I would like to copy all encryption certificates associated with one marker-file onto a set of other files.
Sure, there's the QueryUsersOnEncryptedFile function that returns a PENCRYPTION_CERTIFICATE_HASH_LIST, and there's the AddUsersToEncryptedFile function, which takes a PENCRYPTION_CERTIFICATE_LIST.
So, as far as I understand, to copy the certificates over, these hashes need to be converted back into a list of certificates.
To make this transition, I've been messing around with CertFindCertificateInStore. That worked up to some extent, but not for all certificates; I don't even know which certificate store(s) I should query... I did try a few: CA, ROOT, MY, SPC, Trust, TrustedPeople, AuthRoot (and even AddressBook, which seems to contain an outdated cache of certificates, as some were already expired), but none of them gave me access to all certificates that I have hashes for.
So, how can I reliably map a certificate hash back to the certificate itself? (Some example code would be nice.)
Thanks in advance!
As a side-note:
I would also like to remove all other certificates from these same target files. For this purpose, there's a function available, called RemoveUsersFromEncryptedFile, which also takes a PENCRYPTION_CERTIFICATE_HASH_LIST.
I imagine this list could be gathered by first calling QueryUsersOnEncryptedFile on each file, and passing the resulting certificate hash list to RemoveUsersFromEncryptedFile (on the same file).
But there's a caveat: I don't want to lose all certificates, or the files won't be accessible to anyone anymore! Can I safely zero out my own (and by extension any other allowed) certificate hash from this intermediate hash list? (Given that there's also a dedicated FreeEncryptionCertificateHashList function.)
I found the answer myself: there's an API called DuplicateEncryptionInfoFile which does exactly what I need. I should have searched a bit further... Thanks for reading though, I hope this question + answer will help someone, someday ;-)
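As an added illustration of the answer above (this is not code from the original post), the following PowerShell script P/Invokes DuplicateEncryptionInfoFile from advapi32.dll to copy the EFS metadata of one marker file onto a set of target files, checking first that the source is actually encrypted and decoding the returned Win32 error code. The file paths, the Copy-EfsUsers function name and the use of CREATE_ALWAYS to apply the source's metadata to an already existing destination are assumptions of this example, not details stated in the question; it only runs on Windows, under an account that holds a key for the marker file.

```powershell
# Added example (not from the original post): copy the EFS metadata (the set of
# user and recovery certificates allowed to decrypt) from one encrypted marker
# file onto a set of target files using DuplicateEncryptionInfoFile (advapi32).
# Assumptions: the source file is already EFS-encrypted, the caller can decrypt
# it, the targets live on an NTFS volume, and CREATE_ALWAYS replaces an existing
# destination's EFS metadata. Paths used at the bottom are placeholders.

Add-Type -Namespace Efs -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern uint DuplicateEncryptionInfoFile(
    string srcFileName,
    string dstFileName,
    uint   dwCreationDistribution,
    uint   dwAttributes,
    IntPtr lpSecurityAttributes);
'@

$CREATE_NEW            = 1     # fail if the destination already exists
$CREATE_ALWAYS         = 2     # overwrite an existing destination (assumed here)
$FILE_ATTRIBUTE_NORMAL = 0x80  # attributes for the destination file

function Copy-EfsUsers {
    param(
        [Parameter(Mandatory)] [string]   $SourceFile,
        [Parameter(Mandatory)] [string[]] $TargetFiles
    )

    # Pre-check: the source must carry EFS metadata or the call cannot succeed.
    $attrs = [IO.File]::GetAttributes($SourceFile)
    if (-not $attrs.HasFlag([IO.FileAttributes]::Encrypted)) {
        throw "Source file is not EFS-encrypted: $SourceFile"
    }

    foreach ($target in $TargetFiles) {
        $rc = [Efs.Native]::DuplicateEncryptionInfoFile(
            $SourceFile, $target, $CREATE_ALWAYS, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)

        # The function returns a Win32 error code directly (ERROR_SUCCESS == 0),
        # so decode that value instead of consulting GetLastError.
        $message = 'OK'
        if ($rc -ne 0) {
            $message = (New-Object ComponentModel.Win32Exception([int]$rc)).Message
        }

        [pscustomobject]@{
            Target  = $target
            Success = ($rc -eq 0)
            Code    = $rc
            Message = $message
        }
    }
}

# Usage (placeholder paths): marker.txt holds the desired certificate set;
# every target file receives the same set of allowed users.
Copy-EfsUsers -SourceFile 'C:\secret\marker.txt' `
              -TargetFiles 'C:\secret\a.docx', 'C:\secret\b.xlsx' |
    Format-Table -AutoSize
```

Only the EFS metadata is copied, not the file contents, so the targets keep their own data. Because the hash-to-certificate mapping never leaves the kernel's EFS driver, there is no need to search certificate stores for each hash. If, as assumed here, the destination's metadata is replaced wholesale rather than merged, each target ends up with exactly the marker file's certificate set, which also covers the side-note's goal of dropping every other certificate without risking an empty (and therefore unreadable) certificate list.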