diff --git a/src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c b/src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c
index 74522f7..b0f2f94 100644
--- a/src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c
+++ b/src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c
@@ -46,6 +46,7 @@ int der_decode_subject_public_key_info(const unsigned char *in, unsigned long in
 
    LTC_ARGCHK(in    != NULL);
    LTC_ARGCHK(inlen != 0);
+   LTC_ARGCHK(public_key_len != NULL);
 
    err = pk_get_oid(algorithm, &oid);
    if (err != CRYPT_OK) {
@@ -63,8 +64,8 @@ int der_decode_subject_public_key_info(const unsigned char *in, unsigned long in
    LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, tmpoid, sizeof(tmpoid)/sizeof(tmpoid[0]));
    LTC_SET_ASN1(alg_id, 1, parameters_type, parameters, parameters_len);
 
-   /* the actual format of the SSL DER key is odd, it stores a RSAPublicKey in a **BIT** string ... so we have to extract it
-      then proceed to convert bit to octet
+   /* the actual format of the SSL DER key is odd, it stores a RSAPublicKey
+    * in a **BIT** string ... so we have to extract it then proceed to convert bit to octet
     */
    LTC_SET_ASN1(subject_pubkey, 0, LTC_ASN1_SEQUENCE, alg_id, 2);
    LTC_SET_ASN1(subject_pubkey, 1, LTC_ASN1_RAW_BIT_STRING, tmpbuf, MAX_RSA_SIZE*8);
@@ -74,6 +75,13 @@ int der_decode_subject_public_key_info(const unsigned char *in, unsigned long in
            goto LBL_ERR;
    }
 
+   if ((alg_id[0].size != oid.OIDlen) ||
+       memcmp(oid.OID, alg_id[0].data, oid.OIDlen * sizeof(oid.OID[0]))) {
+        /* OID mismatch */
+        err = CRYPT_PK_INVALID_TYPE;
+        goto LBL_ERR;
+   }
+
    len = subject_pubkey[1].size/8;
    if (*public_key_len > len) {
        memcpy(public_key, subject_pubkey[1].data, len);