make the iteration count for PBKDF2 configurable per-device

desktop/src/main/java/im/status/keycard/desktop/LedgerUSBChannel.java

@@ -161,4 +161,9 @@ public class LedgerUSBChannel implements CardChannel {
   public boolean isConnected() {
     return hidDevice.isOpen();
   }
+
+  @Override
+  public int pairingPasswordPBKDF2IterationCount() {
+    return 50000;
+  }
 }

lib/src/main/java/im/status/keycard/applet/KeycardCommandSet.java

@@ -181,7 +181,7 @@ public class KeycardCommandSet {
 
     try {
       SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256", "BC");
-      PBEKeySpec spec = new PBEKeySpec(pairingPassword.toCharArray(), "Keycard Pairing Password Salt".getBytes(), 50000, 32 * 8);
+      PBEKeySpec spec = new PBEKeySpec(pairingPassword.toCharArray(), "Keycard Pairing Password Salt".getBytes(), apduChannel.pairingPasswordPBKDF2IterationCount(), 32 * 8);
       key = skf.generateSecret(spec);
     } catch (Exception e) {
       throw new RuntimeException("Is Bouncycastle correctly initialized?");

lib/src/main/java/im/status/keycard/io/CardChannel.java

@@ -20,4 +20,16 @@ public interface CardChannel {
    * @return true if connected, false otherwise
    */
   boolean isConnected();
+
+  /**
+   * Returns the iteration count for deriving the pairing key from the pairing password. The default is 50000 and is
+   * should only be changed for devices where the PBKDF2 is calculated on-board and the resource do not permit a
+   * high iteration count. If a lower count is used other security mechanism should be used to prevent brute force
+   * attacks.
+   *
+   * @return the iteration count
+   */
+  default int pairingPasswordPBKDF2IterationCount() {
+    return 50000;
+  }
 }