Zero Trust

Certificate Validation

The Zero Trust module provides a reusable Certificate Validation service for validating remote SSL certificates. It allows you to configure acceptable SSL policy errors and handle certificate validation in a consistent manner across your application.

Installation

To install the Zero Trust module:

  • Add the GridLab.Abp.ZeroTrust NuGet package to your project:

    Install-Package GridLab.Abp.ZeroTrust

  • Add the AbpZeroTrustModule to the dependency list of your module:

    [DependsOn(
        //...other dependencies
        typeof(AbpZeroTrustModule) // <-- Add module dependency like that
    )]
    public class YourModule : AbpModule
    {
    }
    
  • Locate the appsettings.json file in your project.

  • Add a new section for the secure transport layer settings. This section should include the Ssl key, whose AcceptablePolicyErrors list names the SslPolicyErrors values the service will tolerate:

    {
      "ZeroTrust": {
        "Ssl": {
          "AcceptablePolicyErrors": [
            "None",
            "RemoteCertificateNotAvailable",
            "RemoteCertificateNameMismatch",
            "RemoteCertificateChainErrors"
          ]
        }
      }
    }
    

You can also control the behaviour without the appsettings.json file, with the help of the CertificateValidationOptions class:

// acceptablePolicyErrors holds the same SslPolicyErrors values you would otherwise
// list under "ZeroTrust:Ssl:AcceptablePolicyErrors" in appsettings.json.
context.Services.Configure<CertificateValidationOptions>(options =>
{
    options.AcceptablePolicyErrors = acceptablePolicyErrors;
});

Using Certificate Validation

The CertificateValidationService class implements the ICertificateValidationService interface and provides the logic for validating remote SSL certificates.

To use the CertificateValidationService in your classes, you need to inject it via dependency injection. Here is an example of how to do that:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class ExampleClass
{
    private readonly ICertificateValidationService _certificateValidationService;

    // The service is resolved from the container like any other ABP service.
    public ExampleClass(ICertificateValidationService certificateValidationService)
    {
        _certificateValidationService = certificateValidationService;
    }

    public void ValidateCertificate()
    {
        // In a real handshake these values are supplied by the TLS client;
        // they are constructed here only to show the callback's signature.
        var sender = new object();
        var certificate = new X509Certificate();
        var chain = new X509Chain();
        var sslPolicyErrors = SslPolicyErrors.None;

        // Returns true when every reported policy error is in the configured acceptable set.
        bool isValid = _certificateValidationService.RemoteCertificateValidationCallback(sender, certificate, chain, sslPolicyErrors);

        // Additional logic based on the validation result
    }
}

You can also use it in the callbacks of many high-level clients as in the following example:

    var redisConfiguration = configuration["Redis:Configuration"]!;
    var redisOptions = ConfigurationOptions.Parse(redisConfiguration);

    redisOptions.CertificateValidation += (sender, certificate, chain, sslPolicyErrors) =>
    {
        return _certificateValidationService.RemoteCertificateValidationCallback(sender, certificate, chain, sslPolicyErrors);
    };
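The following is an added example, not code from the GridLab.Abp.ZeroTrust module. It uses a hypothetical stand-in class, PolicyErrorValidator, to show how an "acceptable policy errors" check decides the outcome of the configured list from the Installation section and the callback wiring from the Redis example, and it wires the same callback into HttpClientHandler.ServerCertificateCustomValidationCallback. The stand-in's logic is an assumption about the module's behaviour, not its actual implementation.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical stand-in for ICertificateValidationService (added example, not the module's code).
public sealed class PolicyErrorValidator
{
    private readonly SslPolicyErrors _acceptable;

    // Built from the flags that would be listed under ZeroTrust:Ssl:AcceptablePolicyErrors.
    public PolicyErrorValidator(SslPolicyErrors acceptable) => _acceptable = acceptable;

    // A handshake passes only if every error the TLS stack reported is in the acceptable set;
    // any error outside that set (the bits left after masking) rejects the certificate.
    public bool RemoteCertificateValidationCallback(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        => (sslPolicyErrors & ~_acceptable) == SslPolicyErrors.None;
}

public static class Demo
{
    public static void Main()
    {
        // Strict: equivalent to an AcceptablePolicyErrors list containing only "None".
        var strict = new PolicyErrorValidator(SslPolicyErrors.None);

        // Permissive: the full list shown in the appsettings.json example above.
        var permissive = new PolicyErrorValidator(
            SslPolicyErrors.RemoteCertificateNotAvailable
            | SslPolicyErrors.RemoteCertificateNameMismatch
            | SslPolicyErrors.RemoteCertificateChainErrors);

        // Constructed scenario: the server presented a certificate issued for another host name.
        var reported = SslPolicyErrors.RemoteCertificateNameMismatch;

        // The strict validator rejects this connection; the permissive one lets it proceed,
        // which is why the list should contain only the errors you deliberately tolerate.
        Console.WriteLine($"strict: {strict.RemoteCertificateValidationCallback(new object(), null, null, reported)}");
        Console.WriteLine($"permissive: {permissive.RemoteCertificateValidationCallback(new object(), null, null, reported)}");

        // Wiring the same callback into HttpClient, as the Redis example does for
        // ConfigurationOptions.CertificateValidation.
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, certificate, chain, errors) =>
            strict.RemoteCertificateValidationCallback(request, certificate, chain, errors);
        using var client = new HttpClient(handler);
    }
}
```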