You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on Xen, and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge runs until the above address no longer contains the 10 bitcoins it started with, or until we lose interest.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. Now, we want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. The address is anything at nqsb dot io.


This is the CA:
