RFC 5280 section 4.1.2.5 (and the BRs by reference) defines the Validity Period as the period of time from notBefore through notAfter, inclusive. This means that a certificate whose notBefore and notAfter field values are the same has a validity period of 1 second. Expanding from this base case, this means that certificates with a notAfter of exactly 398 days (34,387,200 seconds) greater than the notBefore value are actually valid for 34,387,201 seconds and thus are valid for 399 days per the rounding rules found in section 6.3.2 of the BRs.
It appears that the e_tls_server_cert_valid_time_longer_than_398_days lint does a simple time difference between the notBefore and notAfter and does not add 1 second to this interval to determine the certificate's Validity Period. To accurately detect certificates that do not comply with the validity period restrictions in the BRs, this additional second needs to be added to the interval and used for comparison.
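The off-by-one described in this issue, shown as an added Go example; it is not zlint's code and not part of the original report. All function and constant names are hypothetical, the sample certificates are constructed in memory, and the day count rounds any partial day up, matching the 34,387,201 seconds to 399 days reading given above.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

const (
	secondsPerDay = 86400 // a day as used in the report: 398 days = 34,387,200 s
	maxDays       = 398
)

// naiveSeconds is the plain difference notAfter - notBefore.
func naiveSeconds(c *x509.Certificate) int64 {
	return int64(c.NotAfter.Sub(c.NotBefore) / time.Second)
}

// inclusiveSeconds counts both endpoints, per RFC 5280 section 4.1.2.5.
// X.509 time fields carry whole seconds, so integer arithmetic is exact.
func inclusiveSeconds(c *x509.Certificate) int64 {
	return naiveSeconds(c) + 1
}

// validityDays rounds any started day up to a full day.
func validityDays(seconds int64) int64 {
	return (seconds + secondsPerDay - 1) / secondsPerDay
}

// exceeds398Days applies the limit to the inclusive validity period.
func exceeds398Days(c *x509.Certificate) bool {
	return validityDays(inclusiveSeconds(c)) > maxDays
}

// sampleCert builds a constructed certificate with only the validity fields set.
func sampleCert(notBefore time.Time, span time.Duration) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notBefore.Add(span)}
}

func main() {
	nb := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample date
	spans := []time.Duration{0, 398*24*time.Hour - time.Second, 398 * 24 * time.Hour}
	for _, span := range spans {
		c := sampleCert(nb, span)
		fmt.Printf("notAfter-notBefore=%ds naive=%dd inclusive=%dd exceeds=%v\n",
			naiveSeconds(c), validityDays(naiveSeconds(c)),
			validityDays(inclusiveSeconds(c)), exceeds398Days(c))
	}
}
```

The last sample is the boundary case from the report: the naive difference yields 398 days, while the inclusive period yields 399.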