From 7abd8a9a1887d1f2baa6307f75c55d494c0983cb Mon Sep 17 00:00:00 2001
From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
Date: Thu, 15 Jan 2026 13:22:19 -0600
Subject: [PATCH] have htdestroytoken handle CA cert path and file
---
 htdestroytoken | 16 +++++++++++++++-
 htgettoken.spec | 4 ++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/htdestroytoken b/htdestroytoken
index ed99e25..d344773 100755
--- a/htdestroytoken
+++ b/htdestroytoken
@@ -19,6 +19,8 @@ usage()
 VERBOSE=true
 RMREFRESH=false
 HTGETOPTS=""
+CAFILE=""
+CAPATH="${X509_CERT_DIR:-/etc/grid-security/certificates}"
 for ARG; do
 case $ARG in
 -h) usage;;
@@ -26,6 +28,11 @@ for ARG; do
 -f) RMREFRESH=true;;
 *) if $RMREFRESH; then
 HTGETOPTS="$HTGETOPTS $ARG"
+ if [[ "$ARG" = "--cafile="* ]]; then
+ CAFILE="${ARG#--cafile=}"
+ elif [[ "$ARG" = "--capath="* ]]; then
+ CAPATH="${ARG#--capath=}"
+ fi
 else
 usage
 fi;;
@@ -54,8 +61,15 @@ if $RMREFRESH && [ -f "$VTFILE" ]; then
 echo " at path $BEARERURL"
 fi
 # be careful to not let the vault token show up in a ps list; send to stdin
+ CURLOPTS="-q -f -m 5"
+ if [ -n "$CAFILE" ]; then
+ CURLOPTS="$CURLOPTS --cacert $CAFILE"
+ fi
+ if [ -n "$CAPATH" ]; then
+ CURLOPTS="$CURLOPTS --capath $CAPATH"
+ fi
 if ! (echo -n "X-Vault-Token: ";cat $VTFILE) | \
- curl -q -f -m 5 -H @- -X DELETE "$BEARERURL"; then
+ curl $CURLOPTS -H @- -X DELETE "$BEARERURL"; then
 echo "$ME: Unable to delete refresh token" >&2
 exit 3
 fi
diff --git a/htgettoken.spec b/htgettoken.spec
index 540a961..937b005 100644
--- a/htgettoken.spec
+++ b/htgettoken.spec
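Review bot: The `CAPATH` default is applied unconditionally, so on a host with neither `X509_CERT_DIR` set nor `/etc/grid-security/certificates` present, `-f` now passes curl a non-existent `--capath` where the previous code relied on curl's built-in trust store; depending on the curl version and TLS backend this may turn a working delete into a certificate-location failure rather than a fallback, which is worth confirming against the targeted platforms. If the default is meant to be best-effort, skipping it when the directory is absent, e.g. `[ -d "$CAPATH" ] || CAPATH=""` directly after the assignment, keeps the old behaviour on such hosts while an explicit `--capath=` parsed later in the argument loop is unaffected. The `for ARG` loop that starts in this hunk continues past it.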
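Review bot: Only the `--cafile=VALUE` and `--capath=VALUE` spellings are recognised, because each `$ARG` is inspected on its own; a value given as a separate argument is still appended to `HTGETOPTS` for htgettoken but leaves `CAFILE`/`CAPATH` untouched, so if htgettoken accepts the split form (not visible here) the refresh-token delete and the token fetch would silently use different trust settings. Either handle the split form as well or document the restriction next to the test, e.g. `# only the --opt=value form is recognised here; a separate value argument is forwarded to htgettoken but not used for the curl delete`. The `case $ARG` block this sits in begins before the hunk.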
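Review bot: `CURLOPTS` is built by string concatenation and expanded unquoted in `curl $CURLOPTS`, so a `--cafile=`/`--capath=` value or `X509_CERT_DIR` containing whitespace or glob characters is word-split or globbed before curl sees it, and the CA location curl actually uses would then differ from what the user supplied. Since the file already uses `[[ ]]`, a bash array keeps each argument intact; the rewrite below changes the four option-building and curl lines and leaves the rest of the hunk as is. The enclosing `if $RMREFRESH && [ -f "$VTFILE" ]` block begins before the hunk.

```shell
    # be careful to not let the vault token show up in a ps list; send to stdin
    CURLOPTS=(-q -f -m 5)
    if [ -n "$CAFILE" ]; then
        CURLOPTS+=(--cacert "$CAFILE")
    fi
    if [ -n "$CAPATH" ]; then
        CURLOPTS+=(--capath "$CAPATH")
    fi
    if ! (echo -n "X-Vault-Token: ";cat $VTFILE) | \
        curl "${CURLOPTS[@]}" -H @- -X DELETE "$BEARERURL"; then
    # … unchanged: error message and exit 3 …
```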
@@ -77,6 +77,10 @@ rm -rf $RPM_BUILD_ROOT
 # - Have htdecodetoken take advantage of new scitokens-verify ability
 # to read from stdin, when available.
+# - Add support in htdestroytoken -f for getting a CA cert directory
+# from ${X509_CERT_DIR:-/etc/grid-security/certificates} or from
+# a --capath option, and to get a CA cert file from a --cafile option,
+# mirroring the behavior of htgettoken.
 * Mon Dec 1 2025 Dave Dykstra 2.5-1
 - Add htdestroytoken -f option to force a removal of a refresh token in