Add test cases for strict expiration time validation #6

@jvdprng

Context

Implementations should strictly validate certificate expiration times and reject certificates that are expired at validation time, even by a few seconds. Some implementations may have lax validation that accepts certificates expired very recently, creating a security window.

Why this matters:

  • Security: prevents use of expired certificates during revocation grace periods
  • Compliance: ensures strict adherence to validity period semantics
  • Consistency: eliminates ambiguity around "close enough" expiration times
  • Prevents attacks that rely on timing windows around expiration

Test Case Description

Create test certificates with various expiration scenarios at the boundary of validity:

Expired by Small Amounts:

  1. Certificate expired 1 second before validation time (should REJECT)
  2. Certificate expired 5 seconds before validation time (should REJECT)
  3. Certificate expired 1 minute before validation time (should REJECT)

Not Yet Valid by Small Amounts:

  1. Certificate valid starting 1 second after validation time (should REJECT)
  2. Certificate valid starting 5 seconds after validation time (should REJECT)

Exactly at Boundaries:

  1. Certificate with notBefore exactly at validation time (should ACCEPT)
  2. Certificate with notAfter exactly at validation time (typically ACCEPT - some validators may differ)

Sub-second Precision:

  1. Certificate with fractional seconds in validity times at boundary (should follow RFC 5280 rules)

Expected validation results: REJECT for any amount of expiration or not-yet-valid, ACCEPT only when within validity period

Implementation Requirements

Certificate Builder Modifications:

  • Add ability to create certificates with precise timestamps
  • Support fractional second timestamps (per RFC 5280)
  • Allow setting validity periods relative to validation time

Test Harness:

  • Test cases need ability to set precise validation time
  • Should test with validation times very close to notBefore/notAfter boundaries
  • Need sub-second timing precision

Test Case Examples:

  • rfc5280::validity-expired-1-second
  • rfc5280::validity-expired-5-seconds
  • rfc5280::validity-not-yet-valid-1-second
  • rfc5280::validity-exact-notbefore
  • rfc5280::validity-exact-notafter

References

Acceptance Criteria

  • Test cases created for sub-minute expiration boundaries
  • Test cases created for sub-second precision timing
  • Test cases validate against x509-limbo schema
  • Test cases produce REJECT results for any expiration in at least one harness
  • Documentation clarifies strict expiration semantics
  • Coordinates with existing validity tests to avoid duplication
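
An added sketch, not part of the issue or of x509-limbo: it lays out the whole-second boundary cases listed above relative to a fixed validation time, checks them with an inclusive notBefore/notAfter comparison, and reruns them against a validator with a grace window to show which cases catch lax behaviour. The validation time, the 30-day lifetime, the `grace` parameter and the two case ids not named in the issue are assumptions; the exact-notAfter case is treated as ACCEPT because RFC 5280 defines the validity period as running from notBefore through notAfter, inclusive.

```python
from datetime import datetime, timedelta, timezone

# Constructed validation time; any fixed instant works.
VALIDATION_TIME = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LIFETIME = timedelta(days=30)  # assumed certificate lifetime

# (case id, bound placed near validation time, offset of that bound, expected)
# Ids for the 1-minute and not-yet-valid-5-seconds cases are extrapolated
# from the naming pattern in the issue.
CASES = [
    ("validity-expired-1-second", "not_after", timedelta(seconds=-1), "REJECT"),
    ("validity-expired-5-seconds", "not_after", timedelta(seconds=-5), "REJECT"),
    ("validity-expired-1-minute", "not_after", timedelta(minutes=-1), "REJECT"),
    ("validity-not-yet-valid-1-second", "not_before", timedelta(seconds=1), "REJECT"),
    ("validity-not-yet-valid-5-seconds", "not_before", timedelta(seconds=5), "REJECT"),
    ("validity-exact-notbefore", "not_before", timedelta(0), "ACCEPT"),
    ("validity-exact-notafter", "not_after", timedelta(0), "ACCEPT"),
]


def validity_for(bound, offset, now=VALIDATION_TIME):
    """Return (not_before, not_after) with the named bound at now + offset."""
    edge = now + offset
    if bound == "not_after":
        return edge - LIFETIME, edge
    return edge, edge + LIFETIME


def check(not_before, not_after, now, grace=timedelta(0)):
    """Inclusive validity check; grace > 0 models a lax validator."""
    ok = not_before - grace <= now <= not_after + grace
    return "ACCEPT" if ok else "REJECT"


def run(grace=timedelta(0)):
    """Return the ids of cases whose result differs from the expected one."""
    failures = []
    for case_id, bound, offset, expected in CASES:
        not_before, not_after = validity_for(bound, offset)
        if check(not_before, not_after, VALIDATION_TIME, grace) != expected:
            failures.append(case_id)
    return failures


if __name__ == "__main__":
    print("strict validator failures:", run())
    print("5-second grace failures:", run(timedelta(seconds=5)))
```

The 1-minute case passes even with the 5-second grace window, which is why the 1-second and 5-second cases are the ones that expose a lax validator.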
