Ensure CBS is empty after importing keys

[jonasfj]

Whenever we create a CBS object, it's usually because we're feeding some data into BoringCrypto. If all the data is not read, this usually indicates invalid data. If importing a key doesn't consume all the bytes supplied in the key, we should probably reject it.

This needs test cases to ensure compatibility with web implementations.

Look code referencingScope.createCBS those places probably have to check that CBS is empty after it's been processed.

This requires testing of invalid key bytes, so probably blocked by #55