OAEP (i.e. Optimal Asymmetric Encryption Padding) as defined in RFC 2437 is parameterized by the choice of hash function and mask generation function. The hash function is usually either SHA-1 or SHA-2 while the only mask generation function defined is MGF1 which itself is based on a hash function. In the Security.framework this padding scheme is available as OAEP (deprecated as of iOS 15) and as properties of the SecKeyAlgorithm structure, e.g. rsaEncryptionOAEPSHA1. The documentation for both only reads No overview available but from the comments in SecKey.h can be gleaned that at least for rsaEncryptionOAEPSHA1 data is padded using OAEP padding scheme internally using SHA1. So it seems that while using SecKeyAlgorithm the choice of hash function corresponds to selecting a property of the structure; the question that remains is whether this hash function is used for both the encoding scheme and the mask generation function. I suppose that this is in fact the case, but I am unable to find anything corroborating this.

I currently have two valid Apple Distribution certificates (old and new, say) in my login keychain (which Xcode recognises in Settings > Accounts) and a project with a manual code signing setup such that a provisioning profile which references the old certificate is specified for the PROVISIONING_PROFILE_SPECIFIER build setting. While building, though, Xcode complains about the profile not containing some signing certificate (which I assume refers to the new one and which would be expected since I have yet to update it) and fails the build. This effectively means that I cannot have two valid certificates in the keychain and use two profiles where one references the old and the other the new certificate. Am I missing something here?