pk: add check_pair info to mbedtls_pk_setup_opaque() documentation
This also updates use-psa-crypto.md accordingly.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 92d0985..f2983bd 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -75,13 +75,8 @@
**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
-**Limitations:** can only wrap a key pair, can only use it for private key
-operations. (That is, signature generation, and for RSA decryption too.)
-Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses
-deterministic ECDSA by default. The following operations are not supported
-with a context set this way, while they would be available with a normal
-context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
-operations.
+**Limitations:** please refer to the documentation of `mbedtls_pk_setup_opaque()`
+for a full list of supported operations and limitations.
**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
using the new API in order to get the benefits; it can then pass the
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index e33702f..a3b1363 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -377,6 +377,9 @@
* In order for the above operations to succeed, the policy of the wrapped PSA
* key must allow the specified algorithm.
*
+ * Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(),
+ * whereas RSA ones do not.
+ *
* \warning The PSA wrapped key must remain valid as long as the wrapping PK
* context is in use, that is at least between the point this function
* is called and the point mbedtls_pk_free() is called on this context.