
Add SPKI-based certificate pinning support#883

Open
o-nnerb wants to merge 12 commits into swift-server:main from o-nnerb:main

Conversation

@o-nnerb
Contributor

@o-nnerb o-nnerb commented Feb 2, 2026

This PR introduces SPKI-based certificate pinning to AsyncHTTPClient, enabling clients to enforce explicit trust in server certificates beyond standard PKI validation. This provides protection against compromised Certificate Authorities and MITM attacks.

🔑 Key features

  • SPKI pinning (not full certificate pinning) — survives legitimate certificate rotations
  • Two verification modes:
    • .strict (production): blocks connections on pin mismatch
    • .audit (staging): allows connections but logs warnings
  • Full compatibility with existing TLS configuration
  • OpenSSL/BoringSSL only (Network.framework ignored when pinning is active)

🛡️ Security by design

  • Backup pins are strongly encouraged: emits warning if missing in .strict mode
  • Hashes stored as Base64-encoded SHA-256 of SPKI (matches OpenSSL output)
  • No silent failures: explicit errors on pin mismatch
  • Aligned with OWASP MSTG-NETWORK-4 and NIST SP 800-52 Rev. 2

🧪 Usage example

let config = HTTPClient.Configuration(
    tlsPinning: SPKIPinningConfiguration(
        pins: ["dJEGUdm2BuEalPybF+8enWB7R4AeiwE0gsQHyQrhzhY="],
        policy: .strict
    )
)

let client = HTTPClient(configuration: config)

⚠️ Important notes

  • Pinning requires the OpenSSL/BoringSSL backend — Network.framework (NIOTS) is ignored when pinning is configured
  • Always deploy backup pins in production to avoid lockout during certificate rotation
  • Pins must be Base64-encoded SHA-256 hashes of SPKI (use openssl dgst -sha256 -binary | base64 -A)

📚 References

@o-nnerb o-nnerb marked this pull request as draft February 2, 2026 03:25
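The SPKI pin computation and the strict versus audit decision described in the PR text above, as an added worked example in Go rather than the project's Swift; this is not code from the PR or from AsyncHTTPClient, and every name in it (Policy, Strict, Audit, PinResult, SPKIPin, MissingBackupPin, VerifyPins, newKey, selfSigned) is the example's own. It generates throwaway P-256 keys and self-signed certificates as constructed test data so it runs offline. SPKIPin yields the same string as the OpenSSL pipeline once the public key has been extracted from the certificate, i.e. openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Policy models the PR's two modes; every name in this file is the example's own, not the project's API.
type Policy int

const (
	Strict Policy = iota // refuse the connection on a pin mismatch
	Audit                // allow the connection but surface the mismatch for logging
)

type PinResult struct {
	Allowed, Matched bool   // Allowed: handshake may proceed; Matched: leaf pin is in the configured set
	Pin              string // pin the leaf actually presented, for audit logs and lockout diagnosis
}

// SPKIPin returns base64(SHA-256(DER SubjectPublicKeyInfo)), the value the OpenSSL pipeline in the PR prints.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// MissingBackupPin is the condition the PR warns about: strict mode with a single pin.
func MissingBackupPin(pins []string, policy Policy) bool {
	return policy == Strict && len(pins) < 2
}

// VerifyPins checks the leaf's SPKI pin against the configured set; it runs after, not instead of, chain validation.
// Pins are syntax-checked first so a typo fails loudly instead of silently never matching.
func VerifyPins(leaf *x509.Certificate, pins []string, policy Policy) (PinResult, error) {
	if len(pins) == 0 {
		return PinResult{}, fmt.Errorf("pinning enabled with an empty pin set")
	}
	for _, p := range pins {
		if raw, err := base64.StdEncoding.DecodeString(p); err != nil || len(raw) != sha256.Size {
			return PinResult{}, fmt.Errorf("pin %q is not a base64-encoded SHA-256 digest", p)
		}
	}
	res := PinResult{Pin: SPKIPin(leaf)}
	for _, p := range pins {
		if p == res.Pin {
			res.Allowed, res.Matched = true, true
			return res, nil
		}
	}
	if policy == Audit {
		res.Allowed = true // log-only mode: the caller sees Matched == false and should log res.Pin
		return res, nil
	}
	return res, fmt.Errorf("SPKI pin mismatch: leaf presented %s, no configured pin matched", res.Pin)
}

// newKey makes a fresh P-256 key; a real deployment pins the server's existing key, not a generated one.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// selfSigned issues a throwaway self-signed certificate for key (constructed test data, not a real server cert).
func selfSigned(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "pinning.example.test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	keyA, keyB := newKey(), newKey()
	certA1, _ := selfSigned(keyA, 1) // current certificate
	certA2, _ := selfSigned(keyA, 2) // renewed with the same key: same pin, no client update needed
	certB, _ := selfSigned(keyB, 3)  // rotated to a new key: only the backup pin keeps clients connected
	pins := []string{SPKIPin(certA1), SPKIPin(certB)} // primary + backup
	fmt.Println("backup pin missing:", MissingBackupPin(pins, Strict))
	for _, c := range []*x509.Certificate{certA1, certA2, certB} {
		res, err := VerifyPins(c, pins, Strict)
		fmt.Printf("serial=%v matched=%v allowed=%v err=%v\n", c.SerialNumber, res.Matched, res.Allowed, err)
	}
}
```

Running it prints one line per certificate: serial 1 and serial 2 both match because a renewed certificate on the same key carries the same SubjectPublicKeyInfo, which is the property that lets SPKI pinning survive certificate rotation; serial 3 matches only because its pin was deployed in advance as a backup. Remove the backup pin and that key rotation becomes a hard failure under Strict and a logged mismatch under Audit. VerifyPins is a check layered on top of normal chain validation, not a replacement for it.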
@o-nnerb
Contributor Author

o-nnerb commented Feb 2, 2026

Good morning, @Lukasa. Does this PR make sense for AsyncHTTPClient?

I’m currently developing an application and need this feature. I’ve researched the topic and found some use cases on https://github.com/datatheorem/TrustKit.

I’ve also made this a draft because I’ll need more time to implement the tests.

@o-nnerb o-nnerb marked this pull request as ready for review February 2, 2026 21:19
@o-nnerb o-nnerb requested a review from Lukasa February 7, 2026 14:57