diff --git a/ChangeLog.d/pk_ext-pss_options-public.txt b/ChangeLog.d/pk_ext-pss_options-public.txt
new file mode 100644
index 0000000000..b11fa3063c
--- /dev/null
+++ b/ChangeLog.d/pk_ext-pss_options-public.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
+ possible to verify RSA PSS signatures with the pk module, which was
+ inadvertently broken since Mbed TLS 3.0.
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 0392bd48e9..eb4333d98a 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -98,8 +98,24 @@ typedef enum {
 * See \c mbedtls_rsa_rsassa_pss_verify_ext()
 */
 typedef struct mbedtls_pk_rsassa_pss_options {
- mbedtls_md_type_t MBEDTLS_PRIVATE(mgf1_hash_id);
- int MBEDTLS_PRIVATE(expected_salt_len);
+ /** The digest to use for MGF1 in PSS.
+ *
+ * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
+ * disabled, this must be equal to the \c md_alg argument passed
+ * to mbedtls_pk_verify_ext(). In a future version of the library,
+ * this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
+ * enabled regardless of the status of #MBEDTLS_RSA_C.
+ */
+ mbedtls_md_type_t mgf1_hash_id;
+
+ /** The expected length of the salt, in bytes. This may be
+ * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ *
+ * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
+ * #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
+ * ignored (allowing any salt length).
+ */
+ int expected_salt_len;
 } mbedtls_pk_rsassa_pss_options;
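Review bot: The new \note on `expected_salt_len` says that under #MBEDTLS_USE_PSA_CRYPTO any value other than #MBEDTLS_RSA_SALT_LEN_ANY "may be ignored (allowing any salt length)", which silently downgrades a caller's requested salt-length check to no check: a caller who asks mbedtls_pk_verify_ext() to enforce a specific salt length gets a success return for a signature that violates the constraint it asked for, and a weaker check than the mbedtls_rsa_rsassa_pss_verify_ext() path this struct is documented as mirroring. An unsupported verification option should be rejected with an error rather than dropped, or at minimum the doc should tell callers to pass #MBEDTLS_RSA_SALT_LEN_ANY explicitly and not rely on the check; I would replace the last sentence with `\note ... Other values are rejected by mbedtls_pk_verify_ext() (or, if the implementation accepts them, are silently treated as #MBEDTLS_RSA_SALT_LEN_ANY — callers must not rely on the length being enforced).` with the parenthetical kept only if that is what the PSA path actually does, which this hunk does not show. The `mgf1_hash_id` note has the same gap: it says the value "must be equal" to `md_alg` but not what happens when it is not, so the caller cannot tell whether a mismatch is an error return or a silent substitution; suggest adding `\note ... If it differs, mbedtls_pk_verify_ext() returns an error.` once the actual behaviour is confirmed against pk.c. The struct's enclosing Doxygen comment starts before this hunk.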