diff --git a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/PKIAuthenticationModule.java b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/PKIAuthenticationModule.java
index a751a28d32..4460108900 100644
--- a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/PKIAuthenticationModule.java
+++ b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/PKIAuthenticationModule.java
@@ -88,6 +88,27 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 		return false;
 	}
 
+	private void checkTokenIntegrity(byte[] token) throws LoginException {
+		if (token.length != TOKEN_SIZE) {
+			throw new FailedLoginException("Invalid Signature callback");
+		}
+
+		boolean isZeroToken = true;
+		for (byte b : token) {
+			if (b != 0) {
+				isZeroToken = false;
+				break;
+			}
+		}
+		if (isZeroToken) {
+			throw new FailedLoginException("Invalid Signature callback");
+		}
+
+		if (!TokenGenerator.isRecentToken(token, MAX_TOKEN_TIME)) {
+			throw new FailedLoginException("Stale Signature callback");
+		}
+	}
+
 	/*
 	 * @see ghidra.server.security.AuthenticationModule#authenticate(ghidra.server.UserManager, javax.security.auth.Subject, javax.security.auth.callback.Callback[])
 	 */
@@ -121,14 +142,12 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 		try {
 			byte[] token = sigCb.getToken();
-
-			if (!TokenGenerator.isRecentToken(token, MAX_TOKEN_TIME)) {
-				throw new FailedLoginException("Stale Signature callback");
-			}
+			checkTokenIntegrity(token);
 
 			boolean usingSelfSignedCert = DefaultKeyManagerFactory.usingGeneratedSelfSignedCertificate();
-			if (!DefaultKeyManagerFactory.isMySignature(usingSelfSignedCert ? null : authorities,
+			if (!DefaultKeyManagerFactory.isMySignature(
+				usingSelfSignedCert ? null : DefaultTrustManagerFactory.getTrustedIssuers(),
 				token, sigCb.getServerSignature())) {
 				throw new FailedLoginException("Invalid Signature callback");
 			}
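Review bot: The new checkTokenIntegrity dereferences `token.length` before any null check, so a callback whose token was never populated would surface as a NullPointerException out of authenticate() rather than the FailedLoginException every other rejection in this method produces; whether sigCb.getToken() can return null is not visible in this hunk, but the guard is cheap: `if (token == null || token.length != TOKEN_SIZE) {`. The method also lacks a doc comment explaining why an all-zero token is treated as invalid rather than merely stale, which is the non-obvious part of the check; a short Javadoc stating that the token must be exactly TOKEN_SIZE bytes, non-zero, and within MAX_TOKEN_TIME, with `@throws FailedLoginException` for each rejection, would make the contract clear to the next maintainer. Keeping the same "Invalid Signature callback" message for both the length and all-zero rejections is a reasonable choice, since it avoids telling a client which structural check it failed.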