diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8aa3145bd8..0100441aca 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1959,6 +1959,12 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
 {
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
+
+ /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+ * the rest of the signature is invalid". This has little use in
+ * practice and PSA doesn't report this distinction. */
+ if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )
+ return( PSA_ERROR_INVALID_SIGNATURE );
 return( mbedtls_to_psa_error( ret ) );
 }
 #endif /* MBEDTLS_RSA_C */
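Review bot: The added `if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )` leaves its `return( PSA_ERROR_INVALID_SIGNATURE );` unbraced, while the `PSA_ERROR_INVALID_ARGUMENT` guard directly above it in the same hunk braces a single return. On the path that decides a signature verification result, I would brace it the same way, so a later edit cannot detach the return from its condition. The comment could also state the contract rather than only the rationale, e.g. `/* Any padding or digest mismatch is reported as PSA_ERROR_INVALID_SIGNATURE. */`. The remap is local to psa_rsa_verify, whose body starts outside the hunk, so the hunk does not show whether other verification paths still surface a padding-specific status through `mbedtls_to_psa_error`. A negative test with a malformed-padding signature asserting `PSA_ERROR_INVALID_SIGNATURE` would pin the behaviour.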