diff --git a/src/internal.c b/src/internal.c
index 1262d1d44..eda846407 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12454,7 +12454,8 @@ void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
 name->sz = (int)XSTRLEN(name->name) + 1;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
 name->rawLen = min(dCert->subjectRawLen, ASN_NAME_MAX);
- XMEMCPY(name->raw, dCert->subjectRaw, name->rawLen);
+ if (name->rawLen > 0)
+ XMEMCPY(name->raw, dCert->subjectRaw, name->rawLen);
 #endif
 }
 else {
@@ -12464,7 +12465,7 @@ void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
 #if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) \
 && (defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT))
 name->rawLen = min(dCert->issuerRawLen, ASN_NAME_MAX);
- if (name->rawLen) {
+ if (name->rawLen > 0) {
 XMEMCPY(name->raw, dCert->issuerRaw, name->rawLen);
 }
 #endif
diff --git a/src/tls.c b/src/tls.c
index 7fa94d079..ca5159d3f 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -11212,8 +11212,10 @@ static int TLSX_ClientCertificateType_GetSize(WOLFSSL* ssl, byte msgType)
 ret = (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN);
 }
 else if (msgType == server_hello || msgType == encrypted_extensions) {
- /* sever side */
+ /* server side */
 cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;/* must be one */
+ if (cnt != 1)
+ return SANITY_MSG_E;
 ret = OPAQUE8_LEN;
 }
 else {
diff --git a/tests/api.c b/tests/api.c
index 0e2e38d95..cb309db43 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -67498,7 +67498,7 @@ static int test_tls13_rpk_handshake(void)
 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
 typeCnt_s = 2;
- /* both clien and server do not call client/server_cert_type APIs,
+ /* both client and server do not call client/server_cert_type APIs,
 * expecting default settings works and no negotiation performed. */ 
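Review bot: The new guard in the subject branch skips the copy when `name->rawLen` is not positive but still leaves that value stored in `name->rawLen`, so if `dCert->subjectRawLen` can be negative (the `> 0` comparison suggests the author allows for it) the bad length is still published to anything that later reads `name->rawLen` against `name->raw`. Clamping the stored length closes that gap: `if (name->rawLen > 0) { XMEMCPY(name->raw, dCert->subjectRaw, name->rawLen); } else { name->rawLen = 0; }`. Wrapping the copy in braces also brings this branch in line with the issuer path in the next hunk, which already puts the same XMEMCPY inside a block. CopyDecodedName starts before and continues past this hunk.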
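Review bot: The added `if (cnt != 1) return SANITY_MSG_E;` makes TLSX_ClientCertificateType_GetSize return a negative error code from a size-query path, so the caller that accumulates extension lengths must treat a negative result as a failure rather than adding it to the total; whether that accumulation site checks `ret < 0` for this extension is not visible here and should be confirmed. The server-side write routine for this extension is not in the diff and should reject `sending_ClientCertTypeCnt != 1` the same way, otherwise the advertised size and the bytes actually written can disagree. With the check now enforcing it, the trailing `/* must be one */` reads better as a why-comment, e.g. `/* server echoes back exactly one selected client cert type */`. The function body begins and ends outside the hunk.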
@@ -67520,6 +67520,9 @@ static int test_tls13_rpk_handshake(void)
 WOLFSSL_SUCCESS);
 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
+ (void)typeCnt_c;
+ (void)typeCnt_s;
+
 wolfSSL_free(ssl_c);
 wolfSSL_CTX_free(ctx_c);
 wolfSSL_free(ssl_s);
@@ -67551,7 +67554,7 @@ static int test_tls13_rpk_handshake(void)
 certType_s[1] = WOLFSSL_CERT_TYPE_X509;
 typeCnt_s = 2;
- /* both clien and server do not call client/server_cert_type APIs,
+ /* both client and server do not call client/server_cert_type APIs,
 * expecting default settings works and no negotiation performed. */
@@ -67575,6 +67578,9 @@ static int test_tls13_rpk_handshake(void)
 WOLFSSL_SUCCESS);
 ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
+ (void)typeCnt_c;
+ (void)typeCnt_s;
+
 wolfSSL_free(ssl_c);
 wolfSSL_CTX_free(ctx_c);
 wolfSSL_free(ssl_s);
@@ -67733,12 +67739,9 @@ static int test_tls13_rpk_handshake(void)
 svrKeyFile, WOLFSSL_FILETYPE_PEM ) , 0);
- /* set client certificate type in client end */
- certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
- certType_c[1] = WOLFSSL_CERT_TYPE_X509;
- typeCnt_c = 2;
-
- /* client indicates both RPK and x509 certs are available but loaded RPK
+ /* set client certificate type in client end
+ *
+ * client indicates both RPK and x509 certs are available but loaded RPK
 * cert only. It does not have client add client-cert-type extension in CH. */
 certType_c[0] = WOLFSSL_CERT_TYPE_RPK;
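Review bot: The added `(void)typeCnt_c;` and `(void)typeCnt_s;` only silence a set-but-unused warning; in this test case the counts (and the certType_s entries assigned in the preceding hunk) are presumably never passed to the cert-type APIs, which the nearby comment says is deliberate. Either delete the dead assignments for this case, or keep the casts next to the assignments with a one-line reason such as `/* unused here: this case relies on the defaults and never calls the cert-type APIs */`, so a reader is not left looking for the missing call. The same pattern is repeated in the hunk at 67575. The enclosing test function starts before and continues past this hunk.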
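Review bot: The merged comment in the hunk at 67733 keeps the sentence `It does not have client add client-cert-type extension in CH.`, which is hard to parse and does not name the extension; suggested replacement for the last two comment lines: `* cert only, so the client does not add the client_certificate_type` / `* extension to its ClientHello.` Dropping the duplicate certType_c/typeCnt_c assignments is fine, since the same three assignments still follow the comment (the third one is just past the hunk). test_tls13_rpk_handshake begins and ends outside this hunk.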