Certificate pinning matches against all pins instead of hostname-scoped pins

**Description**

In Darwin's CertificatePinner (ktor-client/ktor-client-darwin/darwin/src/io/ktor/client/engine/darwin/certificates/CertificatePinner.kt), findMatchingPins(hostname) is computed but not used for pins validation.

hasOnePinnedCertificate matches the server certificate chain against all configured pins, not just the pins that match the current hostname.

// applyPinning()
val matchingPins = findMatchingPins(hostname)
...
hasOnePinnedCertificate(certificates) // uses all pins

<img width="828" height="768" alt="Image" src="https://github.com/user-attachments/assets/b1c6321f-9caa-4c5d-aa86-881e2d907529" />


// hasOnePinnedCertificate()
pinnedCertificates.any { pin -> ... }

<img width="828" height="694" alt="Image" src="https://github.com/user-attachments/assets/ba061f89-2ec2-4052-a177-5faef502a683" />

**Impact**

When multiple domains are pinned, a pin for domain A can satisfy pinning for domain B, breaking hostname-scoped pin isolation.

**Expected**

Certificate validation should only consider matchingPins.

**Suggested Fix**

Pass matchingPins into hasOnePinnedCertificate and validate against that set instead of pinnedCertificates.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Certificate pinning matches against all pins instead of hostname-scoped pins #5309

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Certificate pinning matches against all pins instead of hostname-scoped pins #5309

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions