diff --git a/src/cms_common.c b/src/cms_common.c
index 4a79cb0..4dbea4f 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -365,7 +365,10 @@ is_valid_cert(CERTCertificate *cert, void *data)
 privkey = PK11_FindPrivateKeyFromCert(slot, cert, cbd->cms);
 if (privkey != NULL) {
+ if (cbd->cert)
+ CERT_DestroyCertificate(cbd->cert);
 cbd->cert = CERT_DupCertificate(cert);
+ CERT_DestroyCertificate(cert);
 SECKEY_DestroyPrivateKey(privkey);
 return SECSuccess;
 }
@@ -383,8 +386,15 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
 return SECFailure;
 privkey = PK11_FindPrivateKeyFromCert(slot, cert, cbd->cms);
 if (privkey == NULL) {
+ if (cbd->cert)
+ CERT_DestroyCertificate(cbd->cert);
+ PORT_SetError(0);
 cbd->cert = CERT_DupCertificate(cert);
+ CERT_DestroyCertificate(cert);
 return SECSuccess;
+ } else {
+ SECKEY_DestroyPrivateKey(privkey);
+ CERT_DestroyCertificate(cert);
 }
 return SECFailure;
 }
diff --git a/src/pesign.c b/src/pesign.c
index 4f6d2e4..08121ac 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -81,10 +81,12 @@ main(int argc, char *argv[])
 int check_vendor_cert = 1;
 char *digest_name = "sha256";
+ char *orig_digest_name = digest_name;
 char *tokenname = "NSS Certificate DB";
 char *origtoken = tokenname;
 char *certname = NULL;
 char *certdir = "/etc/pki/pesign";
+ char *orig_certdir = certdir;
 char *signum = NULL;
 secuPWData pwdata;
@@ -351,6 +353,7 @@ main(int argc, char *argv[])
 fprintf(stderr, "invalid signature number: %m\n");
 exit(1);
 }
+ free(signum);
 }
 int action = 0;
@@ -475,6 +478,8 @@ main(int argc, char *argv[])
 }
 if (certname) free(certname);
+ if (digest_name && digest_name != orig_digest_name)
+ free(digest_name);
 if (ctxp->sign) {
@@ -509,6 +514,8 @@ main(int argc, char *argv[])
 break;
 }
 }
+ if (certdir && certdir != orig_certdir)
+ free(certdir);
 pesign_context_free(ctxp);
 if (!daemon) {
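Review bot: In is_valid_cert, and again in is_valid_cert_without_private_key, `cbd->cert = CERT_DupCertificate(cert);` followed directly by `CERT_DestroyCertificate(cert);` leaves the reference count unchanged, so the callback is in effect taking over the caller's reference. Neither hunk shows that the caller gives its reference away; if the code that walks the certificates also releases each one, this is one release too many and cbd->cert could point at a freed certificate when it is later used for signing. The release is also not applied on every path: the final `return SECFailure;` in is_valid_cert and the early `return SECFailure;` at the top of the second hunk leave cert untouched. I would either drop the added `CERT_DestroyCertificate(cert);` lines, or state in a comment above both callbacks that they consume the reference and then release it on every return. Both function bodies start outside their hunks.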
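Review bot: `PORT_SetError(0);` in is_valid_cert_without_private_key has no comment, and the hunk does not show why the NSS error state has to be cleared at that point. Presumably it discards the error left behind when PK11_FindPrivateKeyFromCert returns NULL, which is the expected outcome in this callback rather than a failure. A line such as `/* no private key is the expected case here; clear the lookup error */` above the call would record that, so that the reset is not removed later as dead code or copied to places where the error should be kept.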
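Review bot: The new locals `orig_digest_name` and `orig_certdir` in main's declarations carry an ownership rule that is not written down anywhere in the hunk: the cleanup code compares against them to decide whether the current string must be freed. A comment above them, for example `/* defaults are string literals; orig_* let cleanup tell them apart from heap strings set by option parsing */`, would make this clear and would cover the existing `origtoken` as well. The scheme is only safe if option parsing never stores anything but a heap-allocated string in `digest_name` and `certdir`, which is not visible here and is worth stating in the same comment.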
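Review bot: `free(signum);` in the hunk at -351 leaves signum dangling for the rest of main, and the same holds for `free(digest_name);` at -475 and `free(certdir);` at -509. None of these hunks show whether the pointers are read again further down, or whether a copy was stored in ctxp before the free, so a use of freed memory cannot be ruled out from the visible lines. Setting each pointer to NULL right after releasing it, as in `free(signum); signum = NULL;`, turns any later use into an immediate, visible failure. The enclosing blocks start and end outside the hunks.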