library: ssl: replace mbedtls_pk_can_do_ext with mbedtls_pk_can_do_psa

valeriosetti · valeriosetti · commit cccb5b6d4f8a · 2025-08-01T17:18:07.000+02:00
Signed-off-by: Valerio Setti &lt;valerio.setti@nordicsemi.no&gt;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
@@ -8245,14 +8245,14 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
                     mbedtls_md_psa_alg_from_type(md_alg);
 
                 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
                                            PSA_ALG_ECDSA(psa_hash_alg),
                                            PSA_KEY_USAGE_SIGN_HASH)) {
                     continue;
                 }
 
                 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
-                    !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+                    !mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
                                            PSA_ALG_RSA_PKCS1V15_SIGN(
                                                psa_hash_alg),
                                            PSA_KEY_USAGE_SIGN_HASH)) {
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
@@ -694,11 +694,11 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
         int key_type_matches = 0;
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
         key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
-                             mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
-                            mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
+                             mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
+                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg, pk_usage));
 #else
         key_type_matches = (
-            mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
+            mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
         if (!key_type_matches) {
             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
@@ -1160,7 +1160,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
             if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
                     *sig_alg, &key_cert->cert->pk)
                 && psa_alg != PSA_ALG_NONE &&
-                mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
+                mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
                                       PSA_KEY_USAGE_SIGN_HASH) == 1
                 ) {
                 ssl->handshake->key_cert = key_cert;
