pem: error for sections that are too large

[djc]

Fixes #105.

First thought 64 kB might be enough (see also rustls' CERTIFICATE_MAX_SIZE_LIMIT), but I think CRLs might be a good chunk larger for large CAs, so maybe start with 10 MB?

/// A single recognised section in a PEM file.
#[non_exhaustive]
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SectionKind {
    /// A DER-encoded x509 certificate.
    ///
    /// Appears as "CERTIFICATE" in PEM files.
    Certificate,

    /// A DER-encoded Subject Public Key Info; as specified in RFC 7468.
    ///
    /// Appears as "PUBLIC KEY" in PEM files.
    PublicKey,

    /// A DER-encoded plaintext RSA private key; as specified in PKCS #1/RFC 3447
    ///
    /// Appears as "RSA PRIVATE KEY" in PEM files.
    RsaPrivateKey,

    /// A DER-encoded plaintext private key; as specified in PKCS #8/RFC 5958
    ///
    /// Appears as "PRIVATE KEY" in PEM files.
    PrivateKey,

    /// A Sec1-encoded plaintext private key; as specified in RFC 5915
    ///
    /// Appears as "EC PRIVATE KEY" in PEM files.
    EcPrivateKey,

    /// A Certificate Revocation List; as specified in RFC 5280
    ///
    /// Appears as "X509 CRL" in PEM files.
    Crl,

    /// A Certificate Signing Request; as specified in RFC 2986
    ///
    /// Appears as "CERTIFICATE REQUEST" in PEM files.
    Csr,

    /// An EchConfigList structure, as specified in
    /// <https://www.ietf.org/archive/id/draft-farrell-tls-pemesni-05.html>.
    ///
    /// Appears as "ECHCONFIG" in PEM files.
    EchConfigList,
}

[ctz]

Sorry for delay on this one. Here's a list of CRLs for public issuers (top 20, DER-encoded):

12759372	out/371a00dc/DigiCertG5TLSRSA4096SHA3842021CA1-1.crl
10935863	out/9a6ec012/accvca120_der.crl
9141514	out/cb3ccbb7/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
2364354	out/49e7a442/d-trust_ssl_class_3_ca_1_2009.der.crl
2364354	out/49e7a442/d-trust_ssl_class_3_ca_1_2009.crl
731650	out/f1c1b50a/SSL.com-TLS-I-RSA-R1.crl
731650	out/97552015/SSL.com-TLS-I-RSA-R1.crl
731650	out/4200f504/SSL.com-TLS-I-RSA-R1.crl
664167	out/c32ffd9f/SSL.com-TLS-I-ECC-R2.crl
664167	out/945bbc82/SSL.com-TLS-I-ECC-R2.crl
664167	out/55903859/SSL.com-TLS-I-ECC-R2.crl
345026	out/85666a56/SSLcom-SubCA-SSL-RSA-4096-R1.crl
310304	out/d947432a/85QyHZnkuAw.crl
245048	out/e3b6a2db/servicesca.crl
245048	out/d48d3d23/servicesca.crl
205058	out/96bcec06/19.crl
94249	out/7bb647a6/SectigoPublicServerAuthenticationCAEVR36.crl
93350	out/eec5496b/d-trust_ssl_class_3_ca_1_ev_2009.der.crl
93350	out/eec5496b/d-trust_ssl_class_3_ca_1_ev_2009.crl

So a 10MB limit would be inappropriate. I suggest 64MB as a start?

[djc]

Bumped the limit to 64 MB.