When encrypting a SOAP message using WSE 2.0, the default behavior is to encrypt the body of the SOAP message only. What if you wish to encrypt more of the message? The listing below shows how I went about encrypting the UsernameToken and Signature elements of a message. It should be noted that the solution developed did not route messages through an intermediary so encrypting the signature was not an issue.
//
// Sign the Message using a UsernameToken
//
// Create the UsernameToken we use to sign the message
UsernameToken userToken = new UsernameToken("phil", "notverysecret",
PasswordOption.SendNone);
// Sign the message with the UsernameToken
MessageSignature sig = new MessageSignature(userToken);
requestContext.Security.Elements.Add(sig);
//
// Encrypt elements in the SOAP header using an X509 cert.
//
// First of all create an encrypting token
X509SecurityToken encryptingToken = GetServerToken();
// Encrypt the UsernameToken element in the SOAP header
requestContext.Security.Elements.Add(
new EncryptedData( encryptingToken, "#" + userToken.Id ) );
// The Signature element doesn't have an Id - we need to create one
Guid id = Guid.NewGuid();
// Assign the Id we created to the Signature
sig.Signature.Id = id.ToString();
requestContext.Security.Elements.Add(
new EncryptedData( encryptingToken, "#" + sig.Signature.Id) );
If you are using WSE 3.0 rather than WSE 2.0 things should be easier. I haven't used WSE 3.0 myself as yet, but I understand encrypting the digital signature is now better supported and more straightforward.