TEK Exports should not contain any keys which recently expired

[christian-kirschnick]

Currently the system also packages keys, which expired recently. Instead, only keys which have been expired since at least 2 hours should be part of the export.

Can also be a nice prework for #108.

Probably should change this already when the diagnosis keys are queried for distribution:
https://github.com/corona-warn-app/cwa-server/blob/master/common/persistence/src/main/java/app/coronawarn/server/common/persistence/service/DiagnosisKeyService.java#L64

[pithumke]

Apple spec states:

[Your EN Server...] must not distribute temporary exposure key data until at least 2 hours after the end of the keyʼs expiration window

I think this is a subtle but important difference to just excluding (+2h) by submission timestamp. As far as I know, the TEK API on-device does not give out "still active" keys to the app. This just leaves a 2 hour window that depends on the rolling start interval number and the rolling period, but not on the submission timestamp.

[christian-kirschnick]

You are right Pit - I just talked to DPP to clarify whether this is OK for them, and it is.

I'll update the description of the issue accordingly.