Private transactions integration pr (#6422)

* Private transaction message added * Empty line removed * Private transactions logic removed from client into the separate module * Fixed compilation after merge with head * Signed private transaction message added as well * Comments after the review fixed * Private tx execution * Test update * Renamed some methods * Fixed some tests * Reverted submodules * Fixed build * Private transaction message added * Empty line removed * Private transactions logic removed from client into the separate module * Fixed compilation after merge with head * Signed private transaction message added as well * Comments after the review fixed * Encrypted private transaction message and signed reply added * Private tx execution * Test update * Main scenario completed * Merged with the latest head * Private transactions API * Comments after review fixed * Parameters for private transactions added to parity arguments * New files added * New API methods added * Do not process packets from unconfirmed peers * Merge with ptm_ss branch * Encryption and permissioning with key server added * Fixed compilation after merge * Version of Parity protocol incremented in order to support private transactions * Doc strings for constants added * Proper format for doc string added * fixed some encryptor.rs grumbles * Private transactions functionality moved to the separate crate * Refactoring in order to remove late initialisation * Tests fixed after moving to the separate crate * Fetch method removed * Sync test helpers refactored * Interaction with encryptor refactored * Contract address retrieving via substate removed * Sensible gas limit for private transactions implemented * New private contract with nonces added * Parsing of the response from key server fixed * Build fixed after the merge, native contracts removed * Crate renamed * Tests moved to the separate directory * Handling of errors reworked in order to use error chain * Encodable macro added, new constructor replaced with default * Native ethabi usage removed * Couple conversions optimized * Interactions with client reworked * Errors omitting removed * Fix after merge * Fix after the merge * private transactions improvements in progress * private_transactions -> ethcore/private-tx * making private transactions more idiomatic * private-tx encryptor uses shared FetchClient and is more idiomatic * removed redundant tests, moved integration tests to tests/ dir * fixed failing service test * reenable add_notify on private tx provider * removed private_tx tests from sync module * removed commented out code * Use plain password instead of unlocking account manager * remove dead code * Link to the contract changed * Transaction signature chain replay protection module created * Redundant type conversion removed * Contract address returned by private provider * Test fixed * Addressing grumbles in PrivateTransactions (#8249) * Tiny fixes part 1. * A bunch of additional comments and todos. * Fix ethsync tests. * resolved merge conflicts * final private tx pr (#8318) * added cli option that enables private transactions * fixed failing test * fixed failing test * fixed failing test * fixed failing test
2018-04-09 16:14:33 +02:00
parent c039ab79b5
commit e6f75bccfe
90 changed files with 2745 additions and 192 deletions
--- a/parity/blockchain.rs
+++ b/parity/blockchain.rs
@@ -25,6 +25,7 @@ use hash::{keccak, KECCAK_NULL_RLP};
 use ethereum_types::{U256, H256, Address};
 use bytes::ToPretty;
 use rlp::PayloadInfo;
+use ethcore::account_provider::AccountProvider;
 use ethcore::client::{Mode, DatabaseCompactionProfile, VMType, BlockImportError, Nonce, Balance, BlockChainClient, BlockId, BlockInfo, ImportBlock};
 use ethcore::db::NUM_COLUMNS;
 use ethcore::error::ImportError;
@@ -39,6 +40,7 @@ use helpers::{to_client_config, execute_upgrades, open_client_db, client_db_conf
 use dir::Directories;
 use user_defaults::UserDefaults;
 use fdlimit;
+use ethcore_private_tx;

 #[derive(Debug, PartialEq)]
 pub enum DataFormat {
@@ -389,6 +391,9 @@ fn execute_import(cmd: ImportBlockchain) -> Result<(), String> {
 		restoration_db_handler,
 		&cmd.dirs.ipc_path(),
 		Arc::new(Miner::with_spec(&spec)),
+		Arc::new(AccountProvider::transient_provider()),
+		Box::new(ethcore_private_tx::NoopEncryptor),
+		Default::default()
 	).map_err(|e| format!("Client service error: {:?}", e))?;

 	// free up the spec in memory.
@@ -576,6 +581,9 @@ fn start_client(
 		restoration_db_handler,
 		&dirs.ipc_path(),
 		Arc::new(Miner::with_spec(&spec)),
+		Arc::new(AccountProvider::transient_provider()),
+		Box::new(ethcore_private_tx::NoopEncryptor),
+		Default::default()
 	).map_err(|e| format!("Client service error: {:?}", e))?;

 	drop(spec);
--- a/parity/cli/mod.rs
+++ b/parity/cli/mod.rs
@@ -350,6 +350,35 @@ usage! {
 			"--password=[FILE]...",
 			"Provide a file containing a password for unlocking an account. Leading and trailing whitespace is trimmed.",

+		["Private transactions options"]
+			FLAG flag_private_enabled: (bool) = false, or |c: &Config| c.private_tx.as_ref()?.enabled,
+			"--private-tx-enabled",
+			"Enable private transactions.",
+
+			ARG arg_private_signer: (Option<String>) = None, or |c: &Config| c.private_tx.as_ref()?.signer.clone(),
+			"--private-signer=[ACCOUNT]",
+			"Specify the account for signing public transaction created upon verified private transaction.",
+
+			ARG arg_private_validators: (Option<String>) = None, or |c: &Config| c.private_tx.as_ref()?.validators.as_ref().map(|vec| vec.join(",")),
+			"--private-validators=[ACCOUNTS]",
+			"Specify the accounts for validating private transactions. ACCOUNTS is a comma-delimited list of addresses.",
+
+			ARG arg_private_account: (Option<String>) = None, or |c: &Config| c.private_tx.as_ref()?.account.clone(),
+			"--private-account=[ACCOUNT]",
+			"Specify the account for signing requests to secret store.",
+
+			ARG arg_private_sstore_url: (Option<String>) = None, or |c: &Config| c.private_tx.as_ref()?.sstore_url.clone(),
+			"--private-sstore-url=[URL]",
+			"Specify secret store URL used for encrypting private transactions.",
+
+			ARG arg_private_sstore_threshold: (Option<u32>) = None, or |c: &Config| c.private_tx.as_ref()?.sstore_threshold.clone(),
+			"--private-sstore-threshold=[NUM]",
+			"Specify secret store threshold used for encrypting private transactions.",
+
+			ARG arg_private_passwords: (Option<String>) = None, or |c: &Config| c.private_tx.as_ref()?.passwords.clone(),
+			"--private-passwords=[FILE]...",
+			"Provide a file containing passwords for unlocking accounts (signer, private account, validators).",
+
 		["UI options"]
 			FLAG flag_force_ui: (bool) = false, or |c: &Config| c.ui.as_ref()?.force.clone(),
 			"--force-ui",
@@ -462,7 +491,7 @@ usage! {
 			"--jsonrpc-interface=[IP]",
 			"Specify the hostname portion of the JSONRPC API server, IP should be an interface's IP address, or all (all interfaces) or local.",

-			ARG arg_jsonrpc_apis: (String) = "web3,eth,pubsub,net,parity,parity_pubsub,traces,rpc,shh,shh_pubsub", or |c: &Config| c.rpc.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
+			ARG arg_jsonrpc_apis: (String) = "web3,eth,pubsub,net,parity,private,parity_pubsub,traces,rpc,shh,shh_pubsub", or |c: &Config| c.rpc.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
 			"--jsonrpc-apis=[APIS]",
 			"Specify the APIs available through the JSONRPC interface using a comma-delimited list of API names. Possible names are: all, safe, web3, net, eth, pubsub, personal, signer, parity, parity_pubsub, parity_accounts, parity_set, traces, rpc, secretstore, shh, shh_pubsub. You can also disable a specific API by putting '-' in the front, example: all,-personal. safe contains following apis: web3, net, eth, pubsub, parity, parity_pubsub, traces, rpc, shh, shh_pubsub",

@@ -495,7 +524,7 @@ usage! {
 			"--ws-interface=[IP]",
 			"Specify the hostname portion of the WebSockets server, IP should be an interface's IP address, or all (all interfaces) or local.",

-			ARG arg_ws_apis: (String) = "web3,eth,pubsub,net,parity,parity_pubsub,traces,rpc,shh,shh_pubsub", or |c: &Config| c.websockets.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
+			ARG arg_ws_apis: (String) = "web3,eth,pubsub,net,parity,parity_pubsub,private,traces,rpc,shh,shh_pubsub", or |c: &Config| c.websockets.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
 			"--ws-apis=[APIS]",
 			"Specify the APIs available through the WebSockets interface using a comma-delimited list of API names. Possible names are: all, safe, web3, net, eth, pubsub, personal, signer, parity, parity_pubsub, parity_accounts, parity_set, traces, rpc, secretstore, shh, shh_pubsub. You can also disable a specific API by putting '-' in the front, example: all,-personal. safe contains following apis: web3, net, eth, pubsub, parity, parity_pubsub, traces, rpc, shh, shh_pubsub",

@@ -520,7 +549,7 @@ usage! {
 			"--ipc-path=[PATH]",
 			"Specify custom path for JSON-RPC over IPC service.",

-			ARG arg_ipc_apis: (String) = "web3,eth,pubsub,net,parity,parity_pubsub,parity_accounts,traces,rpc,shh,shh_pubsub", or |c: &Config| c.ipc.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
+			ARG arg_ipc_apis: (String) = "web3,eth,pubsub,net,parity,parity_pubsub,parity_accounts,private,traces,rpc,shh,shh_pubsub", or |c: &Config| c.ipc.as_ref()?.apis.as_ref().map(|vec| vec.join(",")),
 			"--ipc-apis=[APIS]",
 			"Specify custom API set available via JSON-RPC over IPC using a comma-delimited list of API names. Possible names are: all, safe, web3, net, eth, pubsub, personal, signer, parity, parity_pubsub, parity_accounts, parity_set, traces, rpc, secretstore, shh, shh_pubsub. You can also disable a specific API by putting '-' in the front, example: all,-personal. safe contains: web3, net, eth, pubsub, parity, parity_pubsub, traces, rpc, shh, shh_pubsub",

@@ -1014,6 +1043,7 @@ struct Config {
 	ipc: Option<Ipc>,
 	dapps: Option<Dapps>,
 	secretstore: Option<SecretStore>,
+	private_tx: Option<PrivateTransactions>,
 	ipfs: Option<Ipfs>,
 	mining: Option<Mining>,
 	footprint: Option<Footprint>,
@@ -1057,6 +1087,18 @@ struct Account {
 	fast_unlock: Option<bool>,
 }

+#[derive(Default, Debug, PartialEq, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct PrivateTransactions {
+	enabled: Option<bool>,
+	signer: Option<String>,
+	validators: Option<Vec<String>>,
+	account: Option<String>,
+	passwords: Option<String>,
+	sstore_url: Option<String>,
+	sstore_threshold: Option<u32>,
+}
+
 #[derive(Default, Debug, PartialEq, Deserialize)]
 #[serde(deny_unknown_fields)]
 struct Ui {
@@ -1501,6 +1543,15 @@ mod tests {
 			flag_no_hardware_wallets: false,
 			flag_fast_unlock: false,

+			// -- Private Transactions Options
+			flag_private_enabled: true,
+			arg_private_signer: Some("0xdeadbeefcafe0000000000000000000000000000".into()),
+			arg_private_validators: Some("0xdeadbeefcafe0000000000000000000000000000".into()),
+			arg_private_passwords: Some("~/.safe/password.file".into()),
+			arg_private_account: Some("0xdeadbeefcafe0000000000000000000000000000".into()),
+			arg_private_sstore_url: Some("http://localhost:8082".into()),
+			arg_private_sstore_threshold: Some(0),
+
 			flag_force_ui: false,
 			flag_no_ui: false,
 			arg_ui_port: 8180u16,
@@ -1834,6 +1885,7 @@ mod tests {
 				http_port: Some(8082),
 				path: None,
 			}),
+			private_tx: None,
 			ipfs: Some(Ipfs {
 				enable: Some(false),
 				port: Some(5001),
--- a/parity/cli/tests/config.full.toml
+++ b/parity/cli/tests/config.full.toml
@@ -23,6 +23,15 @@ unlock = ["0xdeadbeefcafe0000000000000000000000000000"]
 password = ["~/.safe/password.file"]
 keys_iterations = 10240

+[private_tx]
+enabled = true
+signer = "0xdeadbeefcafe0000000000000000000000000000"
+validators = ["0xdeadbeefcafe0000000000000000000000000000"]
+passwords = "~/.safe/password.file"
+account = "0xdeadbeefcafe0000000000000000000000000000"
+sstore_url = "http://localhost:8082"
+sstore_threshold = 0
+
 [ui]
 force = false
 disable = false
--- a/parity/configuration.rs
+++ b/parity/configuration.rs
@@ -38,13 +38,14 @@ use rpc_apis::ApiSet;
 use parity_rpc::NetworkSettings;
 use cache::CacheConfig;
 use helpers::{to_duration, to_mode, to_block_id, to_u256, to_pending_set, to_price, geth_ipc_path, parity_ipc_path,
-to_bootnodes, to_addresses, to_address, to_gas_limit, to_queue_strategy};
+to_bootnodes, to_addresses, to_address, to_gas_limit, to_queue_strategy, passwords_from_files};
 use dir::helpers::{replace_home, replace_home_and_local};
 use params::{ResealPolicy, AccountsConfig, GasPricerConfig, MinerExtras, SpecType};
 use ethcore_logger::Config as LogConfig;
 use dir::{self, Directories, default_hypervisor_path, default_local_path, default_data_path};
 use dapps::Configuration as DappsConfiguration;
 use ipfs::Configuration as IpfsConfiguration;
+use ethcore_private_tx::{ProviderConfig, EncryptorConfig};
 use secretstore::{NodeSecretKey, Configuration as SecretStoreConfiguration, ContractAddress as SecretStoreContractAddress};
 use updater::{UpdatePolicy, UpdateFilter, ReleaseTrack};
 use run::RunCmd;
@@ -341,6 +342,7 @@ impl Configuration {

 			let verifier_settings = self.verifier_settings();
 			let whisper_config = self.whisper_config();
+			let (private_provider_conf, private_enc_conf, private_tx_enabled) = self.private_provider_config()?;

 			let run_cmd = RunCmd {
 				cache_config: cache_config,
@@ -379,6 +381,9 @@ impl Configuration {
 				ipfs_conf: ipfs_conf,
 				ui_conf: ui_conf,
 				secretstore_conf: secretstore_conf,
+				private_provider_conf: private_provider_conf,
+				private_encryptor_conf: private_enc_conf,
+				private_tx_enabled,
 				dapp: self.dapp_to_open()?,
 				ui: self.args.cmd_ui,
 				name: self.args.arg_identity,
@@ -934,6 +939,29 @@ impl Configuration {
 		Ok(conf)
 	}

+	fn private_provider_config(&self) -> Result<(ProviderConfig, EncryptorConfig, bool), String> {
+		let provider_conf = ProviderConfig {
+			validator_accounts: to_addresses(&self.args.arg_private_validators)?,
+			signer_account: self.args.arg_private_signer.clone().and_then(|account| to_address(Some(account)).ok()),
+			passwords: match self.args.arg_private_passwords.clone() {
+				Some(file) => passwords_from_files(&vec![file].as_slice())?,
+				None => Vec::new(),
+			},
+		};
+
+		let encryptor_conf = EncryptorConfig {
+			base_url: self.args.arg_private_sstore_url.clone(),
+			threshold: self.args.arg_private_sstore_threshold.unwrap_or(0),
+			key_server_account: self.args.arg_private_account.clone().and_then(|account| to_address(Some(account)).ok()),
+			passwords: match self.args.arg_private_passwords.clone() {
+				Some(file) => passwords_from_files(&vec![file].as_slice())?,
+				None => Vec::new(),
+			},
+		};
+
+		Ok((provider_conf, encryptor_conf, self.args.flag_private_enabled))
+	}
+
 	fn network_settings(&self) -> Result<NetworkSettings, String> {
 		let http_conf = self.http_config()?;
 		let net_addresses = self.net_addresses()?;
@@ -1468,6 +1496,9 @@ mod tests {
 			ipfs_conf: Default::default(),
 			ui_conf: Default::default(),
 			secretstore_conf: Default::default(),
+			private_provider_conf: Default::default(),
+			private_encryptor_conf: Default::default(),
+			private_tx_enabled: false,
 			ui: false,
 			dapp: None,
 			name: "".into(),
--- a/parity/main.rs
+++ b/parity/main.rs
@@ -53,14 +53,15 @@ extern crate ethcore_logger;
 extern crate ethcore_migrations as migrations;
 extern crate ethcore_miner as miner;
 extern crate ethcore_network as network;
+extern crate ethcore_private_tx;
 extern crate ethcore_service;
 extern crate ethcore_transaction as transaction;
 extern crate ethereum_types;
-extern crate migration as migr;
-extern crate kvdb;
-extern crate kvdb_rocksdb;
 extern crate ethkey;
 extern crate ethsync;
+extern crate kvdb;
+extern crate kvdb_rocksdb;
+extern crate migration as migr;
 extern crate node_health;
 extern crate panic_hook;
 extern crate parity_hash_fetch as hash_fetch;
--- a/parity/modules.rs
+++ b/parity/modules.rs
@@ -21,7 +21,7 @@ use ethsync::{self, AttachedProtocol, SyncConfig, NetworkConfiguration, Params,
 use ethcore::snapshot::SnapshotService;
 use light::Provider;

-pub use ethsync::{EthSync, SyncProvider, ManageNetwork};
+pub use ethsync::{EthSync, SyncProvider, ManageNetwork, PrivateTxHandler};
 pub use ethcore::client::ChainNotify;
 use ethcore_logger::Config as LogConfig;

@@ -32,6 +32,7 @@ pub fn sync(
 	net_cfg: NetworkConfiguration,
 	client: Arc<BlockChainClient>,
 	snapshot_service: Arc<SnapshotService>,
+	private_tx_handler: Arc<PrivateTxHandler>,
 	provider: Arc<Provider>,
 	_log_settings: &LogConfig,
 	attached_protos: Vec<AttachedProtocol>,
@@ -42,6 +43,7 @@ pub fn sync(
 		chain: client,
 		provider: provider,
 		snapshot_service: snapshot_service,
+		private_tx_handler,
 		network_config: net_cfg,
 		attached_protos: attached_protos,
 	},
--- a/parity/rpc_apis.rs
+++ b/parity/rpc_apis.rs
@@ -22,6 +22,7 @@ use std::sync::{Arc, Weak};
 pub use parity_rpc::signer::SignerService;
 pub use parity_rpc::dapps::{DappsService, LocalDapp};

+use ethcore_service::PrivateTxService;
 use ethcore::account_provider::AccountProvider;
 use ethcore::client::Client;
 use ethcore::miner::Miner;
@@ -40,6 +41,7 @@ use parity_rpc::dispatch::{FullDispatcher, LightDispatcher};
 use parity_rpc::informant::{ActivityNotifier, ClientNotifier};
 use parity_rpc::{Metadata, NetworkSettings, Host};
 use parking_lot::{Mutex, RwLock};
+use ethcore_private_tx::Provider as PrivateTransactionManager;
 use updater::Updater;

 #[derive(Debug, PartialEq, Clone, Eq, Hash)]
@@ -70,6 +72,8 @@ pub enum Api {
 	Rpc,
 	/// SecretStore (UNSAFE: arbitrary hash signing)
 	SecretStore,
+	/// Private transaction manager (Safe)
+	Private,
 	/// Whisper (Safe)
 	// TODO: _if_ someone guesses someone else's key or filter IDs they can remove
 	// BUT these are all ephemeral so it seems fine.
@@ -98,6 +102,7 @@ impl FromStr for Api {
 			"traces" => Ok(Traces),
 			"rpc" => Ok(Rpc),
 			"secretstore" => Ok(SecretStore),
+			"private" => Ok(Private),
 			"shh" => Ok(Whisper),
 			"shh_pubsub" => Ok(WhisperPubSub),
 			api => Err(format!("Unknown api: {}", api))
@@ -183,6 +188,7 @@ fn to_modules(apis: &HashSet<Api>) -> BTreeMap<String, String> {
 			Api::Traces => ("traces", "1.0"),
 			Api::Rpc => ("rpc", "1.0"),
 			Api::SecretStore => ("secretstore", "1.0"),
+			Api::Private => ("private", "1.0"),
 			Api::Whisper => ("shh", "1.0"),
 			Api::WhisperPubSub => ("shh_pubsub", "1.0"),
 		};
@@ -214,6 +220,7 @@ pub struct FullDependencies {
 	pub sync: Arc<SyncProvider>,
 	pub net: Arc<ManageNetwork>,
 	pub secret_store: Option<Arc<AccountProvider>>,
+	pub private_tx_service: Option<Arc<PrivateTxService>>,
 	pub miner: Arc<Miner>,
 	pub external_miner: Arc<ExternalMiner>,
 	pub logger: Arc<RotatingLogger>,
@@ -385,7 +392,10 @@ impl FullDependencies {
 							);
 						}
 					}
-				}
+				},
+				Api::Private => {
+					handler.extend_with(PrivateClient::new(self.private_tx_service.as_ref().map(|p| p.provider())).to_delegate());
+				},
 			}
 		}
 	}
@@ -437,6 +447,7 @@ pub struct LightDependencies<T> {
 	pub geth_compatibility: bool,
 	pub remote: parity_reactor::Remote,
 	pub whisper_rpc: Option<::whisper::RpcFactory>,
+	pub private_tx_service: Option<Arc<PrivateTransactionManager>>,
 	pub gas_price_percentile: usize,
 }

@@ -587,12 +598,18 @@ impl<C: LightChainClient + 'static> LightDependencies<C> {
 						let whisper = whisper_rpc.make_handler(self.net.clone());
 						handler.extend_with(::parity_whisper::rpc::Whisper::to_delegate(whisper));
 					}
-				}
+				},
 				Api::WhisperPubSub => {
 					if let Some(ref whisper_rpc) = self.whisper_rpc {
 						let whisper = whisper_rpc.make_handler(self.net.clone());
 						handler.extend_with(::parity_whisper::rpc::WhisperPubSub::to_delegate(whisper));
 					}
+				},
+				Api::Private => {
+					if let Some(ref tx_manager) = self.private_tx_service {
+						let private_tx_service = Some(tx_manager.clone());
+						handler.extend_with(PrivateClient::new(private_tx_service).to_delegate());
+					}
 				}
 			}
 		}
@@ -629,6 +646,7 @@ impl ApiSet {
 			Api::Rpc,
 			Api::Whisper,
 			Api::WhisperPubSub,
+			Api::Private,
 		].into_iter().cloned().collect();

 		match *self {
@@ -693,6 +711,7 @@ mod test {
 		assert_eq!(Api::Traces, "traces".parse().unwrap());
 		assert_eq!(Api::Rpc, "rpc".parse().unwrap());
 		assert_eq!(Api::SecretStore, "secretstore".parse().unwrap());
+		assert_eq!(Api::Private, "private".parse().unwrap());
 		assert_eq!(Api::Whisper, "shh".parse().unwrap());
 		assert_eq!(Api::WhisperPubSub, "shh_pubsub".parse().unwrap());
 		assert!("rp".parse::<Api>().is_err());
@@ -712,7 +731,7 @@ mod test {
 	fn test_api_set_unsafe_context() {
 		let expected = vec![
 			// make sure this list contains only SAFE methods
-			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub,
+			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub, Api::Private,
 		].into_iter().collect();
 		assert_eq!(ApiSet::UnsafeContext.list_apis(), expected);
 	}
@@ -721,7 +740,7 @@ mod test {
 	fn test_api_set_ipc_context() {
 		let expected = vec![
 			// safe
-			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub,
+			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub, Api::Private,
 			// semi-safe
 			Api::ParityAccounts
 		].into_iter().collect();
@@ -732,7 +751,7 @@ mod test {
 	fn test_api_set_safe_context() {
 		let expected = vec![
 			// safe
-			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::SecretStore, Api::Whisper, Api::WhisperPubSub,
+			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::SecretStore, Api::Whisper, Api::WhisperPubSub, Api::Private,
 			// semi-safe
 			Api::ParityAccounts,
 			// Unsafe
@@ -747,7 +766,8 @@ mod test {
 			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::SecretStore, Api::Whisper, Api::WhisperPubSub,
 			Api::ParityAccounts,
 			Api::ParitySet, Api::Signer,
-			Api::Personal
+			Api::Personal,
+			Api::Private,
 		].into_iter().collect()));
 	}

@@ -757,13 +777,14 @@ mod test {
 			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::SecretStore, Api::Whisper, Api::WhisperPubSub,
 			Api::ParityAccounts,
 			Api::ParitySet, Api::Signer,
+			Api::Private
 		].into_iter().collect()));
 	}

 	#[test]
 	fn test_safe_parsing() {
 		assert_eq!("safe".parse::<ApiSet>().unwrap(), ApiSet::List(vec![
-			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub,
+			Api::Web3, Api::Net, Api::Eth, Api::EthPubSub, Api::Parity, Api::ParityPubSub, Api::Traces, Api::Rpc, Api::Whisper, Api::WhisperPubSub, Api::Private,
 		].into_iter().collect()));
 	}
 }
--- a/parity/run.rs
+++ b/parity/run.rs
@@ -50,7 +50,7 @@ use parity_rpc::{NetworkSettings, informant, is_major_importing};
 use parking_lot::{Condvar, Mutex};
 use updater::{UpdatePolicy, Updater};
 use parity_version::version;
-
+use ethcore_private_tx::{ProviderConfig, EncryptorConfig, SecretStoreEncryptor};
 use params::{
 	SpecType, Pruning, AccountsConfig, GasPricerConfig, MinerExtras, Switch,
 	tracing_switch_to_bool, fatdb_switch_to_bool, mode_switch_to_bool
@@ -120,6 +120,9 @@ pub struct RunCmd {
 	pub ipfs_conf: ipfs::Configuration,
 	pub ui_conf: rpc::UiConfiguration,
 	pub secretstore_conf: secretstore::Configuration,
+	pub private_provider_conf: ProviderConfig,
+	pub private_encryptor_conf: EncryptorConfig,
+	pub private_tx_enabled: bool,
 	pub dapp: Option<String>,
 	pub ui: bool,
 	pub name: String,
@@ -388,6 +391,7 @@ fn execute_light_impl(cmd: RunCmd, logger: Arc<RotatingLogger>) -> Result<Runnin
 		geth_compatibility: cmd.geth_compatibility,
 		remote: event_loop.remote(),
 		whisper_rpc: whisper_factory,
+		private_tx_service: None, //TODO: add this to client.
 		gas_price_percentile: cmd.gas_price_percentile,
 	});

@@ -622,6 +626,9 @@ fn execute_impl<Cr, Rr>(cmd: RunCmd, logger: Arc<RotatingLogger>, on_client_rq:
 		restoration_db_handler,
 		&cmd.dirs.ipc_path(),
 		miner.clone(),
+		account_provider.clone(),
+		Box::new(SecretStoreEncryptor::new(cmd.private_encryptor_conf, fetch.clone()).map_err(|e| e.to_string())?),
+		cmd.private_provider_conf,
 	).map_err(|e| format!("Client service error: {:?}", e))?;

 	let connection_filter_address = spec.params().node_permission_contract;
@@ -630,6 +637,9 @@ fn execute_impl<Cr, Rr>(cmd: RunCmd, logger: Arc<RotatingLogger>, on_client_rq:

 	// take handle to client
 	let client = service.client();
+	// take handle to private transactions service
+	let private_tx_service = service.private_tx_service();
+	let private_tx_provider = private_tx_service.provider();
 	let connection_filter = connection_filter_address.map(|a| Arc::new(NodeFilter::new(Arc::downgrade(&client) as Weak<BlockChainClient>, a)));
 	let snapshot_service = service.snapshot_service();

@@ -697,6 +707,7 @@ fn execute_impl<Cr, Rr>(cmd: RunCmd, logger: Arc<RotatingLogger>, on_client_rq:
 		net_conf.clone().into(),
 		client.clone(),
 		snapshot_service.clone(),
+		private_tx_service.clone(),
 		client.clone(),
 		&cmd.logger_config,
 		attached_protos,
@@ -705,6 +716,15 @@ fn execute_impl<Cr, Rr>(cmd: RunCmd, logger: Arc<RotatingLogger>, on_client_rq:

 	service.add_notify(chain_notify.clone());

+	// provider not added to a notification center is effectively disabled
+	// TODO [debris] refactor it later on
+	if cmd.private_tx_enabled {
+		service.add_notify(private_tx_provider.clone());
+		// TODO [ToDr] PrivateTX should use separate notifications
+		// re-using ChainNotify for this is a bit abusive.
+		private_tx_provider.add_notify(chain_notify.clone());
+	}
+
 	// start network
 	if network_enabled {
 		chain_notify.start();
@@ -796,6 +816,7 @@ fn execute_impl<Cr, Rr>(cmd: RunCmd, logger: Arc<RotatingLogger>, on_client_rq:
 		pool: cpu_pool.clone(),
 		remote: event_loop.remote(),
 		whisper_rpc: whisper_factory,
+		private_tx_service: Some(private_tx_service.clone()),
 		gas_price_percentile: cmd.gas_price_percentile,
 	});

--- a/parity/snapshot.rs
+++ b/parity/snapshot.rs
@@ -21,6 +21,7 @@ use std::path::{Path, PathBuf};
 use std::sync::Arc;

 use hash::keccak;
+use ethcore::account_provider::AccountProvider;
 use ethcore::snapshot::{Progress, RestorationStatus, SnapshotService as SS};
 use ethcore::snapshot::io::{SnapshotReader, PackedReader, PackedWriter};
 use ethcore::snapshot::service::Service as SnapshotService;
@@ -35,6 +36,7 @@ use helpers::{to_client_config, execute_upgrades, client_db_config, open_client_
 use dir::Directories;
 use user_defaults::UserDefaults;
 use fdlimit;
+use ethcore_private_tx;

 /// Kinds of snapshot commands.
 #[derive(Debug, PartialEq, Clone, Copy)]
@@ -192,7 +194,10 @@ impl SnapshotCommand {
 			&snapshot_path,
 			restoration_db_handler,
 			&self.dirs.ipc_path(),
-			Arc::new(Miner::with_spec(&spec))
+			Arc::new(Miner::with_spec(&spec)),
+			Arc::new(AccountProvider::transient_provider()),
+			Box::new(ethcore_private_tx::NoopEncryptor),
+			Default::default()
 		).map_err(|e| format!("Client service error: {:?}", e))?;

 		Ok(service)