From 1de094fb321f793fa398951598c682969e00326f Mon Sep 17 00:00:00 2001
From: Valerio Setti <valerio.setti@nordicsemi.no>
Date: Wed, 12 Nov 2025 14:44:59 +0100
Subject: [PATCH] library: x509: replace mbedtls_pk_can_do() with
 mbedtls_pk_can_do_psa()

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
---
 library/x509_crt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index ae9cc22538..61dca746a3 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -43,6 +43,8 @@
 #include "mbedtls/threading.h"
 #endif
 
+#include "mbedtls_utils.h"
+
 #if defined(MBEDTLS_HAVE_TIME)
 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
 #ifndef WIN32_LEAN_AND_MEAN
@@ -2109,7 +2111,9 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
     /* Skip expensive computation on obvious mismatch */
-    if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
+    if (!mbedtls_pk_can_do_psa(&parent->pk,
+                               mbedtls_psa_alg_from_pk_sigalg(child->sig_pk, hash_alg),
+                               PSA_KEY_USAGE_VERIFY_HASH)) {
         return -1;
     }