We have a valid, unexpired, trusted wildcard certificate in the keychain with both Subject Alternative Names (2.5.29.17): DNS Name *.example.com and DNS Name example.com.
Our query does not match against example.com; it matches only against *.example.com.
// Looks up a certificate in the keychain by hostname with SecItemCopyMatching
// and asserts that the lookup succeeds.
let exactHostname = "example.com"
let keychainQuery = [
// Restrict the search to certificate items.
kSecClass : kSecClassCertificate,
// Attributes that were tried and rejected:
//kSecAttrLabel: exactHostname,// keychain label name; should not be used to query by hostname
//kSecAttrSubject: exactHostname, // also does not work
// Whole-string match on the certificate subject.
// NOTE(review): this key does not appear to consult the Subject Alternative Name
// extension; presumably the subject CN here is *.example.com, which would explain
// why only that value matches — confirm against the certificate.
kSecMatchSubjectWholeString: exactHostname,
// Date on which the certificate must be valid; kCFNull means the current date.
// NOTE(review): a validity-date match is not a trust or hostname decision. If the
// result feeds a TLS decision, hostname checking (including SAN dNSName entries) is
// normally done by evaluating the certificate with SecTrust under an SSL policy
// (SecPolicyCreateSSL) for the hostname — TODO confirm this fits the use case.
kSecMatchValidOnDate: kCFNull!,
// Ask for a reference to the matched item.
kSecReturnRef: true] as NSDictionary
// Receives the matched item on success.
var item : CFTypeRef?
// Not used in the lines shown.
var identity: SecIdentity?
let status = SecItemCopyMatching(keychainQuery as CFDictionary, &item)
// Only the status is checked; `item` is not inspected in the lines shown, so this
// assertion does not confirm which certificate was matched.
XCTAssert(status == errSecSuccess, "Failed to get certificate: \(status)")
How can we query against a Subject Alternative Name DNS name?