diff --git a/common/util.c b/common/util.c
index ed5f696f..874a4646 100644
--- a/common/util.c
+++ b/common/util.c
@@ -385,6 +385,7 @@ bool read_public_key(uint8_t *buf, size_t len, yh_algorithm *algo,
   }
 
   if(BIO_write(bio, buf, len) <= 0) {
+    BIO_free_all(bio);
     return false;
   }
 
diff --git a/src/commands.c b/src/commands.c
index 1ed5dc43..6e74d6f1 100644
--- a/src/commands.c
+++ b/src/commands.c
@@ -1158,7 +1158,6 @@ int yh_com_get_pubkey(yubihsm_context *ctx, Argument *argv, cmd_format in_fmt,
     BIO *bio = BIO_new_fp(ctx->out, BIO_NOCLOSE);
     if (bio == NULL) {
       fprintf(stderr, "Unable to allocate BIO\n");
-      BIO_free_all(b64);
       error = true;
       goto getpk_base64_cleanup;
     }
@@ -1169,13 +1168,11 @@ int yh_com_get_pubkey(yubihsm_context *ctx, Argument *argv, cmd_format in_fmt,
 
     if (BIO_flush(bio) != 1) {
       fprintf(stderr, "Unable to flush BIO\n");
-      BIO_free_all(b64);
-      BIO_free_all(bio);
       error = true;
       goto getpk_base64_cleanup;
     }
-    (void) BIO_free_all(bio);
   getpk_base64_cleanup:
+    (void) BIO_free_all(b64);
     if (error) {
       EVP_PKEY_free(public_key);
       return -1;
@@ -1269,7 +1266,6 @@ int yh_com_get_device_pubkey(yubihsm_context *ctx, Argument *argv,
     if (BIO_flush(bio) != 1) {
       fprintf(stderr, "Unable to flush BIO\n");
       BIO_free_all(b64);
-      BIO_free_all(bio);
       error = true;
       goto getdpk_base64_cleanup;
     }
@@ -3098,7 +3094,6 @@ int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
 
   uint8_t data[YH_MSG_BUF_SIZE + 1024] = {0};
   size_t response_len = sizeof(data);
-  size_t in_len = 4 + 256; // 4 bytes time stamp + 256 bytes signature
 
   if (argv[4].len > YH_MSG_BUF_SIZE) {
     fprintf(stderr, "Failed to sign ssh certificate: %s\n",
@@ -3112,7 +3107,7 @@ int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
   yh_rc yrc = yh_util_sign_ssh_certificate(argv[0].e, argv[1].w, argv[2].w,
                                            argv[3].a, data, argv[4].len,
                                            data + argv[4].len, &response_len);
-  if (yrc != YHR_SUCCESS || response_len == 0) {
+  if (yrc != YHR_SUCCESS) {
     fprintf(stderr, "Failed to get certificate signature: %s\n",
             yh_strerror(yrc));
     return -1;
@@ -3135,7 +3130,8 @@ int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
 
   int ret = 0;
   (void) BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
-  if (BIO_write(bio, data + in_len, argv[4].len + response_len - in_len) <= 0) {
+  if (BIO_write(bio, data + 4 + 256, argv[4].len + response_len - 4 - 256) <=
+      0) { // TODO(adma): FIXME, unmagify
     fprintf(stderr, "Failed to sign SSH certificate.\n");
     ret = -1;
     goto clean_bio;