I am using MbedTLS in firmware. I successfully received a remote file and an encrypted hash of it that was encrypted with a private key (via OpenSSL). I used mbedtls_sha256() to locally make my own hash of the file and then mbedtls_pk_verify() to compare that with the encrypted hash I received.