diff --git a/src/pki.c b/src/pki.c
index 6d47a499..3b58921e 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -2460,6 +2460,7 @@ int ssh_pki_signature_verify(ssh_session session,
 size_t input_len)
 {
 int rc;
+ bool allowed;
 enum ssh_keytypes_e key_type;
 
 if (session == NULL || sig == NULL || key == NULL || input == NULL) {
@@ -2480,6 +2481,13 @@ int ssh_pki_signature_verify(ssh_session session,
 return SSH_ERROR;
 }
 
+ allowed = ssh_key_size_allowed(session, key);
+ if (!allowed) {
+ ssh_set_error(session, SSH_FATAL, "The '%s' key of size %d is not "
+ "allowd by RSA_MIN_SIZE", key->type_c, ssh_key_size(key));
+ return SSH_ERROR;
+ }
+
 /* Check if public key and hash type are compatible */
 rc = pki_key_check_hash_compatible(key, sig->hash_type);
 if (rc != SSH_OK) {
diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c
index a9867069..18b5d611 100644
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
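Review bot: The error string in the new `if (!allowed)` branch of ssh_pki_signature_verify is misspelled (`allowd`); it is the only diagnostic an operator gets when a peer key is rejected for its size, so it should be searchable: `"allowed by RSA_MIN_SIZE", key->type_c, ssh_key_size(key));`. The message also hard-codes RSA_MIN_SIZE while printing `key->type_c` generically, so if `ssh_key_size_allowed()` (not visible in this hunk) ever rejects a non-RSA key, the text would point at the wrong option. A short comment above the check, such as `/* Enforce the configured minimum key size before the hash-compatibility check */`, would record why it sits where it does. The function body starts and continues outside the hunk.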
@@ -665,6 +665,44 @@ static void torture_pki_rsa_sha2(void **state)
 ssh_free(session);
 }
 
+static void torture_pki_rsa_key_size(void **state)
+{
+ int rc;
+ ssh_key key = NULL, pubkey = NULL;
+ ssh_signature sign = NULL;
+ ssh_session session=ssh_new();
+ unsigned int length = 4096;
+
+ (void) state;
+
+ rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 2048, &key);
+ assert_true(rc == SSH_OK);
+ assert_non_null(key);
+ rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
+ assert_int_equal(rc, SSH_OK);
+ assert_non_null(pubkey);
+ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256);
+ assert_non_null(sign);
+ rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+ assert_ssh_return_code(session, rc);
+
+ /* Set the minumum RSA key size to 4k */
+ rc = ssh_options_set(session, SSH_OPTIONS_RSA_MIN_SIZE, &length);
+ assert_ssh_return_code(session, rc);
+
+ /* the verification should fail now */
+ rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+ assert_true(rc == SSH_ERROR);
+
+ ssh_signature_free(sign);
+ SSH_KEY_FREE(key);
+ SSH_KEY_FREE(pubkey);
+ key = NULL;
+ pubkey = NULL;
+
+ ssh_free(session);
+}
+
 static int test_sign_verify_data(ssh_key key,
 enum ssh_digest_e hash_type,
 const unsigned char *input,
@@ -985,6 +1023,7 @@ int torture_run_tests(void) {
 setup_rsa_key,
 teardown),
 cmocka_unit_test(torture_pki_rsa_generate_key),
+ cmocka_unit_test(torture_pki_rsa_key_size),
 #if defined(HAVE_LIBCRYPTO)
 cmocka_unit_test_setup_teardown(torture_pki_rsa_write_privkey,
 setup_rsa_key,
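Review bot: torture_pki_rsa_key_size only exercises a key far below the limit (2048 against 4096), so an off-by-one in the size comparison would pass unnoticed. Add a case where the configured minimum equals the key size and, if the limit is meant to be inclusive, assert that verification still succeeds. The result of `ssh_new()` is also used unchecked; add `assert_non_null(session);` after `(void) state;`. Using `assert_int_equal(rc, SSH_ERROR)` instead of `assert_true(rc == SSH_ERROR)` would report the actual return code on failure, and the comment typo `minumum` should read `minimum`.

```c
/* … unchanged: key generation, signing, and the 2048-vs-4096 rejection check … */

    /* A key exactly at the configured minimum should still verify */
    length = 2048;
    rc = ssh_options_set(session, SSH_OPTIONS_RSA_MIN_SIZE, &length);
    assert_ssh_return_code(session, rc);
    rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
    assert_ssh_return_code(session, rc);

/* … unchanged: cleanup of sign, key, pubkey and session … */
```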