The function mbedtls_pk_can_do() should be removed. Before that we need to remove the last places it's used:

• Externally in mbedtls: covered by Remove use of pk_can_do() mbedtls#10453
• Internally in mbedtls_pk_can_do_ext(): well fortunately we want to remove that function as well, and it's not used anywhere so that's an easy one.
• Internally in mbedtls_pk_sign_ext() and mbedtls_pk_verify_ext(): see discussion below.

Regarding the last point, it is entirely possible that the check is redundant these days and can just be removed, because ultimately psa_sign_hash() (or psa_verify_hash()) will return an error if the key is not capable of doing the operation anyway. So, the first thing I'd try is to simply remove the check and see if the tests still pass. However before that we want to double-check we have sufficient negative testing for sign_ext() and verify_ext(). (Possibly we'll need to ensure PSA_ERROR_NOT_PERMITTED is correctly translated to MBEDTLS_ERR_PK_TYPE_MISMATCH which might involve switching from PSA_PK_RSA_TO_MBEDTLS_ERR() to PSA_PK_TO_MBEDTLS_ERR().)

If this approach turns out not to work for some reason, we can always fall back to using mbedtls_pk_can_do_psa(), but I don't think that should be necessary.

Note: even though the issue title is about pk_can_do() (because the definition of done is this function is gone) the bulk of the work is refactoring sign_ext() and verify_ext(), and as such we need to ensure we have proper testing (including negative) in place before we touch the code. Also, we cannot change observable behaviour unless it was undocumented.

Depends on: Mbed-TLS/mbedtls#10453

Potential conflicts: this is very likely going to conflict with #515 and #519 since all of them are touching the same library and test functions.