Generate valid time values in ca program

[kroeckx]

I just found 2 bugs reports that point out that the openssl ca app just puts -startdate and -enddate into the certificate as it was specified on the command line even when it was invalid. We should either reject them or normalize them.

Bugs:
https://gitlab.com/gnutls/gnutls/issues/196
https://bugs.debian.org/862335

[rockdaboot]

From the Debian bug report:

Just for the record, the latest openssl (1.1.1-dev from Github) accepts
this (seen from the code):

[SS] is optional, <+|-> = either + or - must be present

1. YYMMDDHHMM[SS]Z YYMMDDHHMM[SS]<+|->hhmm
   If valid, these date strings are written to ASN.1 into an UTCTime field.

2. YYYYMMDDHHMM[SS]Z or YYYYMMDDHHMMSS<+|->hhmm
   If valid, these date strings are written to ASN.1 into a GeneralizedTime
   field.

Regarding RFC5280 in both cases (UTCTime and GeneralizedTime) the
seconds (SS) and Z (Zulu) timezone is a MUST.

See RFC5280 '4.1.2.5.1. UTCTime' and '4.1.2.5.2. GeneralizedTime'.

OpenSSL relies on their ASN.1 code to check for validity, which is
simply not strict enough. Other implementors do a strict check and thus
might reject certificates generated by openssl.

[InfoHunter]

Hi guys, I have made a fix for this issue. For UTC time, the format of time string is limited to 'YYMMDDHHMMSSZ', and for GeneralizedTime is 'YYYYMMDDHHMMSSZ', without +/- and fractional seconds support.