auth0-lab / mdl

Parse and validate MDOC CBOR encoded binaries according to ISO 18013-5.
Apache License 2.0
81 stars 5 forks

Validity timestamp truncation #21

Open dalebowie opened 3 days ago

dalebowie commented 3 days ago

As a caller to the library I can addValidityInfo that includes specific timestamps. It appears during encoding these timestamps are truncated. Whilst one could interpret this truncation as broadly in alignment with the standard's guidance around linkability (see second-last paragraph on page 51 of ISO/IEC 18013-5:2021(E)), should that truncation really be done when the caller's input is specifying their own values?

I admit it is a limited window where this is problematic, but in the current implementation, I can:

  1. At GMT 9am get a certificate signed for intended use with this library.
  2. At GMT 3pm use this library to generate an mdoc with the current timestamp and the certificate obtained above.
  3. The produced mdoc then fails to validate because its signed date is truncated to GMT midnight, well before the GMT 9am from which the certificate is valid.

My thought on a fix might be two-fold:

  1. If timestamps are specified via addValidityInfo, then no truncation should occur.
  2. At signing time, the timestamps are auto-generated and truncated if not previously supplied via addValidityInfo. Whatever timestamps are present (either auto-generated or caller-specified) are validated against the certificate timestamps to ensure an invalid mdoc isn't produced.
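The scenario and the proposed two-part fix, as an added example that is not code from auth0-lab/mdl and does not use the library's API. It reproduces the midnight truncation on auto-generated timestamps, keeps caller-supplied timestamps untouched, and runs a pre-signing check of the validity timestamps against the signing certificate's window. The names (`ValidityInfo`, `CertValidity`, `buildValidityInfo`, `checkAgainstCertificate`, `toTdate`), the ordering rules enforced by the check, and the dates used are all this example's own assumptions.

```typescript
// Added example, not code from auth0-lab/mdl. Reproduces the truncation
// failure described in the issue and shows the two-part fix proposed there:
// keep caller-supplied timestamps as given, and check whatever timestamps
// end up in ValidityInfo against the signing certificate before signing.
// All names below are hypothetical and are not the library's API.

interface ValidityInfo {
  signed: Date;
  validFrom: Date;
  validUntil: Date;
}

interface CertValidity {
  notBefore: Date;
  notAfter: Date;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Truncate a timestamp to 00:00:00 UTC, the behaviour the issue reports
// for timestamps during encoding.
function truncateToUtcMidnight(d: Date): Date {
  return new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
}

// tdate as carried in CBOR (tag 0): an RFC 3339 string in UTC. Only the
// fractional seconds are dropped; the time of day is kept (assumption of
// this example about the wire format, not a statement about the library).
function toTdate(d: Date): string {
  return d.toISOString().replace(/\.\d{3}Z$/, "Z");
}

// Fix 1: if the caller supplied the timestamps, keep them exactly.
// Otherwise generate them from `now`, truncated to UTC midnight.
function buildValidityInfo(
  supplied: ValidityInfo | undefined,
  now: Date,
  lifetimeDays = 365,
): ValidityInfo {
  if (supplied) {
    return { signed: supplied.signed, validFrom: supplied.validFrom, validUntil: supplied.validUntil };
  }
  const signed = truncateToUtcMidnight(now);
  return { signed, validFrom: signed, validUntil: new Date(signed.getTime() + lifetimeDays * DAY_MS) };
}

// Fix 2: validate the timestamps against the certificate before signing.
// Returns a list of problems; an empty list means the mdoc can be issued.
// Rules assumed by this example: `signed` must fall inside the certificate's
// validity window, and signed <= validFrom < validUntil.
function checkAgainstCertificate(info: ValidityInfo, cert: CertValidity): string[] {
  const problems: string[] = [];
  if (info.signed.getTime() < cert.notBefore.getTime()) {
    problems.push(`signed ${toTdate(info.signed)} is before certificate notBefore ${toTdate(cert.notBefore)}`);
  }
  if (info.signed.getTime() > cert.notAfter.getTime()) {
    problems.push(`signed ${toTdate(info.signed)} is after certificate notAfter ${toTdate(cert.notAfter)}`);
  }
  if (info.validFrom.getTime() < info.signed.getTime()) {
    problems.push(`validFrom ${toTdate(info.validFrom)} is before signed ${toTdate(info.signed)}`);
  }
  if (info.validUntil.getTime() <= info.validFrom.getTime()) {
    problems.push(`validUntil ${toTdate(info.validUntil)} is not after validFrom ${toTdate(info.validFrom)}`);
  }
  return problems;
}

// The scenario from the issue, with constructed dates: certificate valid
// from 09:00 UTC, mdoc produced at 15:00 UTC the same day.
function reproduceIssue() {
  const cert: CertValidity = {
    notBefore: new Date("2024-06-01T09:00:00Z"),
    notAfter: new Date("2025-06-01T09:00:00Z"),
  };
  const now = new Date("2024-06-01T15:00:00Z");

  // Auto-generated path: signed is truncated to midnight and lands before notBefore.
  const autoGenerated = buildValidityInfo(undefined, now);
  // Caller-supplied path: timestamps are kept, and the check passes.
  const callerSupplied = buildValidityInfo(
    { signed: now, validFrom: now, validUntil: new Date("2025-06-01T00:00:00Z") },
    now,
  );
  return {
    autoSigned: toTdate(autoGenerated.signed),
    autoProblems: checkAgainstCertificate(autoGenerated, cert),
    explicitSigned: toTdate(callerSupplied.signed),
    explicitProblems: checkAgainstCertificate(callerSupplied, cert),
  };
}

console.log(JSON.stringify(reproduceIssue(), null, 2));
```

Running it prints one problem for the auto-generated path (`signed 2024-06-01T00:00:00Z is before certificate notBefore 2024-06-01T09:00:00Z`) and none for the caller-supplied path, which is exactly the gap between steps 2 and 3 above: the rejection happens at verification time unless the issuer performs the check before signing.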

siacomuzzi commented 2 days ago

Let me investigate this further, given that we are using an external library for cbor encoding.