Verification failure reason output

Description of problem:

GnuTLS outputs a different failure reason than OpenSSL for certificate verification: OpenSSL reports the verification failure as a problem with the extension, while GnuTLS reports an invalid signature.

Version of gnutls used:

gnutls-cli 3.7.3

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

How reproducible:

Steps to Reproduce:

  • certtool --verify --load-ca-certificate RootCA.pem --infile Cert1732784125176M1.pem
  • openssl verify -CAfile ca.pem RootCA.pem Cert1732784125176M1.pem

Cert1732784125176M1.pem

RootCA.pem

Actual results:

Loaded CAs (1 available)
	Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The signature in the certificate is invalid. 

Chain verification output: Not verified. The certificate is NOT trusted. The signature in the certificate is invalid. 

Expected results:

C = UN, ST = My ST1, L = MY Locality1, O = My Company1, OU = My Unit1, CN = www.mycompany1.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error Cert1732784125176M1.pem: verification failed
40C7C39917720000:error:1100009E:X509 V3 routines:ossl_x509v3_cache_extensions:invalid certificate:../crypto/x509/v3_purp.c:635:
Edited by dulanshuangqiao