I had a working WS-Policy which was encrypting the SOAP body with a UsernameToken using Basic128 encryption, then I modified the policy to use Basic256 encryption instead. I got the following stack trace cause:
Caused by: org.apache.cxf.ws.policy.PolicyException: Cannot encrypt data
Since the exception was short on detail, I went to the source code and found that AbstractBindingBuilder.java:294 was simply throwing away the rest of the Exception object. There's already a method that takes the exception too, so I changed that line to call it and now get the following MUCH more useful error message at the end of the stack trace:
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Invalid AES key length: 20 bytes
Original Exception was java.security.InvalidKeyException: Invalid AES key length: 20 bytes
I chose priority Major because without this, users will report the error "cannot encrypt data", which will give developers very little to go on. The only way to find the real problem is to attach a debugger, which is not an option for everybody.
I'll attach a patch to this issue to resolve this.
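
The difference between dropping and keeping the cause, as an added example that is not part of the original report or the CXF code base. `DemoPolicyException`, the class name and the method names are hypothetical stand-ins, and the 20-byte key is constructed to trigger the same JCE error.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class CauseChainDemo {
    // Hypothetical stand-in for a policy-layer exception; not the CXF class.
    static class DemoPolicyException extends RuntimeException {
        DemoPolicyException(String msg) { super(msg); }
        DemoPolicyException(String msg, Throwable cause) { super(msg, cause); }
    }

    // AES accepts 16, 24 or 32 byte keys, so a 20-byte key is rejected at init.
    static void encrypt(byte[] keyBytes) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
    }

    // Pattern described in the report: the underlying exception is discarded.
    static void encryptDroppingCause(byte[] key) {
        try {
            encrypt(key);
        } catch (GeneralSecurityException e) {
            throw new DemoPolicyException("Cannot encrypt data");
        }
    }

    // Same wrapper, but the original exception travels along as the cause.
    static void encryptKeepingCause(byte[] key) {
        try {
            encrypt(key);
        } catch (GeneralSecurityException e) {
            throw new DemoPolicyException("Cannot encrypt data", e);
        }
    }

    // Walks the cause chain so a log line shows the root problem.
    static String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (sb.length() > 0) sb.append("\n  caused by: ");
            sb.append(c.getClass().getName()).append(": ").append(c.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] key = new byte[20]; // constructed sample key of invalid length
        try { encryptDroppingCause(key); } catch (DemoPolicyException e) { System.out.println(describe(e)); }
        try { encryptKeepingCause(key); } catch (DemoPolicyException e) { System.out.println(describe(e)); }
    }
}
```

Only the second call reports the `java.security.InvalidKeyException` and the key length; the message carries the length alone, not the key bytes.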