Add encrypt-then-MAC using HMAC and the same encryption key

[fdemmer]

Maybe a step towards key rotation (#22) is detecting valid key before decrypting.

In any case, i was annoyed by the cryptic (little pun intended :)) DjangoUnicodeDecodeError that resulted from having the wrong key and was looking to actually detect valid credentials before attempting to decrypt. So i added a HMAC (default, md5) signature between $AES$ and the cyphertext. Now invalid key raises a SignatureException.

This still works with unsigned database values, as it simply checks for the number of items when splitting the value at the $. I also ripped out the encryption stuff into its own class, which has a sign attribute to get back the old behavior (incl the DjangoUnicodeDecodeError).

[mlavin]

django.utils.crypto has a constant_time_compare for this same backport.

[mlavin]

I like the direction of this change though it has some issues on Python 3. I think #22 will most likely be address (if I can ever find the time) by moving to https://github.com/orcasgit/django-fernet-fields which uses the MultiFernet to handle the rotation. This is a nice intermediate step.

[codecov-io]

Current coverage is 92.21%

Merging #69 into master will decrease coverage by -1.33% as of d6906c7

@@            master     #69   diff @@
======================================
  Files           11      11       
  Stmts          403     437    +34
  Branches        32      35     +3
  Methods          0       0       
======================================
+ Hit            377     403    +26
- Partial         10      13     +3
- Missed          16      21     +5

Review entire Coverage Diff as of d6906c7

Powered by Codecov. Updated on successful CI builds.

[mlavin]

Sorry it took me awhile to get back to this. Thank you for contributing! ❤️

[fdemmer]

@mlavin thanks for merging. do you have a new release planned with this in current master?

[mlavin]

I pushed out a release today. Thank you again for this contribution and your patience!