Remove use of `pk_can_do()`

[mpg]

The function mbedtls_pk_can_do() is not public, it's deprecated and we want to remove it, so we need to stop using it in Mbed TLS.

When can_do() is really used as a capacity check, the replacement will be mbedtls_pk_can_do_psa(). (Note: mbedtls_pk_can_do_ext() should not be used as it's going to be removed as well.) However it has different arguments that are more precise: instead of a "key type" it takes and algorithm and usage. So, this is not a straightforward replacement and some awareness of the context is needed to determine the correct arguments. As a rule of thumb:

• Usage will always be PSA_KEY_USAGE_SIGN_HASH or PSA_KEY_USAGE_VERIFY_HASH for X.509 and TLS these days (other uses have been removed in 4.0).
• For MBEDTLS_PK_ECDSA, alg will be MBEDTLS_PK_ALG_ECDSA(hash) - for a hash to be determined from context.
• For MBEDTLS_PK_RSA, alg will be PSA_ALG_RSA_PKCS1V15_SIGN(hash).
• For MBEDTLS_PK_RSASSA_PSS, alg will be PSA_ALG_RSA_PSS(hash) or PSA_ALG_RSA_PSS_ANY_SALT(hash).

In some cases, can_do() was not used as a capacity check but rather as a type check. In those cases, we want to use the new function mbedtls_pk_get_key_type() introduced by Mbed-TLS/TF-PSA-Crypto#509 together with the existing PSA macros like PSA_KEY_TYPE_IS_RSA() or PSA_KEY_TYPE_IS_ECC().

Depends on: Mbed-TLS/TF-PSA-Crypto#509

[gilles-peskine-arm]

See Mbed-TLS/TF-PSA-Crypto#203 and Mbed-TLS/TF-PSA-Crypto#204 for an analysis and partial prototype of the removal of mbedtls_pk_type_t, mbedtls_pk_get_type and mbedtls_pk_can_do.