You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on Xen, and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge runs until the above address no longer contains the 10 bitcoins it started with, or until we lose interest.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31C3 talk about it. Now, we want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. Address is anything at nqsb dot io.


This is the CA:
