diff --git a/keyserver/internal/cross_signing.go b/keyserver/internal/cross_signing.go
index 0fc31cba7..7e83cfce2 100644
--- a/keyserver/internal/cross_signing.go
+++ b/keyserver/internal/cross_signing.go
@@ -137,7 +137,7 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P
 		case *gomatrixserverlib.CrossSigningKey:
 			if err := sanityCheckKey(*k, req.UserID, gomatrixserverlib.CrossSigningKeyPurposeMaster); err != nil {
 				res.Error = &api.KeyError{
-					Err: "User-signing key sanity check failed: " + err.Error(),
+					Err: "Master key sanity check failed: " + err.Error(),
 				}
 				return
 			}
@@ -147,6 +147,20 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P
 			}
 			return
 		}
+		switch k := keys.SelfSigningKeys[req.UserID].CrossSigningBody.(type) {
+		case *gomatrixserverlib.CrossSigningKey:
+			if err := sanityCheckKey(*k, req.UserID, gomatrixserverlib.CrossSigningKeyPurposeSelfSigning); err != nil {
+				res.Error = &api.KeyError{
+					Err: "Self-signing key sanity check failed: " + err.Error(),
+				}
+				return
+			}
+		default:
+			res.Error = &api.KeyError{
+				Err: "Unexpected type for self-signing key retrieved from federation",
+			}
+			return
+		}
 	}
 
 	// If we still don't have a master key at this point then there's nothing else