Disable HMAC by default
Due to the potential of a key confusion vulnerability in support of HMAC-SHA1,
the HMAC-SHA1 "signing" algorithm has been disabled by default.
Previously, in certain situations it was possible to bypass signing checks
by maliciously changing the algorithm to HMAC-SHA1 and using the
public key as the HMAC secret.
If you need to validate an HMAC signature, you now must first call
SignedXml.enableHMAC().
All users are encouraged to upgrade.
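
A simplified model of the key confusion described in the message above, added here as an illustration and not the library's own code. `Verifier`, `ALGORITHMS` and `hmacEnabledByDefault` are hypothetical names, `rsa-sha256` stands in for the asymmetric algorithm, and the key pair and messages are constructed.

```javascript
const crypto = require('node:crypto');
// Constructed key pair standing in for the signer's key; the verifier is
// configured with only the public half, as PEM text.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Hypothetical algorithm table: each entry checks (data, key, signature).
const ALGORITHMS = {
  'rsa-sha256': (data, key, sig) => crypto.verify('sha256', data, key, sig),
  'hmac-sha1': (data, key, sig) => {
    const tag = crypto.createHmac('sha1', key).update(data).digest();
    return tag.length === sig.length && crypto.timingSafeEqual(tag, sig);
  },
};

// Verifier model. The algorithm name comes from the signed message itself,
// so the only defence is which names the verifier is willing to accept.
class Verifier {
  constructor(key, { hmacEnabledByDefault = false } = {}) {
    this.key = key;
    this.allowed = new Set(['rsa-sha256']);
    if (hmacEnabledByDefault) this.allowed.add('hmac-sha1'); // old behaviour
  }
  enableHMAC() { this.allowed.add('hmac-sha1'); } // explicit opt-in
  check({ algorithm, data, signature }) {
    if (!this.allowed.has(algorithm)) return false; // refuse before touching the key
    return ALGORITHMS[algorithm](Buffer.from(data), this.key, signature);
  }
}

// Constructed messages: one signed with the private key, one whose algorithm
// field says HMAC and whose tag is keyed with the public PEM text.
const data = '<order id="1"/>';
const genuine = { algorithm: 'rsa-sha256', data,
  signature: crypto.sign('sha256', Buffer.from(data), privateKey) };
const otherData = '<order id="2"/>';
const confused = { algorithm: 'hmac-sha1', data: otherData,
  signature: crypto.createHmac('sha1', publicKey).update(otherData).digest() };

function results() {
  const legacy = new Verifier(publicKey, { hmacEnabledByDefault: true });
  const current = new Verifier(publicKey); // HMAC off unless enableHMAC() is called
  return { legacyGenuine: legacy.check(genuine), legacyConfused: legacy.check(confused),
    currentGenuine: current.check(genuine), currentConfused: current.check(confused) };
}
console.log(results());
```

Calling `enableHMAC()` on a verifier that holds a public key brings the confusion back, so the opt-in belongs only where the configured key is a shared secret.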