From b249bd75e65514e91a381d2dc12590ed8488e5bb Mon Sep 17 00:00:00 2001
From: Michele Balistreri
Date: Wed, 20 Mar 2019 13:18:24 +0300
Subject: [PATCH] make the iteration count for PBKDF2 configurable per-device
---
 .../im/status/keycard/desktop/LedgerUSBChannel.java | 5 +++++
 .../im/status/keycard/applet/KeycardCommandSet.java | 2 +-
 .../main/java/im/status/keycard/io/CardChannel.java | 12 ++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/desktop/src/main/java/im/status/keycard/desktop/LedgerUSBChannel.java b/desktop/src/main/java/im/status/keycard/desktop/LedgerUSBChannel.java
index 8c837e1..4133e86 100644
--- a/desktop/src/main/java/im/status/keycard/desktop/LedgerUSBChannel.java
+++ b/desktop/src/main/java/im/status/keycard/desktop/LedgerUSBChannel.java
@@ -161,4 +161,9 @@ public class LedgerUSBChannel implements CardChannel {
 public boolean isConnected() {
 return hidDevice.isOpen();
 }
+
+ @Override
+ public int pairingPasswordPBKDF2IterationCount() {
+ return 50000;
+ }
 }
diff --git a/lib/src/main/java/im/status/keycard/applet/KeycardCommandSet.java b/lib/src/main/java/im/status/keycard/applet/KeycardCommandSet.java
index 3333bf7..04e74b0 100644
--- a/lib/src/main/java/im/status/keycard/applet/KeycardCommandSet.java
+++ b/lib/src/main/java/im/status/keycard/applet/KeycardCommandSet.java
@@ -181,7 +181,7 @@ public class KeycardCommandSet {
 try {
 SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256", "BC");
- PBEKeySpec spec = new PBEKeySpec(pairingPassword.toCharArray(), "Keycard Pairing Password Salt".getBytes(), 50000, 32 * 8);
+ PBEKeySpec spec = new PBEKeySpec(pairingPassword.toCharArray(), "Keycard Pairing Password Salt".getBytes(), apduChannel.pairingPasswordPBKDF2IterationCount(), 32 * 8);
 key = skf.generateSecret(spec);
 } catch (Exception e) {
 throw new RuntimeException("Is Bouncycastle correctly initialized?");
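Review bot: The new override in LedgerUSBChannel returns the literal `50000`, which is exactly what the interface default added to CardChannel in this commit already returns, so the value is now written in two code locations and can drift apart if the default is raised later. If this channel is meant to follow the library default, the override can be dropped; if it is pinned deliberately, say so on the method, e.g. `// Pinned to the library default on purpose: <reason>`. The class body begins outside the hunk.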
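Review bot: The value returned by `apduChannel.pairingPasswordPBKDF2IterationCount()` goes into `PBEKeySpec` unchecked on the changed line, so a channel that returns zero or a negative number makes the constructor throw IllegalArgumentException, which the surrounding `catch (Exception e)` then reports as "Is Bouncycastle correctly initialized?" with the cause dropped. Read and validate the count before the `try`: `int iterations = apduChannel.pairingPasswordPBKDF2IterationCount();` followed by `if (iterations <= 0) throw new IllegalArgumentException("PBKDF2 iteration count must be positive: " + iterations);`. Because the salt on this line is a fixed string, the iteration count is the main work factor protecting the pairing password against offline guessing, so a documented lower bound is worth enforcing at this point as well. The enclosing method starts and ends outside the hunk.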
diff --git a/lib/src/main/java/im/status/keycard/io/CardChannel.java b/lib/src/main/java/im/status/keycard/io/CardChannel.java
index 8f65d9b..20bb7bb 100644
--- a/lib/src/main/java/im/status/keycard/io/CardChannel.java
+++ b/lib/src/main/java/im/status/keycard/io/CardChannel.java
@@ -20,4 +20,16 @@ public interface CardChannel {
 * @return true if connected, false otherwise
 */
 boolean isConnected();
+
+ /**
+ * Returns the iteration count for deriving the pairing key from the pairing password. The default is 50000 and is
+ * should only be changed for devices where the PBKDF2 is calculated on-board and the resource do not permit a
+ * high iteration count. If a lower count is used other security mechanism should be used to prevent brute force
+ * attacks.
+ *
+ * @return the iteration count
+ */
+ default int pairingPasswordPBKDF2IterationCount() {
+ return 50000;
+ }
 }
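Review bot: The Javadoc for pairingPasswordPBKDF2IterationCount() leaves out the contract an implementer needs: the value is passed straight to PBEKeySpec in KeycardCommandSet, so it must be positive, and nothing states a minimum below which a channel must not go. I would extend the tag to `@return the iteration count; must be greater than zero` and name which "other security mechanism" is expected when a lower count is returned, since that sentence is the only guidance against weakening the derived pairing key. The opening text also needs a wording fix: `The default is 50000 and should only be changed for devices where PBKDF2 is calculated on-board and the resources do not permit a high iteration count.`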