Security
   * Fix a compliance issue whereby we were not checking the tag on the
     algorithm parameters (only the size) when comparing the signature in the
     description part of the cert to the real signature. This meant that a
     NULL algorithm parameters entry would look identical to an array of REAL
     (size zero) to the library and thus the certificate would be considered
     valid. However, if the parameters do not match in *any* way then the
     certificate should be considered invalid, and indeed OpenSSL marks these
     certs as invalid when mbedtls did not.
     Many thanks to guidovranken who found this issue via differential fuzzing
     and reported it in #3629.