki/certificate.h b/src/spki/certificate.h
index e4f5d5096ef3a0c08aaaf66462bb172d360d1e9d..a45d1050f19423d3df9dc39e1bb8f16c35e38d0e 100644
--- a/src/spki/certificate.h
+++ b/src/spki/certificate.h
@@ -34,8 +34,9 @@
 
 #include <time.h>
 
-/* Real declaration in parse.h */
+/* Real declarations in parse.h */
 struct spki_iterator;
+struct spki_hash_value;
 
 /* Real declaration in tag.c */
 struct spki_tag;
@@ -274,8 +275,7 @@ spki_5_tuple_reduce(struct spki_acl_db *db,
 /* Signature verification */
 int
 spki_verify(void *ctx,
-	    enum spki_type digest_type,
-	    const uint8_t *digest,
+	    const struct spki_hash_value *hash,
 	    struct spki_principal *principal,
 	    struct spki_iterator *signature);
 
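Review bot: The prototype's only documentation is `/* Signature verification */`, so the new `hash` parameter has no stated contract for callers. The implementation in verify.c dereferences `hash->type` without a NULL check and returns 0 when the type or length does not match the key's algorithm, so I would say that here, for example `/* Returns nonzero iff SIGNATURE over HASH verifies under PRINCIPAL's key. HASH must be non-NULL; its type and length must match the key's digest algorithm, otherwise 0 is returned. */`. This is also an interface break for existing callers that pass `digest_type` and `digest`; none of them are visible in this diff.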
diff --git a/src/spki/verify.c b/src/spki/verify.c
index 3286fe8ce7c8d9cf01cee2462f12c9108b694b08..f59ed067a9f53da1f03fb0beade3a8df6c097ff3 100644
--- a/src/spki/verify.c
+++ b/src/spki/verify.c
@@ -89,8 +89,7 @@ spki_verify_dsa(const uint8_t *digest,
 
 int
 spki_verify(void *ctx UNUSED,
-	    enum spki_type digest_type,
-	    const uint8_t *digest,
+	    const struct spki_hash_value *hash,
 	    struct spki_principal *principal,
 	    struct spki_iterator *signature)
 {
@@ -112,17 +111,19 @@ spki_verify(void *ctx UNUSED,
   switch (spki_parse_type(&key))
     {
     case SPKI_TYPE_RSA_PKCS1_MD5:
-      return (digest_type == SPKI_TYPE_MD5
+      return (hash->type == SPKI_TYPE_MD5
+	      && hash->length == MD5_DIGEST_SIZE
 	      && signature_type == SPKI_TYPE_RSA_PKCS1_MD5
 	      && spki_verify_rsa(rsa_md5_verify_digest,
-				 digest,
+				 hash->digest,
 				 &key, signature));
 
     case SPKI_TYPE_RSA_PKCS1_SHA1:
-      return (digest_type == SPKI_TYPE_SHA1
+      return (hash->type == SPKI_TYPE_SHA1
+	      && hash->length == SHA1_DIGEST_SIZE
 	      && signature_type == SPKI_TYPE_RSA_PKCS1_SHA1
 	      && spki_verify_rsa(rsa_sha1_verify_digest, 
-				 digest,
+				 hash->digest,
 				 &key, signature));
 #if 0
     case SPKI_TYPE_RSA_PKCS1:
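Review bot: The `SPKI_TYPE_RSA_PKCS1_MD5` case still accepts MD5-based signatures, and the added `hash->length == MD5_DIGEST_SIZE` check does not change the fact that MD5 is not collision resistant. If the case has to stay, I would record that above it with a comment such as `/* MD5 is not collision resistant; consider rejecting unless explicitly enabled. */`, or gate it behind a build or runtime option. No policy for weak digests is visible in this hunk. The body of spki_verify starts and ends outside the hunk.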
@@ -143,8 +144,9 @@ spki_verify(void *ctx UNUSED,
 #endif
       
     case SPKI_TYPE_DSA_SHA1:
-      return (digest_type == SPKI_TYPE_SHA1
-	      && spki_verify_dsa(digest, &key, signature));
+      return (hash->type == SPKI_TYPE_SHA1
+	      && hash->length == SHA1_DIGEST_SIZE
+	      && spki_verify_dsa(hash->digest, &key, signature));
 
     default:
       return 0;
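Review bot: The `SPKI_TYPE_DSA_SHA1` case checks `hash->type` and `hash->length` but, unlike the two RSA cases, never compares `signature_type` with the key's type. Unless `spki_verify_dsa` checks the signature's type itself (not visible here), a signature expression tagged for another algorithm would be passed to the DSA parser. For symmetry I would add `&& signature_type == SPKI_TYPE_DSA_SHA1` before the `spki_verify_dsa` call. The assignment of `signature_type` and the rest of the function lie outside this hunk.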