[FEATURE] Add new CLI option --crypto-policy

[oberstet]

Feature Description

A user might have a compliance posture which requires to only use NIST/FIPS approved ciphers and cryptographic primitives.

When the new option is set to --crypto-policy=nist-algorithms, crossbar will reject node configurations that effectively use secp256k1 and keccak-256 (Ethereum integration) and fail hard.

See: crossbario/autobahn-python#1846

---

Category	Algorithm	Usage in WAMP	NIST/FIPS Compatible
Elliptic Curves
	secp256r1 (P-256)	Transport Encryption	✅ Yes (SP 800-186)
	curve25519	Session Authentication (WAMP-Cryptosign)	✅ Yes (SP 800-186)
	secp256k1	Data Signatures (Certificates, E2E)	❌ No
Hash Functions
	SHA-256	Session Authentication (WAMP-Cryptosign)	✅ Yes (FIPS 180-4)
	Keccak-256	Data Signatures (Certificates, E2E)	❌ No (differs from SHA3-256)
Signature Schemes
	Ed25519	Session Authentication (WAMP-Cryptosign)	✅ Yes (FIPS 186-5)
	ECDSA	Data Signatures (Ethereum, Certificates, E2E)	⚠️ Depends on curve

Notes on ECDSA:

• ECDSA + secp256r1 (P-256): ✅ FIPS compatible
• ECDSA + secp256k1: ❌ Not FIPS compatible (Ethereum uses this)

---

Summary for --crypto-policy=nist-algorithms mode:

Feature	NIST-Only Mode
TLS transport (secp256r1)	✅ Allowed
WAMP-Cryptosign auth (Ed25519/curve25519/SHA-256)	✅ Allowed
WAMP-Cryptosign certificates with secp256k1	❌ Blocked
WAMP E2E encryption (secp256k1/keccak256)	❌ Blocked
Ethereum integration	❌ Blocked

So core WAMP-Cryptosign authentication is actually NIST-compatible.

It's specifically the WAMP Ethereum-integration features (certificates with secp256k1 signatures, and transactions with keccak256 hashes) that break compliance.

Checklist

• I have searched existing issues to avoid duplicates
• I have described the problem clearly
• I have provided use cases
• I have considered alternatives
• I have assessed impact and breaking changes