Decrypting a stash (.sth) file

HCL Domino stores its certificates in a .kyr file. IBM WebSphere stores its certificates in a Java Keystore (.jks). Both formats let you save the keystore password in a stash file with the extension .sth, so that most operations can be performed without typing a password. For example, you can list the certificates in a .kyr file with

kyrtool.exe show certs -k martdj.nl.kyr

No password needed. But what if you want to extract the certificates, including the private key, from the store, for example to convert them to .pem format? I had this case recently, as a colleague had given me the company wildcard certificate in .kyr and .jks format, but for nginx I needed the .pem format and he was not available. It turns out that the stash file does not really encrypt the password: every byte of the file is XORed with the fixed value 0xf5, and the password ends at the first NUL byte. So anyone who can read the .sth file can read the password, and the script below does exactly that.

#!/usr/bin/perl
use strict;
use warnings;

# Usage: decrypt-stash.pl <stash file>
die "Usage: $0 <stash file>\n" if $#ARGV != 0;
my $file = $ARGV[0];

open(my $fh, '<', $file) || die "Can't open $file: $!";
binmode($fh);                 # the stash is binary; avoid newline translation
my $stash;
read $fh, $stash, 1024;       # the password sits at the start of the file
close($fh);

# Every byte is XORed with the fixed key 0xf5; the password ends at the first NUL.
my @unstash = map { $_ ^ 0xf5 } unpack("C*", $stash);
foreach my $c (@unstash) {
    last if $c == 0;
    printf "%c", $c;
}
printf "\n";

Save it as, for example, decrypt-stash.pl, make it executable (chmod +x decrypt-stash.pl) and run it on an OS with Perl installed: ./decrypt-stash.pl <your .sth-file>. Any Domino server will have Perl, since the Domino installer itself requires it.
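The same recovery in Python, as an added example that is not the post's Perl script. It implements the transformation described above (XOR every byte with 0xf5, stop at the first NUL) and, so that it runs offline, also contains the inverse transform to construct a sample stash from a made-up password. That inverse, and the assumption that a real stash file is simply the XORed password followed by XORed NUL padding, are mine; the post only shows the decoding direction.

```python
#!/usr/bin/env python3
"""Recover the password stored in an IBM/HCL .sth stash file.

Added example, not the original post's code. The stash format is the one the
post describes: each byte XORed with 0xF5, password terminated by a NUL.
"""
import sys

STASH_XOR_KEY = 0xF5
STASH_READ_LEN = 1024  # the Perl script reads at most 1024 bytes; same here


def decode_stash(data: bytes) -> str:
    """XOR each byte with 0xF5 and stop at the first NUL (0x00 after XOR)."""
    out = bytearray()
    for b in data[:STASH_READ_LEN]:
        c = b ^ STASH_XOR_KEY
        if c == 0:
            break
        out.append(c)
    return out.decode("latin-1")


def encode_stash(password: str, length: int = STASH_READ_LEN) -> bytes:
    """Inverse transform, used here only to build sample input.

    Assumption: a real stash file is the XORed password, a NUL terminator and
    NUL padding, all XORed with 0xF5. The exact padding that kyrtool/ikeyman
    write is not verified here; decode_stash does not depend on it.
    """
    raw = (password.encode("latin-1") + b"\x00").ljust(length, b"\x00")
    return bytes(b ^ STASH_XOR_KEY for b in raw)


def read_stash_file(path: str) -> str:
    """Open the stash in binary mode and return the recovered password."""
    with open(path, "rb") as f:
        return decode_stash(f.read(STASH_READ_LEN))


# Constructed sample input: a made-up password, stashed with encode_stash().
SAMPLE_PASSWORD = "Wildc4rd!2024"
SAMPLE_STASH = encode_stash(SAMPLE_PASSWORD)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(read_stash_file(sys.argv[1]))  # real .sth file given on the CLI
    else:
        print(decode_stash(SAMPLE_STASH))   # prints the constructed sample password
```

Because the only secret is a fixed single-byte key, treat the .sth file exactly like the password itself: keep it readable only by the Domino or WebSphere service account, and do not copy it around with the keystore. Once you have the password, the .jks can be converted for nginx the usual way (keytool -importkeystore to a PKCS12 file, then openssl pkcs12 -nodes to get the PEM-encoded key and certificates).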

With the password I could easily convert the certificates in my java keystore to .pem format.

Thanks to GEEKFLARE for the code!