
[Feature request] Implement equivalent of certreq -sign for CSRs in native code

Open jalliot opened this issue 6 years ago • 0 comments

certreq -sign allows signing CSRs with personal certificates, which makes it possible to use the "This number of authorized signatures" feature from the "Issuance requirements" tab of certificate templates. It is also used for enrolment agents to sign on behalf of someone else, I believe (I never used that feature though).

Having this in native code would be really helpful, especially because currently there are some things that can only be done with this command. SignedCms never worked for me, but I managed to use the X509Enrollment COM classes to sign a PKCS#10, never a PKCS#7 or CMC directly.

Note that this should work with any kind of CSP/KSP. In my environment, for instance, I am using a signing certificate stored on a smart card and a third-party KSP (which is why SignedCms did not work, if I recall correctly...).

    # Inputs this snippet expects to be defined by the caller: $Path (the request file),
    # $outFile (where the signed request is written) and $cert (an X509Certificate2 for
    # the signing certificate; only its thumbprint is used).
    $csr = Get-CertificateRequest -Path $Path
    if ($csr.RequestType -eq [System.Security.Cryptography.X509CertificateRequests.X509CertificateRequestType]::PKCS10) {
        # Load the PKCS#10 into CertEnroll; 0x1 = XCN_CRYPT_STRING_BASE64
        $pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
        $pkcs10.InitializeDecode([Convert]::ToBase64String($csr.RawData), 0x1)
        # Wrap it in a PKCS#7 request that will carry the signature
        $pkcs7 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs7
        $pkcs7.InitializeFromInnerRequest($pkcs10)
        # Signer certificate: user context (MachineContext = 0), no verification
        # (VerifyNone = 0), thumbprint given as raw hex (0xC = XCN_CRYPT_STRING_HEXRAW)
        $signer = New-Object -ComObject X509Enrollment.CSignerCertificate
        $signer.Initialize(0, 0, 0xC, $cert.Thumbprint)
        $pkcs7.SignerCertificate = $signer
        # Encode() performs the actual signing through the signer's CSP/KSP
        $pkcs7.Encode()
        # 0x0 = XCN_CRYPT_STRING_BASE64HEADER: base64 with BEGIN/END lines
        $pkcs7.RawData(0x0) | Out-File -FilePath $outFile -Force
        [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs7)
        [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs10)
        [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($signer)
    } else {
        # PKCS#7 or CMC input: fall back to certreq, which this request is about
        certreq.exe -sign -cert $cert.Thumbprint $Path $outFile
    }

jalliot, Feb 05 '18 16:02
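As an added check (not part of the issue or of the pkix.net code), the signed output from the snippet above, or from certreq -sign, can be decoded with the same CertEnroll classes to confirm that it really is a PKCS#7 wrapping a PKCS#10 and that the expected certificate signed it before it is submitted to the CA. The function name, the -ExpectedThumbprint parameter and the numeric XCN_* values spelled out in the comments are this example's assumptions.

```powershell
# Added example: verify a signed request file produced by the snippet above.
# Assumes CertEnroll enumeration values: XCN_CRYPT_STRING_BASE64_ANY = 0x6,
# XCN_CRYPT_STRING_BASE64 = 0x1, X509RequestType Pkcs10 = 1, Pkcs7 = 2,
# InnerRequestLevel LevelInnermost = 0.
function Test-SignedRequest {
    param(
        [Parameter(Mandatory)][string]$SignedPath,
        [string]$ExpectedThumbprint   # optional: thumbprint the outer signer must have
    )

    $raw   = Get-Content -Path $SignedPath -Raw
    $pkcs7 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs7
    try {
        # BASE64_ANY accepts the file with or without the BEGIN/END header lines
        $pkcs7.InitializeDecode($raw, 0x6)

        if ($pkcs7.Type -ne 2) {
            throw "Not a PKCS#7 request (Type = $($pkcs7.Type))"
        }

        # ISignerCertificate::Certificate(Encoding) returns the outer signer as base64
        $signerB64  = $pkcs7.SignerCertificate.Certificate(0x1)
        $signerCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($signerB64))

        if ($ExpectedThumbprint -and
            $signerCert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
            throw "Unexpected signer $($signerCert.Thumbprint); wanted $ExpectedThumbprint"
        }

        # LevelInnermost (0) reaches the wrapped PKCS#10 whatever the nesting depth
        $inner = $pkcs7.GetInnerRequest(0)

        [pscustomobject]@{
            SignerThumbprint = $signerCert.Thumbprint
            SignerSubject    = $signerCert.Subject
            SignerValidTo    = $signerCert.NotAfter
            InnerRequestType = $inner.Type          # 1 = Pkcs10 is what we expect
            InnerIsPkcs10    = ($inner.Type -eq 1)
        }
    } finally {
        [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs7)
    }
}

# Usage (constructed paths): compare the signed file against the intended signer
# Test-SignedRequest -SignedPath C:\temp\signed.req -ExpectedThumbprint $cert.Thumbprint
```

Run it against the output of both the COM path and the certreq.exe fallback; if the two disagree on InnerRequestType or SignerThumbprint for the same input, the native path is not yet a drop-in replacement.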