diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 00558e101..26057644c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2871,24 +2871,26 @@ static psa_status_t psa_sign_internal( mbedtls_svc_key_id_t key,
 
     *signature_length = 0;
 
-    if( operation == PSA_SIGN_MESSAGE )
+    if( operation == PSA_SIGN_INVALID )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    else
     {
         if( ! PSA_ALG_IS_SIGN_MESSAGE( alg ) )
             return( PSA_ERROR_INVALID_ARGUMENT );
 
-        if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+        if( operation == PSA_SIGN_MESSAGE )
         {
-            if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
-                return( PSA_ERROR_INVALID_ARGUMENT );
+            if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+            {
+                if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
+                    return( PSA_ERROR_INVALID_ARGUMENT );
+            }
         }
         /* Curently only hash-then-sign algorithms are supported. */
         else
             return( PSA_ERROR_INVALID_ARGUMENT );
     }
 
-    else if( operation == PSA_SIGN_INVALID )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
     /* Immediately reject a zero-length signature buffer. This guarantees
      * that signature must be a valid pointer. (On the other hand, the hash
      * buffer can in principle be empty since it doesn't actually have
@@ -2962,24 +2964,26 @@ static psa_status_t psa_verify_internal( mbedtls_svc_key_id_t key,
     psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_slot_t *slot;
 
-    if( operation == PSA_VERIFY_MESSAGE )
+    if( operation == PSA_VERIFY_INVALID )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    else
     {
         if( ! PSA_ALG_IS_SIGN_MESSAGE( alg ) )
             return( PSA_ERROR_INVALID_ARGUMENT );
 
-        if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+        if( operation == PSA_VERIFY_MESSAGE )
         {
-            if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
-                return( PSA_ERROR_INVALID_ARGUMENT );
+            if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+            {
+                if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
+                    return( PSA_ERROR_INVALID_ARGUMENT );
+            }
         }
         /* Curently only hash-then-sign algorithms are supported. */
         else
             return( PSA_ERROR_INVALID_ARGUMENT );
     }
 
-    else if( operation == PSA_VERIFY_INVALID )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
     status = psa_get_and_lock_key_slot_with_policy(
                 key, &slot,
                 operation == PSA_VERIFY_HASH ? PSA_KEY_USAGE_VERIFY_HASH :