I would like to copy all encryption certificates associated with one marker-file onto a set of other files.
Sure, there's the QueryUsersOnEncryptedFile function that returns a PENCRYPTION_CERTIFICATE_HASH_LIST, and there's the AddUsersToEncryptedFile function, that takes a PENCRYPTION_CERTIFICATE_LIST.
So, as far as I understand, to copy the certificates over, these hashes need to be converted back into a list of certificates.
To make this transition, I've been messing around with CertFindCertificateInStore. That worked up to some extent, but not for all certificates, and I don't even know which certificate store(s) I should query... I did try a few: CA, ROOT, MY, SPC, Trust, TrustedPeople, AuthRoot (and even AddressBook, which seems to contain an outdated cache of certificates, as some were already expired), but none of them gave me access to all certificates that I have hashes for.
So, how can I reliably map a certificate hash back to the certificate itself? (Some example code would be nice.)
Thanks in advance!
As a side-note:
I would also like to remove all other certificates from these same target files. For this purpose, there's a function available, called RemoveUsersFromEncryptedFile, which also takes a PENCRYPTION_CERTIFICATE_HASH_LIST.
I imagine this list could be gathered by first calling QueryUsersOnEncryptedFile on each file, and pass the resulting certificate hash list to RemoveUsersFromEncryptedFile (on the same file).
But there's a caveat: I don't want to lose all certificates, or the files won't be accessible to anyone anymore! Can I safely zero out my own (and by extension any other allowed) certificate hash from this intermediate hash list? (Given that there's also a dedicated FreeEncryptionCertificateHashList function.)
I found the answer myself: there's an API called DuplicateEncryptionInfoFile which does exactly what I need. I should have searched a bit further... Thanks for reading though, I hope this question + answer will help someone, someday ;-)
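The answer names the API but shows no call, so here is an added example (not code from the question or the answer above) of driving DuplicateEncryptionInfoFile from PowerShell via P/Invoke to copy the EFS metadata of one marker file onto a set of existing target files. The function name Copy-EfsUsers, the file paths and the pre-check on the marker file's Encrypted attribute are my own additions; it assumes the target files already exist (OPEN_EXISTING) and that the caller has read access to the source and write access to each target.

```powershell
# Added example: copy the EFS user list (the file's encryption metadata) from a
# marker file onto other files with DuplicateEncryptionInfoFile (advapi32.dll).
# Signature per the Win32 API: the function returns a Win32 error code,
# ERROR_SUCCESS (0) on success, and dwCreationDistribution takes the same
# values as CreateFile's dwCreationDisposition.
$signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint DuplicateEncryptionInfoFile(
    string SrcFileName,
    string DstFileName,
    uint dwCreationDistribution,
    uint dwAttributes,
    IntPtr lpSecurityAttributes);
'@
$efs = Add-Type -MemberDefinition $signature -Name 'EfsNative' -Namespace 'Win32' -PassThru

$OPEN_EXISTING         = 3      # destination must already exist
$FILE_ATTRIBUTE_NORMAL = 0x80
$ERROR_SUCCESS         = 0

function Copy-EfsUsers {
    param(
        [Parameter(Mandatory)] [string]   $MarkerFile,   # source of the EFS metadata
        [Parameter(Mandatory)] [string[]] $TargetFiles   # files that should get the same users
    )

    # Refuse to proceed if the marker file is not EFS-encrypted: there would be
    # no certificate list to duplicate (hypothetical guard, added here).
    $markerAttrs = (Get-Item -LiteralPath $MarkerFile).Attributes
    if (($markerAttrs -band [IO.FileAttributes]::Encrypted) -eq 0) {
        throw "Marker file '$MarkerFile' is not EFS-encrypted."
    }

    foreach ($target in $TargetFiles) {
        $rc = $efs::DuplicateEncryptionInfoFile(
            $MarkerFile, $target, $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)

        if ($rc -ne $ERROR_SUCCESS) {
            # Translate the Win32 error code into its message for the operator.
            $msg = (New-Object ComponentModel.Win32Exception([int]$rc)).Message
            Write-Warning "Failed on '$target': error $rc ($msg)"
            continue
        }
        Write-Host "Copied EFS metadata from '$MarkerFile' to '$target'"
    }
}

# Example invocation with placeholder paths (constructed, not from the page):
# Copy-EfsUsers -MarkerFile 'C:\secure\marker.txt' `
#               -TargetFiles 'C:\secure\report.docx', 'C:\secure\budget.xlsx'
```

Because the destination receives the source's metadata in one step, this also covers the side-note in the question: the resulting user list on each target is the marker file's list, so there is no need to build a hash list for RemoveUsersFromEncryptedFile and risk stripping your own certificate. After running it, `cipher /c <target>` lists the users who can decrypt each file, which is a quick way to confirm the copy took effect.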