diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index e11bd90e1..452ea31f6 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -285,7 +285,8 @@ int x509_get_rsassa_pss_params( const x509_buf *params,
 #endif
 int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig );
 int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params,
-                      md_type_t *md_alg, pk_type_t *pk_alg );
+                      md_type_t *md_alg, pk_type_t *pk_alg,
+                      void **sig_opts );
 int x509_get_time( unsigned char **p, const unsigned char *end,
                    x509_time *time );
 int x509_get_serial( unsigned char **p, const unsigned char *end,
diff --git a/include/polarssl/x509_crl.h b/include/polarssl/x509_crl.h
index 81d4734a4..5c4564a45 100644
--- a/include/polarssl/x509_crl.h
+++ b/include/polarssl/x509_crl.h
@@ -92,8 +92,9 @@ typedef struct _x509_crl
     x509_buf sig_oid2;
     x509_buf sig;
     md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
-    pk_type_t sig_pk            /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
+    pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */
 #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+    void *sig_opts;             /**< Signature options to be passed to pk_verify_ext(), eg for RSASSA-PSS */
     x509_buf sig_params;        /**< Parameters for the signature algorithm */
 #endif
 
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index 09cc9829b..86686316c 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -92,8 +92,9 @@ typedef struct _x509_crt
     x509_buf sig_oid2;          /**< Signature algorithm. Must match sig_oid1. */
     x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
     md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
-    pk_type_t sig_pk            /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
+    pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */
 #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+    void *sig_opts;             /**< Signature options to be passed to pk_verify_ext(), eg for RSASSA-PSS */
     x509_buf sig_params;        /**< Parameters for the signature algorithm */
 #endif
 
diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h
index af3f226c8..28ddedaae 100644
--- a/include/polarssl/x509_csr.h
+++ b/include/polarssl/x509_csr.h
@@ -66,8 +66,9 @@ typedef struct _x509_csr
     x509_buf sig_oid;
     x509_buf sig;
     md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
-    pk_type_t sig_pk        /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
+    pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */
 #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+    void *sig_opts;             /**< Signature options to be passed to pk_verify_ext(), eg for RSASSA-PSS */
     x509_buf sig_params;        /**< Parameters for the signature algorithm */
 #endif
 }
diff --git a/library/x509.c b/library/x509.c
index 8e53eb798..ffa798052 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -559,25 +559,37 @@ int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig )
  * Get signature algorithm from alg OID and optional parameters
  */
 int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params,
-                      md_type_t *md_alg, pk_type_t *pk_alg )
+                      md_type_t *md_alg, pk_type_t *pk_alg,
+                      void **sig_opts )
 {
     int ret;
 
+    if( *sig_opts != NULL )
+        return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
+
     if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
         return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
 
 #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
     if( *pk_alg == POLARSSL_PK_RSASSA_PSS )
     {
-        int salt_len;
-        md_type_t mgf_md;
+        pk_rsassa_pss_options *pss_opts;
+
+        pss_opts = polarssl_malloc( sizeof( pk_rsassa_pss_options ) );
+        if( pss_opts == NULL )
+            return( POLARSSL_ERR_X509_MALLOC_FAILED );
 
-        /* Make sure params are valid */
         ret = x509_get_rsassa_pss_params( sig_params,
-                                          md_alg, &mgf_md, &salt_len );
+                                          md_alg,
+                                          &pss_opts->mgf1_hash_id,
+                                          &pss_opts->expected_salt_len );
         if( ret != 0 )
+        {
+            polarssl_free( pss_opts );
             return( ret );
+        }
 
+        *sig_opts = (void *) pss_opts;
     }
     else
 #endif
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 986fc26d4..2d6b50d1d 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -398,7 +398,8 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
     }
 
     if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params,
-                                  &crl->sig_md, &crl->sig_pk ) ) != 0 )
+                                  &crl->sig_md, &crl->sig_pk,
+                                  &crl->sig_opts ) ) != 0 )
     {
         x509_crl_free( crl );
         return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
@@ -726,6 +727,10 @@ void x509_crl_free( x509_crl *crl )
 
     do
     {
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+        polarssl_free( crl_cur->sig_opts );
+#endif
+
         name_cur = crl_cur->issuer.next;
         while( name_cur != NULL )
         {
diff --git a/library/x509_crt.c b/library/x509_crt.c
index fbc3989c7..7e5de1d67 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -616,7 +616,8 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
     }
 
     if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &sig_params,
-                                  &crt->sig_md, &crt->sig_pk ) ) != 0 )
+                                  &crt->sig_md, &crt->sig_pk,
+                                  &crt->sig_opts ) ) != 0 )
     {
         x509_crt_free( crt );
         return( ret );
@@ -1961,6 +1962,10 @@ void x509_crt_free( x509_crt *crt )
     {
         pk_free( &cert_cur->pk );
 
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+        polarssl_free( cert_cur->sig_opts );
+#endif
+
         name_cur = cert_cur->issuer.next;
         while( name_cur != NULL )
         {
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 082e46191..4dd623a6a 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -255,7 +255,8 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen )
     }
 
     if( ( ret = x509_get_sig_alg( &csr->sig_oid, &sig_params,
-                                  &csr->sig_md, &csr->sig_pk ) ) != 0 )
+                                  &csr->sig_md, &csr->sig_pk,
+                                  &csr->sig_opts ) ) != 0 )
     {
         x509_csr_free( csr );
         return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
@@ -425,6 +426,10 @@ void x509_csr_free( x509_csr *csr )
 
     pk_free( &csr->pk );
 
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+    polarssl_free( csr->sig_opts );
+#endif
+
     name_cur = csr->subject.next;
     while( name_cur != NULL )
     {