hcuImages.i

 <?php

/*
 * 2/20/18 MH
 * Demo front and back images and the 'Image not found' image nochecksgl.gif moved
 * from file path to cloudfront URL.  Changed test for demo image is_readable to
 * retrieve https headers and test for 200 OK status and file type image.  Note that
 * nocheckdbl.gif also moved to cloudfront, although it does not appear to be used
 * at this time.  Using hard-coded cloudfront domain instead of HB_ENV value because
 * code is shared by both banking and admin, which doesn't have HB_ENV set.
 */
/* This was ImageSOLO on mammoth
 * For Odyssey, separate the retrieval logic from the security at the top
 * Both Admin and Banking will have a container to handle security & credentials
 * which then includes this library for the actual retrieval.
 *
 * NOTE: I am assuming the database handle $dbh is established before this include
 *          and that dms_imp_val.i has been included
 *
 * 3/6/17 All three formerly separate 'get raw image' scripts, RawImage, FedImage,
 * and FiservImage have been converted to functions.  Code tested & deployed on
 * Mammoth, now porting to Odyssey.
 *
 * These are the surviving image vendors 2/14/2017
 * ALLOYA
 *   SUNCORP still exists, but should move to ALLOYA
 * CATALYST
 *   WESCORP still exists, but should move to CATALYST
 * CORP1
 * CORPAM
 * CSI
 * DEMO
 * EASCORP
 * FEDIMAGE
 * FISERV
 * FIS_IMGCTR
 * IMAGEPOINT *new (Bluepoint) for Lone Star
 * MAC
 * MACIMGONLY
 * MISSOURI
 * MNIPC
 * MVI
 * PALMETTO
 * SECORP
 * SYNERGENT *NEW (VSOFT) for MISSFCU
 * VOLCORP
 */

require_once('LogSSO.i');
require_once('cutrusted.i');
require_once('SSOEncryption.i');


if (!empty($adm)) {
    $inc_adm = "&adm=1";
} else {
    $inc_adm = "";
}

if (empty($CKITEM) || empty($CKHASH)) {
    # error Invalid Request (missing parameters)
  NoImage("Invalid Request (missing parameters)", $adm);
    exit;
}
    #[CKITEM]= "${Cu}|${Cn}|${accounttype}|${cert}|${tracenumber}";
    #[CKHASH]= sha1("${Cu}${Cn}${accounttype}${cert}${tracenumber}cierto");

  //$ckitem=hcu_decrypturl($CKITEM,$chk_key);

/*
 * On Mammoth, there are 3 ways to access the ImageSOLO check retrieval program.
 *
 * 1) From the Member History hcuHistory list, when the transaction represents a check
 * clearing the check number is rendered as a link to ImageSOLO.  Parameters passed on
 * the URL represent the transaction in the database, NOT ENOUGH INFO to retrieve the
 * check image independently.
 *
 * 2) From the Member hcuArchiveCheck script, which allows the member to key in info
 * about a check clearing transaction.  The transaction is generally presumed to have
 * aged out of our database.  Parameters passed on the URL include enough info to retrieve
 * the image from the vendor.  The ‘CKARCHIVE=1’ is included to notify ImageSOLO that
 * it should use the info passed without looking up a transaction in the history table.
 *
 * 3) From the Admin MemCheck script, which allows admin staff to key in enough info
 * to retrieve a check image.  The ‘CKARCHIVE=1’ parameter is included in this method
 * also.
 *
 * Note that Admin folks are allowed to key in some things that, on the member
 * side, are only retrieved from the database, including MICR.
 *
 * In all 3 methods, the transaction info is passed in a pipe-delimited list as CKITEM,
 * and because it contains potentially sensitive info, it is encrypted using the function
 * hcu_encrypturl  before passing on the URL line.
 *
 * Because ImageSOLO was called from both the admin side and the member side, we had to
 * dance a little with the security and credentials.  For Odyssey we decided to split
 * the image retrieval portion of ImageSOLO into an include file hcuImages.i which could
 * then be included from either the admin code line or the member code line.
 *
 * The idea was that the existing admin MemCheck would remain to allow admin folks to key
 * in details about the image to be retrieved, and it would then post to a new, separate
 * script which included hcuImages.i for the retrieval.  This would leave the parameter
 * passing intact and consistent across all 3 entry points.  But the admin script was
 * implemented instead as a single script, which means the parameters are not encoded
 * for transport on the URL.  hcuImages.i was also updated to eliminate the hcu_decrypturl
 * call, because the new admin method doesn’t use it.  This effectively breaks the code f
 * rom the member side.  The single script method may be workable for the hcuArhciveCheck
 * script, but it does not work at all for the hcuHistory list.
 *
 * So, ugly as it is, we need to skip the hcu_decrypturl if CKARCHIVE is set and unpack
 * parameters from CKITEM directly.  But is CKARCHIVE is NOT set, we need to decrypt
 * before unpacking.
 * 3/15/17 MH Because hcuArchiveCheck also uses CKARCHIVE I added a distinct setting -
 * aMemberImages sends CKARCHIVE=1 = use what you got as is,
 * hcuArchiveCheck sends CKARCHIVE=2 = use what you got but hcu_decrypt first.
 *
 * Further coding exposes that....
 * aMemberImages.prg introduced a new CHK_URL variable as the base URL for the link to
 * the reverse side of the check.  But the member side scripts have no knowledge of this
 * new variable and there are no programmer notes or warnings about needing it to make
 * things work.
 * 3/15/17 MH Added CHK_URL to ImageSOLO.prg  - not a bad way to solve the problem
 * since now the admin and the member side use distinct scripts instead of sharing.
 *
 * Also, aMemberImages.prg script is setting values for $_REQUEST.
 * $_REQUEST is a super-global, and we don't want to be messing with it.  To resolve
 * that problem, I am moving the dmsimpval stuff that sanitizes and imports variables
 * from the $_REQUEST out of hcuImages.i.  This means aMemberImages.prg need not muck
 * with $_REQUEST and that ImageSOLO.prg must import the values from $_REQUEST.  May
 * need to adjust a little for where some of the other variables get set.
 * 3/15/17 MH Notified Matt that setting $_REQUEST is not something we want to do and
 * recoded to import functions to get what we need from $_REQUEST when necessary
 *
 * There are also some problems with the display block itself and understanding when
 * to include style sheets, etc.  To simplify this, the display block will move out of
 * hcuImages.i and into the script which includes hcuImages.i - aMemberImages.prg,
 * ImageSOLO.prg, and hcuArchiveCk.prg.
 * 3/15/17 MH Left these as is - still don't like it but not much gain for the pain
 * of moving.
 *
 *
 * aMemberImages.prg also appears to have dropped code that sent special values for sortkey
 * for specific vendors, like this:
 *
 * if ($img_vendor == 'FEDIMAGE') $sortkey = $check_number;
 * elseif ($img_vendor == 'MAC') $sortkey = $check_micr;
 * else $sortkey = '';
 *
 * Turns out this code dropped on the Mammoth upgrade - when switching from using ImageSRC
 * to ImageSOLO.  Dropping this code breaks those interfaces for some clients when retrieving
 * images from the admin portal.
 * 3/15/17 MH put this code back in place.  No good way to test yet
 *
 */

  if ( $CKARCHIVE == "1"  || $CKARCHIVE == "2") {
    if ( $CKARCHIVE == "1" ) {
      # got here from admin with all lookup parameters in CKITEM
      // for this path all the transaction-specific information was passed in
      $ckitem = hcu_decrypturl($CKITEM,$chk_key);
      list ($iCu,$img,$check,$amount,$date,$rt,$micr,$iCn,$sk) = explode("|",$ckitem,9);
    } elseif ( $CKARCHIVE == "2" ) {
      # got here hcuArchiveCheck with all lookup parameters in CKITEM
      #  CKITEM is hcu_encrypted
      $ckitem = hcu_decrypturl($CKITEM,$chk_key);
      list ($iCu,$img,$check,$amount,$date,$rt,$micr,$iCn,$sk) = explode("|",$ckitem,9);
    }
    if ( $CKHASH != sha1("{$iCu}{$img}{$check}{$amount}{$date}{$rt}{$micr}{$CKARCHIVE}{$iCn}cierto") ) {
      # error Invalid Request (corrupt parameters)
      NoImage("Invalid Request (corrupt parameters) ", $adm);
      exit;
    }

    // But we need the image vendor credentials
    $sql = "select ckhexkey, ckorgid, ckurl
            from cuadmin where cu='$iCu'";

    $sth = db_query($sql,$dbh);
    list ($ckhexkey, $ckorgid, $ckurl)=db_fetch_array($sth,0);
  } else {
      # got here from hcuHistory
      # CKITEM hcu_encrypted for transport in the _REQUEST
    $ckitem = hcu_decrypturl($CKITEM,$chk_key);
    list ($iCu,$iCn,$iAt,$iCt,$iTrace) = explode("|",$ckitem,5);

    if ($CKHASH != sha1("${iCu}${iCn}${iAt}${iCt}${iTrace}cierto")) {
      # error Invalid Request (corrupt parameters)
      NoImage("Invalid Request (corrupt parameters) ", $adm);
      exit;
    }

    $sql = "select trim(rt) as rt,
         trim(img) as img, ckhexkey, ckorgid, ckurl
        from cuadmin where cu='$iCu'";

    $sth = db_query($sql,$dbh);
    list ($rt,$img,$ckhexkey,$ckorgid,$ckurl)=db_fetch_array($sth,0);

   $sql = "select trim(micraccount) as micr,
         trim(checknumber) as check,
         trim(sortkey) as sk,
         h.amount,
         to_char(date,'mm/dd/yyyy') as date
     from ${iCu}accounthistory h join ${iCu}accountbalance b on
       (h.accountnumber = b.accountnumber and h.accounttype=b.accounttype
         and h.certnumber = b.certnumber) where h.accountnumber='$iCn'
         and h.accounttype='$iAt' and h.certnumber='$iCt' and
         h.tracenumber = '$iTrace';";

    $sth = db_query($sql,$dbh);
    list ($micr,$check,$sk,$amount,$date)=db_fetch_array($sth,0);
    $amount=sprintf("%.2f",abs($amount));

     # override micr and rt if needed
    # clear the 'micr overridden' flag
    $ovmicr = 0;
    $sql = "select trim(rt), trim(micraccount)
            from cuovermicr where cu='$iCu' and accountnumber='$iCn'
            and accounttype='$iAt' and startcheck <= " . intval($check) .
            " order by startcheck desc limit 1";
    $sth = db_query($sql,$dbh);

    if (db_num_rows($sth) == 1 ) {
     # we got a hit, override the micr and rt
        # set a 'micr overridden' flag so we don't discard the changes later
        # (ISUCU / Scenic Falls)
     list($rt, $micr) = db_fetch_array($sth,0);
     $ovmicr = 1;
    }
    # HB_ENV['Fset3'] is set from member banking, but not from admin
    # presumably admin folks would type correct info, not rely on override?
    if ($HB_ENV['Fset3'] & GetFlagsetValue('CU3_SORTKEY_MICR')) {
        # now override date / micr from history record if sortkey contains a comma
        if (preg_match('/,/',$sk)) {
            list($date36,$micr36) = explode(',',trim($sk),2);
            $date=base_convert("$date36",36,10);
           # base convert loses leading zeros, so put 'em back
            $date = substr("000000$date",-6,6);

            # mmddyy to mm/dd/yyyy
            $date = substr($date,0,2) . "/" . substr($date,2,2) . "/20" . substr($date,4,2);
            $micr=base_convert("$micr36",36,10);
        }
    }
    if ("$sk" == 'ECHECK' ) {
      NoImage("This is an electronic check. An online image is not available.  Please contact the Credit Union if you need a copy of the check for a dispute. ", $adm);
      exit;
    }
}

header("Expires: Sat 20 May 1995 03:32:38 GMT");
header("Pragma: no-cache");
header("Cache-Control: no-cache, must-revalidate");

$CKSIDE = (trim($CKSIDE) == "" ? "F" : trim($CKSIDE));

/*
 * Sometimes we need to adjust the vendor &/or credentials when they have
 * switched to a new service or data is presented in an odd way
 * Here are some examples of how to handle that
 *
if ($Cu == "WVANGFCU") {
# WVANGFCU will convert from PALMETTO to VOLCORP effective 04/01/2014

    $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
    if ($ymd < '20140401') {
        $img = 'PALMETTO';
        $ckhexkey = '80e07c88ef3eee2344abebf882332485';
    }
}
 */
if ($Cu == "COFCU") {
# COFCU converted from FIS_IMGCTR to CATALYST 11/13/18.  Old images are expected
# to be ported to Catalyst, but that hasn't happened yet

    $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
    if ($ymd < '20181113') {
        NoImage("Images prior to November 13, 2018 are not available.  Please contact credit union for assistance.");
        exit;
    }
}

if ($Cu == "MISSFCU") {
# MISSFCU will convert from CORPAM to SYNERGENT effective 05/22/2017

    $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
    if ($ymd < '20170522') {
        $img = 'CORPAM';
        $ckhexkey = '60e07c67ef3eee2744abebf562332464';
    }
}

if ($Cu == 'ISUCU') {
    if (trim($sortkey) != '') {
        # checks clearing under PTFCU rt# will have alternate micr in sortkey
        # and will get images from WESCORP interface
        $micr = "$sortkey";
        $rt = "324173697";
        $img = 'WESCORP';
} elseif (strlen($iCn) == 8 && substr($iCn,0,2) == '75') {
        if ($ovmicr != 1) {
            # Scenic Falls member
            $micr = substr($iCn,2);
#            $rt = '324173150';
        }
    } else {
        # always pad to 12 char beginning with 7300000 for isucu retrieval from catalyst
        if (strlen(trim($micr)) < 12 ) {
            $micr = "73" . substr("0000000000" . trim($micr), -10, 10);
        }
    }
}
/*
 *
 * Sometimes the cu doesn't process the file right or can't post on a
 * particular day and we need to block requests with a particular date
 * Here is an example
if ($Cu == "HUNTFCU") {

# HUNTFCU switched to VOLCORP w/31 days history.  Older checks not available

    $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
    if ($ymd < '20130415') {
        NoImage("Online images are not available for checks clearing prior to 04/15/2013.<br>Please contact the credit union for assistance.");
        exit;
    }
}
*/

$trusted = cutrusted_read($dbh, array('Cu' => $iCu, 'trustedid' => 'HcuCheckImages'));
if ($trusted['status']['Response'] == 'false') {
    NoImage("Feature not set up correctly", $adm);
    exit;
}

/**
 *  The trusted detail could be coming from the
 *  master record which will cause a warning that
 *  "data" is undefined.
 *
 *  This key is undefined because the cutm_readdflt
 *  function in cutrusted.i on line 394 uses empty()
 *  to determine if the hcuLogging value exists.
 *
 *  If the hcuLogging value exists, it will always be 0
 *  in the master record which is also considered empty
 *  causing the "data" key/value not to be created.
 */
$parms = $trusted["data"];
$loggingFlag = trim($parms["hcuLogging"]);

if (strlen($loggingFlag) > 0) {
  $enable = $loggingFlag == -1;

  if (!$enable) {
    $loggingFlag = str_replace(" ", "", $loggingFlag);
    $testArray = explode(",", $loggingFlag);
    $enable = in_array($iCn, $testArray);
  }

  if ($enable) {

    // these are used inside the plugin to test if logging and info to log.
    $parms["logging"] = "enabled";
    $parms["environment"] = array("Cu" => $iCu, // credit union
      "memberId" => $iCn, // member id
      "SSOVendor" => $img, // image vendor
      "userIP" => $_SERVER['REMOTE_ADDR'], // user's ip address
      "dbConn" => $dbh);                  // database connection
  }
}

switch ($img) {
    case 'WESCORP':
    case 'MAC':
    case 'MACIMGONLY':
    case 'DEMO':
    case 'SUNCORP':
        # don't need anything from the database -- nothing there we use
        break;

    case 'ALLOYA':
    case 'FEDIMAGE':
    case 'CATALYST':
    case 'SECORP':
    case 'CORP1':
    case 'PALMETTO':
    case 'VOLCORP':
    case 'CORPAM':
    case 'MISSOURI':
    case 'CSI':
    case 'FISERV':
    case 'EASCORP':
    case 'MNIPC':
    case 'MVI':
    case 'FIS_IMGCTR':
    case 'IMAGEPOINT':
    case 'SYNERGENT':
    default:
        # these require monitor values - make sure we have something
        if ("${ckhexkey}${ckorgid}${ckurl}" == "") {
            # error feature not set
            NoImage("Invalid Request (feature parameters not set)", $adm);
            exit;
        }
}

function NoImage($whynot, $adm) {
# re-write this to return error structure?
    global $MC;

  print <<< EOF
  <?xml version="1.0"?><!DOCTYPE html>
  <html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
    <title>{$MC->msg('Cleared Check Detail')}</title>
    <meta name="robots" content="noindex,nofollow" />
    <meta http-equiv="X-UA-Compatible" content="IE=8" />
EOF;

  // no branding, yes grid, default Kendo, no home banking styling
  if ($adm != "1") { setIncludeFiles( FALSE, TRUE, "default", FALSE ); }

  print <<< EOF
    <script language=\"JavaScript\"><!--
      if (window.focus)
      {
         window.focus();
      }
      if (window.moveTo)
      {
         window.moveTo(0,0);
      }

      if (document.all)
      {
        top.window.resizeTo((screen.availWidth * .85),(screen.availHeight * .85));
      }
      else if (document.layers||document.getElementById)
      {
        if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth)
        {
          top.window.outerHeight = (screen.availHeight * .85);
          top.window.outerWidth = (screen.availWidth * .85);
        }
      }
//--></script>
   </head>
   <body>
EOF;

  print <<< ERRORMSG
    <div style='text-align:center;'>
    <div class="k-block k-error-colored">
    <div class="k-header k-error-colored">{$MC->msg('Cleared Check Detail')}</div>
    <div class="container_12" style='padding: 5px;'>
      <div class="grid_12"></div>
      <br>
      <div class="clear"></div>
      <div class="grid_12">{$MC->msg('CLEARED CHECK')}</div>
      <div class="clear"></div>
      <br>
      <div class="grid_12">{$whynot}</div>
      <div class="clear"></div>
      <br>
    </div>
    </div>
ERRORMSG;
}

# set default height and width for image
$iheight='198';
$iwidth='440';

switch ($img) {
    case 'FIS_IMGCTR':

        $iheight = '283';
        $iwidth = '620';
        $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
        $view = strtolower($CKSIDE);
        $server="https://netimagelr5.fidelityifs.com/imgreq/imgreqis.dll?";
        $server = $ckurl;
        $src = "fn=ce&id=${ckorgid}&acct=${micr}&check=${check}&amt=${amount}&side=${view}&date=${ymd}";
        $front = RawImage($img, $server, $src, $Cu);
        break;

   case 'SYNERGENT':
        $iheight='285';
        $iwidth='621';

        if ("$micr"=="") {
              NoImage("Your account is not set up to view check images. (No MICR)<br>Please contact the credit union for assistance.");
             exit;
        }

        $ymd = ( substr($date,6,4) . substr($date,0,2) . substr($date,3,2));
        $view = strtolower($CKSIDE);
//        $server = "https://eresearch.synergentcorp.com/NetHomebanking/vsoft.dll";
        $server = $ckurl;
        $amt = str_replace(".", "", $amount);
        $src = "?fn=ci&id=$ckorgid&acct=${micr}&check=$check&date=$ymd&side=$view&amt=$amt&index=1";
        $front = RawImage($img, $server, $src, $Cu);

        break;

   case 'MVI':
        $fb = (trim($CKSIDE) == "F" ? "1" : "2");
        $mvi_query = gmdate('Y-m-d H:i:s') . ",Checks,$micr,$check,$date,$date,$fb";

        // ENCRYPTION with openssl
        // The MCRYPT based encryption is still available as encrypt_mvi_mcrypt in
        // SSOEncryption.i script if for some reason we want to go back to mcrypt
        // based encryption
        $mvi_data = encrypt_mvi_openssl($mvi_query, $ckhexkey);

        $front = "$ckurl?contenttype=jpg&data=$mvi_data";
        $front = RawImage($img, '', $front, $Cu);

        break;

    case 'CATALYST':
    case 'SWCORP':
        $iheight = '281';
        $iwidth = '625';
        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }
        /*
         * Simplot has 12 digit micr printed on check
         * but format inherited from old Western Bridge (Wescorp)
         * only uses last 6.
         */
//    if ($Cu == 'SCU') { $micr = substr($micr,-6,6); } # disabled 12/29/16 MH -
//                                                      # no images with this on

        if (($Cu == 'SPCTFCU' || $Cu == 'SNOCOPE') && "$sk" > '') {
            $tn = $sk;
            $urlacct = '';
            $text = "${tn}${amount}${check}${date}${rt}${ckorgid}";
        } else {
            $tn = 0;
            $urlacct = "Account=$micr&";
            $text = "${micr}${amount}${check}${date}${rt}${ckorgid}";
        }

        $mac = hash_hmac('MD5', $text, $key);

        $front = "https://image.swcorp.org/cgi-bin/$ckurl?${urlacct}Amount=$amount&Serial=$check&Date=$date&CUID=$rt&RQSTRID=$ckorgid&Sequence=$tn&ImageFB=$CKSIDE&MAC=$mac";
        $front = RawImage($img, '', $front, $Cu);
        break;

    case 'SECORP':
        $iheight = '280';
        $iwidth = '620';

        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

        if ("$micr" == "") {
            NoImage("Your account is not set up to view check images. (No MICR)<br>Please contact the credit union for assistance.");
            exit;
        }

        $amt = str_replace(".", "", $amount);
        $text = "${micr}${amt}${check}${date}${rt}";
        $mac = hash_hmac('MD5', $text, $key);

        if (!empty($ckurl)) {
            $front = "{$ckurl}?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
        } else {
            #$front = "https://www.secorp.org/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
            $front = "https://ww70.corpone.org/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
            # changed 4/8/2019. DeltaCU appears to work well; VRCU works when a correct micr is present, but it isn't always
            # on April 1 2019 change URL to https://ww70.corpone.org/homebanking/hbimage.asp and update DELTACU and VRCU to NOT override the default URL
            #
            # Following URL is apparently from an old change that didn't work -- left it here so we don't lose the history
            #$front = "https://members.corpone.org/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
        }
        $front = RawImage($img, '', $front, $Cu);

        break;

    case 'PALMETTO':
#
# Date is required
#
        switch ($Cu) {
            case 'WVANGFCU':
                $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
                if ($ymd < '20100702') {
                    NoImage("Images are not available for checks clearing prior to July 2, 2010<br>Please contact the credit union for assistance.");
                    exit;
                }
                break;
            case "TRIAG":
                if (substr($micr, 0, 4) != '2190') {
                    $micr = '2190' . substr("0000000000000$micr", -9, 9);
                }
                break;
            case "FLCCU":
            case "FRFCU":
                $dstamp = strtotime("$date");
                $fiveback = date("m/d/Y", $dstamp - (86400 * 5));
                $date = "{$fiveback}::{$date}";
                break;
        }

        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

        $text = "${micr}${amount}${check}${date}${rt}";
        $mac = hash_hmac('MD5', $text, $key);

        $front = "https://hb.creditunionimages.com/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amount&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
        $front = RawImage($img, '', $front, $Cu);
        break;

    case 'VOLCORP':
        $iheight = '280';
        $iwidth = '620';

        $qdate = $date;

        switch ($Cu) {
            case 'CURC':
                $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
                if ($ymd < '20100614') {
                    NoImage("Images are not available for checks clearing prior to June 14, 2010<br>Please contact the credit union for assistance.");
                    exit;
                }
                break;
            case 'MIDTNFCU':
                # Middle Tennessee is posting a day late, so adjust
                # but only if this request is not from the admin side
                if ($inc_adm == "") {
                    $ymd = BumpDate($date);
                    $qdate = substr($ymd,4,2) . "/" . substr($ymd,6,2) . "/" . substr($ymd,0,4);
                }
                break;
        }

# 8/8/11 don't let request go through if no micr -- might show check from wrong accounts
        if (trim($micr) == '') {
            NoImage("Your account is not set up correctly to view images (missing micr).<br>Please contact the credit union for assistance.");
            exit;
        }
        if (($Cu == 'HSCU') && (substr($micr, 0, 7) != '7106300')) {
            $micr = "7106300$micr";
        }

        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

# VOLCORP is apparently treating RT# as numeric, not string, so
# leading zero on our side disappears on their side and causes hash
# mismatch ('Authentication Error').  So we'll play nice and drop the
# zero here.  VOLCORP is working on an upgrade that will fix this problem.

        $rt = ltrim($rt, '0');

        $amt = str_replace(".", "", $amount);
        $text = "${micr}${amt}${check}${qdate}${rt}";
        $mac = hash_hmac('MD5', $text, $key);

#        $front = "https://www.volcorp.org/homebanking/hbimage.asp?RT=$rt&PDATE=$qdate&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
# Volcorp redesigned website; url (hostname) changes as below
        $front = "https://eservices.volcorp.org/homebanking/hbimage.asp?RT=$rt&PDATE=$qdate&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
                $front = RawImage($img, '', $front, $Cu);
        break;

    case 'CORPAM':

        if ($Cu == 'SONOMA') {
            $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));

            if ($ymd < '20140616') {
                NoImage("Images are not available online for checks clearing prior to June 16, 2014<br>Please contact Sonoma Federal Credit Union at 707 527-6216 for assistance.");
                exit;
            }
            # $ovmicr set when admin micr override is used
            # don't change the micr again if it is already overridden
            if ($ovmicr != 1) {
                if (substr($micr, 0, 8) != '82600000' && $micr <> '100108') {
                    $micr = substr("82600000", 0, 14 - strlen($micr)) . $micr;
                }
            }
        }

        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

        $amt = str_replace(".", "", $amount);
        $text = "${micr}${amt}${check}${date}${rt}";
        $mac = hash_hmac('MD5', $text, $key);

        $front = "https://images.corpam.org/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amt&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
        $front = RawImage($img, '', $front, $Cu);
        break;

    case 'WESCORP':
        $iheight = '300';
        $iwidth = '629';
        $idate = "";

        if ($Cu == 'ALCU' && "$sk" == 'ECHECK') {
            NoImage("This is an electronic check. An online image is not available.  Please contact the Credit Union if you need a copy of the check for a dispute. ");
            exit;
        }
        if (($Cu == 'ISUCU') && (trim($sk) != '')) {
            $micr = "$sk";
            $rt = "324173697";
        }

        if (($Cu == 'PRRFCU') && (substr($micr, 0, 2) != '79')) {
            $micr = "79$micr";
        }
        $server="https://image.wescorp.org/scripts/afs/afswebapi/afswebapi.dll?";
        $src = "StreamImage&CUID=$rt&Account=${micr}&Serial=$check&Amount=${amount}&ImageFB=$CKSIDE$idate";
        $front = RawImage($img, $server, $src, $Cu);

        break;

    case 'MAC':
        $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
        if ($Cu == "LEFCU") {
            if ($ymd > '20111130' && $ymd < '20111213' && $inc_adm == "") {

                # L'Oreal switched to MidAtlantic Dec 1, but posted on wrong day until 12/14
                # so for those dates back up 1 business day -- but only if not an adm request

                $dstamp = strtotime("$date");
                $wday = date("w", $dstamp); # day of week 0=Sunday
                switch ($wday) {
                    case 1: # Monday, back up to Friday
                        $ymd = date("Ymd", $dstamp - (86400 * 3));
                        break;
                    default: # back up one day
                        $ymd = date("Ymd", $dstamp - 86400);
                        break;
                }
            }
        }
#
        switch ($Cu) {
            case 'FCFCU':
                if ((substr($micr, 0, 3) != '013')) {
                    $micr = '013' . substr($micr, -7, 7);
                }
                $tn = 0;
                break;
            default:
                $tn = 0;
        }
        $ID = hash('MD5', ($micr . "DMS20070314" . $rt . $tn . $ymd . $amount . $check));
        $filename = "https://images.midatlanticcorporate.org/image/checkimage_w.asp?aba=$rt&accountnumber=${micr}&amount=$amount&date=$ymd&serialnumber=$check&frontback=ON&tracernumber=$tn&id=$ID";

        if (HCU_array_key_value("logging", $parms) == "enabled") {
            $logParms = $parms["environment"];            // get the environment info passed in
            $logParms["token"] = '';                      // the id used across all communications in session
            $logParms["txnId"] = time();                  // the id for this transaction
            $logParms["logPoint"] = "Mac CK";             // this action in a readable form
            $logParms["request"] = "ID: $ID \n$filename"; // the request
            $logParms["reply"] = "";                      // the response
            LogSSOActivity($logParms);
        }

        header("Location: $filename");
        print $MC->msg("Loading Data");
        exit;
        break;

    case 'MACIMGONLY':
        $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
        switch ($Cu) {
            case 'FCFCU':
                if ((substr($micr, 0, 3) != '013')) {
                    $micr = '013' . substr($micr, -7, 7);
                }
                $tn = 0;
                break;
            default:
                $tn = 0;
        }
        $ID = hash('MD5', ($micr . "DMS20070314" . $rt . $tn . $ymd . $amount . $check));
        $ImageFB = ($CKSIDE == 'B' ? 'ON' : 'OFF');
        $server = "https://images.midatlanticcorporate.org/image/checkimage.asp?";
        $src = "aba=$rt&accountnumber=${micr}&amount=$amount&date=$ymd&serialnumber=$check&frontback=$ImageFB&tracernumber=$tn&id=$ID";
        $front = RawImage($img, $server, $src, $Cu);

        break;

    case 'CORP1':
        $iheight = '246';
        $iwidth = '550';

        $server = "https://ww10.corpone.org/showdraft/DIshowdraft.asp?";
        $src = "rt=$rt&rs=$ckhexkey&ac=$micr&sn=$check&am=$amount&dc=$date&face=$CKSIDE";
        $front = RawImage($img, $server, $src, $Cu);

        break;

    case 'MNIPC':
        # 7/17/14 add ArchiveConfig to url string.
        // (Using ckurl because MNIPC sets longer value than will fit in the ckorgid or ckhexkey column)
        $server = "https://Ryan.mnipc.com/scripts/afs/afswebapi/afswebapi.dll?StreamImage?";
        $src = "RT=$rt&Account=${micr}&Serial=$check&Amount=$amount&ImageFB=$CKSIDE&ArchiveConfig=$ckurl";
        $front = RawImage($img, $server, $src, $Cu);

        break;

    case 'ALLOYA':
        # this is the new interface from Alloya in partnership with Catalyst
        # 12/19/16 older Alloya interface renamed ALLOYA_VS
        # copied Catalyst interface & modified URL
        # also dropped conditional code to use $tn trace number instead of micr account
        # see CATALYST if you need that back
        # also copied the 'bail if no micr' block from older ALLOYA interface... kinda like it
        # but it won't work if you re-engage the trace number block

        if ("$micr" == "") {
            NoImage("Your account is not set up to view check images. (No MICR)<br>Please contact the credit union for assistance.");
            exit;
        }
        $iheight = '281';
        $iwidth = '625';
        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }
        $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
        # Alloya interface drops leading zero from rt#
        $rt = ltrim($rt, '0');
        $text = "${micr}${amount}${check}${ymd}${rt}${ckorgid}";
        $mac = hash_hmac('MD5', $text, $key);

        $front = "https://imageview.alloyacorp.org/NetHomeBanking/$ckurl?Account=$micr&Amount=$amount&Serial=$check&Date=$ymd&CUID=$rt&RQSTRID=$ckorgid&ImageFB=$CKSIDE&MAC=$mac";
        $front = RawImage($img, '', $front, $Cu);

        break;

    case 'IMAGEPOINT':
        $iheight = '285';
        $iwidth = '621';

        if ("$micr" == "") {
            NoImage("Your account is not set up to view check images. (No MICR)<br>Please contact the credit union for assistance.");
            exit;
        }

        $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
        $amt = str_replace(".", "", $amount); # decimal point implied

//        $server = "https://iparchive.lonestarcu.org/ipfawebapi/query.aspx?";
        $server = $ckurl;
        $src = "fn=iteminq&id=$ckorgid&acct=${micr}&check=$check&date=$ymd&side=$CKSIDE&amt=$amt&index=1";
        $front = RawImage($img, $server, $src, $Cu);
        break;

    case 'DEMO':
        $front = democheck($CKSIDE);
        break;

    case 'SUNCORP':
        $iheight = '297';
        $iwidth = '660';
        /*
         * WEBERCU (Wasatch Peaks) merged w/Alliance CU -- use alternate MICR if it is provided
         * to get check images for formerly-Alliance members
         */
        if (($Cu == 'WEBERCU') && (trim($sk) != '')) {
            $micr = "$sk";
            $rt = "324377590";
        }
        $server = "https://imageconnect.suncorp.coop/scripts/afs/afswebapi/afswebapi.dll?StreamImage?";
        $src = "TR=$rt&Account=${micr}&Serial=$check&Amount=${amount}&ImageFB=$CKSIDE";
        $front = RawImage($img, $server, $src, $Cu);

        break;

    case 'MISSOURI':
        if ($Cu == "KRAFTCOR") {
# KRAFTCOR switched to MISSOURI.  Older checks not available

            $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
            if ($ymd < '20151201') {
                NoImage("Online images are not available for checks clearing prior to 12/01/2015.<br>Please contact the credit union for assistance.");
                exit;
            }
        }
        $server = "https://www.lipcgatekeeper.org:2000";
        $front = "$ckurl?Acct=$micr&Cnum=$check&Amt=$amount&Img=$CKSIDE";

        $miss = "$server$front";
        $fd = fopen($miss, 'rb');
        if ($fd) {
            $fx = fgets($fd, 4096);
            if (preg_match("/NO MATCH FOUND/", $fx) || preg_match("/INVALID REQUEST/", $fx)) {
                $front = "Check Image Not Found";
            } else {
                $fx = str_replace("<IMG SRC=\"", "", $fx);
                $fx = str_replace("\">", "", $fx);
                $front = RawImage($img, '', $fx, $Cu);

            }
        } else {
            $front = "Check Image Not Found";
        }

        break;

    case 'EASCORP':
#
# 3/9/10 Eascorp changing to unique requestor id and key for each cu
# requestor id is routing# dash DMS
# secret key will come from monitor Check Security Key

        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

        $session = substr('000000000' . strval(rand(1, 999999999)), -9);
        if ($iCu != 'STCU') {
            $micr = substr('0000000000' . $micr, -10);
        }
        $timestamp = gmmktime();

        $text = "${rt}-DMS${session}${timestamp}${rt}${iCn}${micr}";
        $mac = hash_hmac('MD5', $text, $key);
        $src = "https://www.member-data.com/hb/hb_ckcp.ashx";

        $dxml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>
                                <request>
                                <requestor>${rt}-DMS</requestor>
                <session>$session</session>
                <timestamp>$timestamp</timestamp>
                <routing>$rt</routing>
                <member>$iCn</member>
                <ck-account>$micr</ck-account>
                <ck-date>$date</ck-date>
                <ck-ck-number>$check</ck-ck-number>
                <ck-amount>$amount</ck-amount>
                <MAC>$mac</MAC>
                                </request>";


#$cmd="/usr/bin/curl --show-error --dump-header '/tmp/xmlhead' --include --data-binary '$dxml' -H 'Content-Type: text/xml' $src";

        $cmd = "/usr/bin/curl --silent --data-binary '$dxml' -H 'Content-Type: text/xml' $src";

        $fd = popen("$cmd", "r");

        $response = "";
        if ($fd) {
            do {
                $data = @fread($fd, 8192);
                if (strlen($data) == 0) {
                    break;
                }
                $response .= $data;
            } while (true);

            pclose($fd);
        }

        $nocheck = 0;
        if (!preg_match("#<URL>#s", $response)) {
            $nocheck = 1;
        }

        $url = preg_replace("#</URL>.*$#s", "", $response, -1);
        $url = preg_replace("#.*<URL>#s", "", $url, -1);
        $src = "https://$url";

        if (HCU_array_key_value("logging", $parms) == "enabled") {
            $logParms = $parms["environment"];            // get the environment info passed in
            $logParms["token"] = '';                      // the id used across all communications in session
            $logParms["txnId"] = time();                  // the id for this transaction
            $logParms["logPoint"] = "Eascorp CK";         // this action in a readable form
            $logParms["request"] = $cmd;                  // the request
            $logParms["reply"] = "URL $src \n$response";  // the response
            LogSSOActivity($logParms);
        }

        if (!$nocheck) {
            header("Location: $src");
            print $MC->msg("Loading Data");
        } else {
            print $MC->msg("Check Image Not Found");
        }
        exit;
        break;

    case 'CSI':
#
# Date is required and must match with corporate clearing date
#
        $key = "";
        for ($i = 0; $i < strlen($ckhexkey); $i+=2) {
            $key .= chr(hexdec(substr($ckhexkey, $i, 2)));
        }

        $text = "${micr}${amount}${check}${date}${rt}";
        $mac = hash_hmac('MD5', $text, $key);

        $front = "https://hb.csiimage.com/homebanking/hbimage.asp?RT=$rt&PDATE=$date&ACCT=$micr&AMT=$amount&CKNUM=$check&F_B=$CKSIDE&MAC=$mac";
        $front = RawImage($img, '', $front, $Cu);
        break;

    case 'FEDIMAGE':

        switch ($Cu) {
            case "SFEFCU":
                $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
                if ($ymd < '20101201') {
                    NoImage("Images are not available for checks clearing prior to December 1, 2010<br>Please contact the credit union for assistance.");
                    exit;
                }
                $bytrace = 0;
                break;
//      case "FIRSTLIB":
//          # treat micrs beginning with 11800 as commercial accounts, passing
//          // check number in XML query as 'Aux On Us' instead of 'Check Number'
//          // waiting for client to confirm this is dependable method of identifying
//          // commercial accounts before committing / deploying MHall
//          if (substr($micr,0,5) == '11800') {
//            $bytrace=2;
//          } else {
//              $bytrace=0;
//          }
//       break;
            default:
                $bytrace = 0;
        }
        # $certfile, $pass, url used to come from FedSpecs.i.
        # Moving those things into monitor for easier support
        # but note that FedSpecs.i had FQ path for certfile, but monitor entry
        # is limited to 32 char & I don't want to mess with it now.
        # So assume the location is in cu sslforms directory.
        #
        # Odyssey uses shared ssl certs directory
        # ckhexkey value should start with 'test/certs/cks/' or 'prod/certs/cks/'
        # note that ckhexkey value is varchar(50), and the required prefix uses 15
        # so... be brief with the cert file names!

        $certSecretId = trim($ckhexkey);

    /**
     *  Retrieve and decrypt the cert file
     */
        $certfile = GetAwsCertFile($certSecretId, HOMECU_ENC_CERT_DIR, HOMECU_DOCK_CERT_DIR);

        if ($certfile == '' || !(is_readable($certfile))) {
             NoImage("Invalid Request (feature parameters not set)" , $adm);
             exit;
        }
        $pass = $ckorgid;
        $server = $ckurl;
        # FedImageGL gets the image links & call FedImageSI to get image stream
        # so what we get here is data:image/gif followed by encoded image bytes ready to display
        $imglist = FedImageGL($Cu, $date, $amount, $check, $rt, $micr, $sk, $bytrace, $certfile, $pass, $server);
        $front = $imglist['Front'];
        $back = $imglist['Back'];
        break;

    case 'FISERV':
#
# by default, the date value passed to Fiserv is the date of the check
# but ICCCU has some special processing because they get the file late
# from Fiserv.  See switch by $Cu in FiservImage script
# 2/23/17
# ICCCU went away, now KONECU posts the file late and uses the date adjustment,
# and FiservImage is now a function rather than a separate script.
#
        $iheight = '273';
        $iwidth = '627';
        $server = "https://www.fiservcws.com/ui/wsinterface.asmx";
#               $orgid="44444451"; # testing

        switch ($Cu) {
            case 'CAOFCU':
                $ymd = ( substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2));
                if ($ymd < '20091001') {
                    NoImage("Online images are not available for checks cleared prior to October 1, 2009.<br><br>&nbsp;Please contact the Credit Union for images of these checks.");
                    exit;
                }
                break;
        }

        $text = "${Cu}${amount}${check}${micr}${rt}${date}${ckorgid}";
        $front = FiservImage($Cu, $CKSIDE, $amount, $check, $micr, $rt, $date, $ckorgid);
        break;
}

  print <<< EOF
  <?xml version="1.0"?><!DOCTYPE html>
  <html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
    <title>{$MC->msg('Cleared Check Detail')}</title>
    <meta name="robots" content="noindex,nofollow" />
    <meta http-equiv="X-UA-Compatible" content="IE=8" />
EOF;

setIncludeFiles( FALSE, TRUE, "default", FALSE );


  print <<< EOF
    <script language=\"JavaScript\"><!--
      if (window.focus)
      {
         window.focus();
      }
      if (window.moveTo)
      {
         window.moveTo(0,0);
      }

      if (document.all)
      {
        top.window.resizeTo((screen.availWidth * .85),(screen.availHeight * .85));
      }
      else if (document.layers||document.getElementById)
      {
        if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth)
        {
          top.window.outerHeight = (screen.availHeight * .85);
          top.window.outerWidth = (screen.availWidth * .85);
        }
      }
//--></script>
   </head>
   <body>
EOF;
?>
  <div class="text-center">
    <div class="well well-sm col-sm-12 ">
      <div class="text-left">
        <label><?php echo $MC->msg('Date Cleared') ?>:</label>
        <label style="font-weight: normal;"><?php echo $date; ?></label><br>
        <label><?php echo $MC->msg('Check Number') ?>:</label>
        <label style="font-weight: normal;"><?php echo $check; ?></label><br>
        <label><?php echo $MC->msg('Amount') ?>:</label>
        <label style="font-weight: normal;"><?php echo $amount; ?>
      </div>
      <?php
      print "<br>";
      // Display the front image
      if ($front == "Check Image Not Found") {
        print $MC->msg('Check Image Not Found') . "<br>";
      } else {
        print "<img src='$front' height='$iheight' width='$iwidth' alt='" . $MC->msg('Please Wait') . "...' border=1>";
        print "<br>";

        /**
         * FEDIMAGE is the only vendor that gives front and back
         * images on request, display both at the same time and
         * skip the View back / front button.
         */
        if ($img == "FEDIMAGE") {
          // Check if back image exists
          // Add extra break to get some space beteween images
          if ($back != "NO") {
            print "<br>";
            print "<img src='$back' height='$iheight' width='$iwidth' alt='" . $MC->msg('Please Wait') . "...' border=1>";
          }
        } else {
          if (empty($back)) {
            // Show View Back / Front button here for other vendors
            $NextCKSIDE = ($CKSIDE == 'F' ? 'B' : 'F');
            $view = ($NextCKSIDE == 'F' ? 'Front' : 'Back');
            $viewCaption = $MC->msg("View $view");

            print "<br><a id='ckViewBtn' class='k-button' href=\"{$CHK_URL}cu=$Cu&CKITEM=${CKITEM}&CKARCHIVE={$CKARCHIVE}&CKHASH=${CKHASH}" . ($inc_adm ? "&adm=1" : "" ) . "&CKSIDE=$NextCKSIDE\">$viewCaption</a>";
          }
        }
      }
      ?>
      <br>&nbsp;
      </div>
    </div>
  </div>
 </body>
</html>

<?php

            /**
             * democheck Retrieves dummy check image for demo purposes
             * @param string $ckside pick 'F'ront or 'B'ack
             * @return string base64 encoded image bytes
             */
            function democheck($ckside) {
                $theader = "data:image/jpg";
                # using hard-coded path instead of HB_ENV['cloudfrontDomainName']
                # because this runs from both banking and admin (HB_ENV undefined in admin)
                $imagefile = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/demo_chk" . strtolower($ckside) . ".jpg";

                $nctypehead = "data:image/gif";
                $nocheck = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/nochecksgl.gif";
                $headers = get_headers($imagefile,1);
                if ( stristr( $headers[0], '200 OK') !== false && stristr( $headers['Content-Type'], 'image') !== false ) {
                    $imagebytes = file_get_contents($imagefile);
                } else {
                    $imagebytes = file_get_contents($nocheck);
                    $theader = $nctypehead;
                }
                return $theader . ';base64,' . base64_encode($imagebytes);
            }

            /**
             * RawImage Retrieves the raw bytes for an image
             * @global array $parms get settings for vendor logging
             * @param string $img which image vendor cuadmin.img
             * @param string $server  host portion of vendor URL
             * @param string $src http query portion of vendor URL
             * @param string $Cu  client code
             * @param array $opts   loophole for passing additional vendor-specific options
             * @return string base64 encoded image bytes
             */
            function RawImage($img, $server, $src, $Cu, $opts = array() ) {
// accept $opts as a parameter and add to it -
// allow interfaces a loophole for specifying other settings if needed
// used later to set stream options
// ignore errors on the stream operation
// so we can catch them after & still have the content

                $opts['http']['ignore_errors'] = true;

# set some defaults
                # using hard-coded path instead of HB_ENV['cloudfrontDomainName']
                # because this runs from both banking and admin (HB_ENV undefined in admin)
                $nocheck = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/nochecksgl.gif";
                $nctypehead = "data:image/gif";

                $curlopts = array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_SSL_VERIFYPEER => 0,
                    CURLOPT_SSL_VERIFYHOST => 0,
                    CURLOPT_HEADER => FALSE,
                    CURLOPT_URL => "${server}${src}");

                $ch = curl_init();
//curl_setopt($ch, CURLOPT_VERBOSE, true);
//$verbose = fopen('/tmp/fstrace', 'a+');
//curl_setopt($ch, CURLOPT_STDERR, $verbose);

                curl_setopt_array($ch, $curlopts);

                $respERR = '';
                $imagebytes = curl_exec($ch);
                $respHTTP = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                $respTYPE = curl_getinfo($ch, CURLINFO_CONTENT_TYPE); # gets NULL if no valid Content-Type
                $respCURL = curl_errno($ch);

                if ($respCURL) {
                    # curl error
                    $respERR = "HCUERROR: Connection Failed cURL $respCURL";
                } elseif ($respHTTP > 400 && $respHTTP < 600) {
                    # HTTP Response 4xx client error or 5xx server error
                    $respERR = "HCUERROR: Connection Failed HTTP $respHTTP ";
                } elseif (!isset($imagebytes) || $imagebytes == '') {
                    # no response
                    $respERR = "HCUERROR: Empty Response";
                } elseif (is_null($respTYPE) || strtolower(substr($respTYPE, 0, 5)) != 'image') {
                    # Content-Type header missing or not an image
                    $respERR = "HCUERROR: Response Not an Image";
                } else {
                    # should be good response
                    $theader = "data:" . trim($respTYPE);
                }

                global $parms;
                if (HCU_array_key_value("logging", $parms) == "enabled") {
                    $logParms = $parms["environment"];            // get the environment info passed in
                    $logParms["token"] = '';                      // the id used across all communications in session
                    $logParms["txnId"] = time();                  // the id for this transaction
                    $logParms["logPoint"] = "$img RawImage";      // this action in a readable form
                    $logParms["request"] = "${server}${src}";     // the request
                    $logParms["reply"] = "$respERR\n";            // the response
                    if (is_null($respTYPE) || strtolower(substr($respTYPE, 0, 5)) != 'image') {
                      $logParms["reply"] .= $imagebytes;
                    } else {
                      $logParms["reply"] .= "(IMAGE DATA)\n";     // This is a string
                    }
                    LogSSOActivity($logParms);
                }

                if ($respERR != '') {
                    $theader = $nctypehead;
                    $imagebytes = file_get_contents($nocheck);
                }

                return $theader . ';base64,' . base64_encode($imagebytes);
            }

            /**
             * FiservImage builds query and retrieves image from Fiserv
             * @global array $parms get settings for vendor logging
             * @param string $Cu  client cu code cuadmin.cu
             * @param string $view    pick 'F'ront or 'B'ack image
             * @param currency $amount  check amount
             * @param string $check   check number
             * @param string $micr    member micr
             * @param string $rt      cu routing / transit cuadmin.rt
             * @param string $ckdate  check date
             * @param string $orgid   client orgid issued by Fiserv
             * @return string base64 encoded image bytes
             */
            function FiservImage($Cu, $view, $amount, $check, $micr, $rt, $ckdate, $orgid) {
                # only one client (Konecu) on this interface, and none of their images work
                # turns out they are posting a day late - use BumpDate to adjust
                #  2/15/17 moving on to FedImage
#$front="FiservImage?cu=$Cu&view=$CKSIDE&amount=$amount&check=$check&micr=$micr&rt=$rt&date=$date&orgid=$ckorgid{$inc_adm}&imgkey=$imgkey";
#   $prid="Test";
#   $prpwd="i+PJQ7Fgn/+/xRqtZm0KBK34PJ0=";
                $prid = "HomeCU";
                $prpwd = "osSqERHPDtl5w5zsz3UDYl7X8ks=";
                $server = "https://www.fiservcws.com/ui/wsinterface.asmx";

                $dstamp = strtotime("$ckdate");

                switch ($Cu) {
                    case "ICCCU":
                    case "KONECU":
                        $ymd = BumpDate($ckdate);
                        break;
                    default:
                        $ymd = date("Ymd", $dstamp);
                        break;
                }

                $datetime = (date("Y-m-d") . "T" . date("H:i:sO"));

                $dxml = '<fiAPI xmlns="http://integration.fiapi.com" ';
                $dxml .= 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ';
                $dxml .= 'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ';
                $dxml .= 'xsi:schemaLocation="http://integration.fiapi.com fiDocumentInquiry.xsd"> ';
                $dxml .= '<fiHeader Version="2.0"> ';
                $dxml .= '<Service Version="1.0" Name="FiservArchiveAccessAPI"> ';
                $dxml .= '<DateTime>' . $datetime . '</DateTime> ';
                $dxml .= '<UUID>12345678-1234-1234-1234-123456789012</UUID> ';
                $dxml .= '</Service> ';
                $dxml .= '<Security> ';
                $dxml .= '<AuthenticationMaterial> ';
                $dxml .= '<PrincipalPWD>' . $prpwd . '</PrincipalPWD> ';
                $dxml .= '</AuthenticationMaterial> ';
                $dxml .= '<PrincipalID>' . $prid . '</PrincipalID> ';
                $dxml .= '</Security> ';
                $dxml .= '<Client Version="1.3"> ';
                $dxml .= '<VendorID>Vendor Name</VendorID> ';
                $dxml .= '<AppID>CWS</AppID> ';
                $dxml .= '<OrgID>' . $orgid . '</OrgID> ';
                $dxml .= '<SessionID>88888888-4444-4444-4444-123456789012</SessionID> ';
                $dxml .= '</Client> ';
                $dxml .= '<DataSource> ';
                $dxml .= '<URI /> ';
                $dxml .= '</DataSource> ';
                $dxml .= '</fiHeader> ';
                $dxml .= '<Request TypeOfRequest="DocumentInquiryRq" RequestID="123" Echo="0"> ';
                $dxml .= '<Date>' . $ymd . '</Date> ';
                $dxml .= '<Class>Check</Class> ';
                $dxml .= '<Type>GetImage</Type> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>ItemSeqNum</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>0</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>CheckAmt</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>' . $amount . '</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>TransCode</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>' . $check . '</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>AccountNum</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>' . $micr . '</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>TrRoutNum</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>' . $rt . '</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<Condition> ';
                $dxml .= '<Detail>SerialNum</Detail> ';
                $dxml .= '<Operator>EQ</Operator> ';
                $dxml .= '<Value>' . $check . '</Value> ';
                $dxml .= '</Condition> ';
                $dxml .= '<RequestData ID="1" Name="1" Date="1" Class="1" Type="1"> ';
                $dxml .= '<Page View="' . $view . '" Format="gif">1</Page> ';
                $dxml .= '</RequestData> ';
                $dxml .= '<RequestMetaData /> ';
                $dxml .= '</Request> ';
                $dxml .= '</fiAPI>';

                $dxml = htmlspecialchars($dxml, ENT_NOQUOTES);

                $os = '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  ';
                $os .= 'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ';
                $os .= 'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> ';
                $os .= '<soap:Body> ';
                $os .= '<SubmitRequest xmlns="urn:Fiserv.CWS"> ';
                $os .= '<FiAPIRequest>' . $dxml . '</FiAPIRequest> ';
                $os .= '</SubmitRequest> ';
                $os .= '</soap:Body> ';
                $os .= '</soap:Envelope> ';

                $response = "";
                # using hard-coded path instead of HB_ENV['cloudfrontDomainName']
                # because this runs from both banking and admin (HB_ENV undefined in admin)
                $nocheck = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/nochecksgl.gif";
                $nctypehead = "data:image/gif";
                $front = "Check Image Not Found";

                $cmd = "/usr/bin/curl --silent --data-binary '$os' -H 'Content-Type: text/xml' -H 'SOAPAction: \"urn:Fiserv.CWS/SubmitRequest\"' '$server'";

# use embedded curl to get results, check errors

                $curlopts = array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_SSL_VERIFYPEER => 0,
                    CURLOPT_SSL_VERIFYHOST => 0,
                    CURLOPT_HEADER => FALSE,
                    CURLOPT_POSTFIELDS => $os,
                    CURLOPT_URL => "$server");
                $reqHeaders = array('Content-Type: text/xml', 'SOAPAction: "urn:Fiserv.CWS/SubmitRequest"');

                $ch = curl_init();
//curl_setopt($ch, CURLOPT_VERBOSE, true);
//$verbose = fopen('/tmp/fstrace', 'a+');
//curl_setopt($ch, CURLOPT_STDERR, $verbose);

                curl_setopt_array($ch, $curlopts);
                curl_setopt($ch, CURLOPT_HTTPHEADER, $reqHeaders);

                $respERR = '';
                $response = curl_exec($ch);
                $respHTTP = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                $respTYPE = curl_getinfo($ch, CURLINFO_CONTENT_TYPE); # gets NULL if no valid Content-Type
                $respCURL = curl_errno($ch);

                if ($respCURL) {
                    # curl error
                    $respERR = "HCUERROR: Connection Failed cURL $respCURL";
                } elseif ($respHTTP > 400 && $respHTTP < 600) {
                    # HTTP Response 4xx client error or 5xx server error
                    $respERR = "HCUERROR: Connection Failed HTTP $respHTTP ";
                } elseif (!isset($response) || $response == '') {
                    # no response
                    $respERR = "HCUERROR: Empty Response";
//    } elseif (is_null($respTYPE) || strtolower(substr($respTYPE,0,5)) != 'image') {
//    FiServ returns XML, not just the image
//        # Content-Type header missing or not an image
//        $respERR = "HCUERROR: Response Not an Image";
                }

                if ($respERR == '') {
                    # set xml to catch errors, and remember the current setting
                    $xmlerr_setting = libxml_use_internal_errors(true);

                    $xml = simplexml_load_string($response);

                    # retrieve any errors encountered on the load
                    $xmlerrors = libxml_get_errors();
                    # clear the internal buffer
                    libxml_clear_errors();
                    # put the setting back to previous state
                    libxml_use_internal_errors($xmlerr_setting);

                    if (!is_object($xml)) {
                        $respERR = "HCUERROR INVALID XML: ";
                        # if we need to print ea. error this would do it
                        # but really just want to know the doc. didn't load
//                        foreach ($xmlerrors as $error) {
//                            $respERR .= $error->message;
//                        }
                    }

# look for soap level error
                    $xml->registerXPathNamespace('s', "http://schemas.xmlsoap.org/soap/envelope/");
                    $errorresponse = $xml->xpath("//s:Fault");
                    if (is_array($errorresponse) && count($errorresponse)) {
                        $respERR = "HCUERROR: " . $errorresponse[0]->faultcode . " " . $errorresponse[0]->faultstring;
                    } else {
# got this far, guess good document first -
                        $xml->registerXPathNamespace('chk', 'http://integration.fiapi.com');
# xml always returns an array.  But there will only by 1, so use [0]
                        $respType = $xml->xpath("//chk:Response")[0]['TypeOfResponse'][0];
                        if ($respType == 'DocumentInquiryRs') {
                            $image = $xml->xpath("//chk:Page")[0];
                            $theader = "data:image/" . $image['Format'];
                            $imagebytes = base64_decode($image->Value);
                        } elseif ($respType == 'ERROR') {
                            $respAPI = $xml->xpath("//chk:Status")[0];
                            $respERR = "HCUERROR: " . $respAPI->StatusCode . " " . $respAPI->Desc;
                        } else {
                            $respERR = "HCUERROR: Unexpected XML content";
                        }
                    }
                }
                if ($respERR != '') {
                    $theader = $nctypehead;
                    $imagebytes = file_get_contents($nocheck);
                }
                global $parms;
                if (HCU_array_key_value("logging", $parms) == "enabled") {
                    $logParms = $parms["environment"];          // get the environment info passed in
                    $logParms["token"] = '';                    // the id used across all communications in session
                    $logParms["txnId"] = time();                // the id for this transaction
                    $logParms["logPoint"] = "FiServ Image";     // this action in a readable form
                    $logParms["request"] = "$cmd";              // the request
                    $logParms["reply"] = "$respERR\n";          // the response
                    // On successful inquiry of check image, whether or not we get
                    // a real check image or check image not found the vendor will
                    // return xml content.

                    // We want to log everything but the image data itself, so we
                    // replace the Page->Value with '(IMAGE DATA)'
                    // Page:
                    //    Number:   page number
                    //    Format:   image format -> gif
                    //    View:     front or back -> F / B
                    //    Value:    image bytes

                    // The Page->Value is contained rather deep in the xml structure
                    // chk:Response->DocumentInquiryRs->Document->Page->Value
                    if ($respType == "DocumentInquiryRs") {
                      $xmlPage = $xml->xpath("//chk:Page")[0];
                      $xmlPage->Value = "(IMAGE DATA)";
                      $logParms["reply"] .= $xml->asXML();
                    } else {
                      // Error, no iamge data. Log response from core
                      $logParms["reply"] .= $response;
                    }
                    LogSSOActivity($logParms);
                }


                return $theader . ';base64,' . base64_encode($imagebytes);
            }

/**
 * BumpDate Function to bump a processing date back to the previous work date
 * build a list of Federal holidays, and if we landed on a holiday
 * back up some more.
 * @param string $ckdate  date of the check to be considered
 * @return string YMD date to be used in image retrieval
 */
            function BumpDate($ckdate) {
                $dstamp = strtotime("$ckdate");

                $wday = date("w", $dstamp); # day of week 0=Sunday
                switch ($wday) {
                    case 1: # Monday, back up to Friday
                        $ymd = date("Ymd", $dstamp - (86400 * 3));
                        break;
                    default: # back up one day
                        $ymd = date("Ymd", $dstamp - 86400);
                        break;
                }
                # build list of holidays for year of ckdate
                # if we landed on a holiday, back up to the prior workday from the array
                $year = substr($ymd, 0, 4);
                $holidays = BumpHolidays($year, $year);
                if (array_key_exists($ymd, $holidays)) {
                    $ymd = $holidays[$ymd];
                }

                return $ymd;
            }

/**
 * FedImageSI retrieves a single image from FedImage service
 * @global array $parms used to get the settings for vendor logging
 * @param string $Cu          client code cuadmin.cu
 * @param string $src         link to retrieve the image
 * @param string $certfile    name of client sslcert in /home/{cu}/sslforms
 * @param string $pass        password for the client sslcert
 * @param string $server      FedImage URL
 * @return string base64 encoded image bytes
 */
            function FedImageSI($Cu, $src, $certfile, $pass, $server) {

                $response = "";
                # using hard-coded path instead of HB_ENV['cloudfrontDomainName']
                # because this runs from both banking and admin (HB_ENV undefined in admin)
                $nocheck = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/nochecksgl.gif";
                $nctypehead = "data:image/gif";
                $front = "Check Image Not Found";

                $cmd = "/usr/bin/curl --silent  -E $certfile:$pass $src";

                $curlopts = array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_SSL_VERIFYPEER => 0,
                    CURLOPT_SSL_VERIFYHOST => 0,
                    CURLOPT_HEADER => FALSE,
                    CURLOPT_SSLCERT => $certfile,
                    CURLOPT_SSLCERTPASSWD => $pass,
                    CURLOPT_URL => "$src");
//    $reqHeaders = array('Content-Type: text/xml');
                $reqHeaders = array();

                $ch = curl_init();
//curl_setopt($ch, CURLOPT_VERBOSE, true);
//$verbose = fopen('/tmp/fstrace', 'a+');
//curl_setopt($ch, CURLOPT_STDERR, $verbose);

                curl_setopt_array($ch, $curlopts);
//    curl_setopt($ch, CURLOPT_HTTPHEADER, $reqHeaders);

                $respERR = '';
                $imagebytes = curl_exec($ch);
                $respHTTP = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                $respTYPE = curl_getinfo($ch, CURLINFO_CONTENT_TYPE); # gets NULL if no valid Content-Type
                $respCURL = curl_errno($ch);

                if ($respCURL) {
                    # curl error
                    $respERR = "HCUERROR: Connection Failed cURL $respCURL";
                } elseif ($respHTTP > 400 && $respHTTP < 600) {
                    # HTTP Response 4xx client error or 5xx server error
                    $respERR = "HCUERROR: Connection Failed HTTP $respHTTP ";
                } elseif (!isset($imagebytes) || $imagebytes == '') {
                    # no response
                    $respERR = "HCUERROR: Empty Response";
                } elseif (is_null($respTYPE) || strtolower(substr($respTYPE, 0, 5)) != 'image') {
                    # Content-Type header missing or not an image
                    $respERR = "HCUERROR: Response Not an Image";
                } else {
                    # should be good response
                    $theader = "data:" . trim($respTYPE);
                }

                global $parms;
                if (HCU_array_key_value("logging", $parms) == "enabled") {
                    $logParms = $parms["environment"];        // get the environment info passed in
                    $logParms["token"] = '';                  // the id used across all communications in session
                    $logParms["txnId"] = time();              // the id for this transaction
                    $logParms["logPoint"] = "FedImage SI";    // this action in a readable form
                    $logParms["request"] = "$cmd";            // the request
                    $logParms["reply"] = "$respERR\n";        // the response
                    if (is_null($respTYPE) || strtolower(substr($respTYPE, 0, 5)) != 'image') {
                      $logParms["reply"] .= $imagebytes;      // response from core
                    } else {
                      $logParms["reply"] .= "(IMAGE DATA)\n"; // This is a string
                    }
                    LogSSOActivity($logParms);
                }

                if ($respERR != '') {
                    $theader = $nctypehead;
                    $imagebytes = file_get_contents($nocheck);
                }

                return $theader . ';base64,' . base64_encode($imagebytes);
            }

/**
 * FedImageGL gets the links for front & back images for a particular check
 * FedImage check retrieval works in 2 steps.  This function is the first
 * step, getting the links for the front and back of the requested check
 *
 * @global array $parms used to pass in the settings for vendor logging
 * @param string $Cu      client code cuadmin.cu
 * @param string $ckdate  home banking date accounthistory.date
 * @param currency $amount  check amount accounthistory.amount
 * @param string $check   check number accounthistory.checknumber
 * @param string $rt      cu routing & transit (ABA) number cuadmin.rt
 * @param string $micr    member micr accountbalance.micraccount
 * @param string $sk      accounthistory.sortkey - contains tracenumber
 * @param string $bytrace some clients retrieve by trace# instead of micr /check#
 * @param string $certfile    name of client sslcert in /home/{cu}/sslforms
 * @param string $pass        password for the client sslcert
 * @param string $server      FedImage URL
 * @return array w/status and, if found, the base64 encoded image bytes
 */
            function FedImageGL($Cu, $ckdate, $amount, $check, $rt, $micr, $sk, $bytrace, $certfile, $pass, $server) {
                # get links to images (front and back?)
# "/FedImage?cu=$Cu&mode=gl&date=$date&amount=$amount&check=$check&rt=$rt&micr=$micr&sk=$sk&bytrace=$bytrace{$inc_adm}&imgkey=$imgkey";
                /*
                  # FedSpecs.i provides 4 variables per client:
                  $fvtype="BW" for everyone
                  $certfile=path to client certificate
                  $passwd=password for client certificate
                  $server="https://www.federalreserve.org/image/DexGateway/servlets/DexGateway";
                 *
                 * change to set these in the monitor, and then FedSpecs.i is not needed
                 */

# get link to image
                $fvtype = "BW";
                $ymd = ( substr($ckdate, 6, 4) . substr($ckdate, 0, 2) . substr($ckdate, 3, 2));
                $amt = str_replace(".", "", $amount);

                $dxml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>
<requestPackage>
<itemRequest>
<userRequestId>user</userRequestId>
<description>Retrieve images</description>
<itemSelection>
<itemType>both</itemType>
<timeout>100</timeout>
<maxItemsReturned>1</maxItemsReturned>
<criteria>
<connector>AND</connector>
<field>
<name>Routing and Transit Number</name>
<operator>EQ</operator>
<value>$rt</value>
</field>
<field>
<name>Process Date</name>
<operator>EQ</operator>
<value>$ymd</value>
</field>
";
                if ($bytrace == 1) {
                    # query by Item Sequence Number
                    $dxml .= "<field>
<name>Item Sequence Number</name>
<operator>EQ</operator>
<value>$sk</value>
</field>
";
                } elseif ($bytrace == 2) {
                    # Tongass business accounts have check# in Aux On Us instead
                    $dxml .= "<field>
<name>Aux On Us</name>
<operator>EQ</operator>
<value>$check</value>
</field>
";
                } else {
                    $dxml .= "<field>
";
                    if ($Cu == 'SFEFCU' || $Cu == 'IUCU') {
                        $dxml .= "<name>Check Number</name>
";
                    } else {
                        $dxml .= "<name>Process Control</name>
";
                    }
                    $dxml .= "<operator>EQ</operator>
<value>$check</value>
</field>
";
                }
                $dxml .="<field>
<name>Account Number</name>
<operator>EQ</operator>
<value>$micr</value>
</field>
<field>
<name>Amount</name>
<operator>EQ</operator>
<value>$amt</value>
</field>
</criteria>
<view>
<viewType>F$fvtype</viewType>
<compression>PNG</compression>
<density>0</density>
<binarize>0</binarize>
</view>
<view>
<viewType>B$fvtype</viewType>
<compression>PNG</compression>
<density>0</density>
<binarize>0</binarize>
</view>
</itemSelection>
</itemRequest>
</requestPackage>";

                $response = "";
                # using hard-coded path instead of HB_ENV['cloudfrontDomainName']
                # because this runs from both banking and admin (HB_ENV undefined in admin)
                $nocheck = "https://d1kryjpwpzirc7.cloudfront.net/odyssey/images/nochecksgl.gif";
                $nctypehead = "data:image/gif";
                $front = "Check Image Not Found";
                $back = "NO";

                $cmd = "/usr/bin/curl --silent --data-binary '$dxml' -H 'Content-Type: text/xml' -E $certfile:$pass $server";

# use embedded curl to get results, check errors

                $curlopts = array(
                    CURLOPT_RETURNTRANSFER => 1,
                    CURLOPT_SSL_VERIFYPEER => 0,
                    CURLOPT_SSL_VERIFYHOST => 0,
                    CURLOPT_HEADER => FALSE,
                    CURLOPT_SSLCERT => $certfile,
                    CURLOPT_SSLCERTPASSWD => $pass,
                    CURLOPT_POSTFIELDS => $dxml,
                    CURLOPT_URL => "$server");
                $reqHeaders = array('Content-Type: text/xml');

                $ch = curl_init();
//curl_setopt($ch, CURLOPT_VERBOSE, true);
//$verbose = fopen('/tmp/fstrace', 'a+');
//curl_setopt($ch, CURLOPT_STDERR, $verbose);

                curl_setopt_array($ch, $curlopts);
                curl_setopt($ch, CURLOPT_HTTPHEADER, $reqHeaders);

                $respERR = 'Success';
                $response = curl_exec($ch);
                $respHTTP = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                $respTYPE = curl_getinfo($ch, CURLINFO_CONTENT_TYPE); # gets NULL if no valid Content-Type
                $respCURL = curl_errno($ch);

                if ($respCURL) {
                    # curl error
                    $respERR = "HCUERROR: Connection Failed cURL $respCURL";
                } elseif ($respHTTP > 400 && $respHTTP < 600) {
                    # HTTP Response 4xx client error or 5xx server error
                    $respERR = "HCUERROR: Connection Failed HTTP $respHTTP ";
                } elseif (!isset($response) || $response == '') {
                    # no response
                    $respERR = "HCUERROR: Empty Response";
                }

                if ($respERR == 'Success') {
# got this far, guess good document first -
# but try to handle xml load errors
                    # set xml to catch errors, and remember the current setting
                    $xmlerr_setting = libxml_use_internal_errors(true);

                    $xml = simplexml_load_string($response);

                    # retrieve any errors encountered on the load
                    $xmlerrors = libxml_get_errors();
                    # clear the internal buffer
                    libxml_clear_errors();
                    # put the setting back to previous state
                    libxml_use_internal_errors($xmlerr_setting);

                    if ($xml === FALSE ) {
                        # if we need to print ea. error this would do it
                        # but really just want to know the doc. didn't load
//                        foreach($xmlerrors as $error) {
//                            echo "\t", $error->message;
//                        }
                        $respERR = "HCUERROR: Invalid XML";
                        $imagebytes = file_get_contents($nocheck);
                        $front = $nctypehead . ';base64,' . base64_encode($imagebytes);
                        $back = "NO";
                    } else {
                    $respCode = $xml->xpath("//returnCode");
                    $retcode = 0;
                    foreach ($respCode as $code) {
                        $retcode += $code;
                    }
# check that $retcode == 0 ?
                    $respLinks = $xml->xpath("//imageKey");
                    if (HCU_array_key_value(0,$respLinks) && HCU_array_key_value(1,$respLinks)) {
                        $front = FedImageSI($Cu, $respLinks[0], $certfile, $pass, $server);
                        $back = FedImageSI($Cu, $respLinks[1], $certfile, $pass, $server);
                    } else {
                        $respERR = "HCUERROR: No Image Links ($retcode)";
                        $imagebytes = file_get_contents($nocheck);
                        $front = $nctypehead . ';base64,' . base64_encode($imagebytes);
                        $back = "NO";
                    }
                }
            }

                global $parms;
                if (HCU_array_key_value("logging", $parms) == "enabled") {
                    $logParms = $parms["environment"];          // get the environment info passed in
                    $logParms["token"] = '';                    // the id used across all communications in session
                    $logParms["txnId"] = time();                // the id for this transaction
                    $logParms["logPoint"] = "FedImage GL";      // this action in a readable form
                    $logParms["request"] = "$cmd";              // the request
                    $logParms["reply"] = "$respERR\n$response"; // the response
                    LogSSOActivity($logParms);
                }
# Status = 'Success' or error message
                return array('Status' => $respERR, 'Front' => $front, 'Back' => $back);
            }
/**
 * BumpHolidays Builds a list of federal holidays between $Start & $End
 * and a corresponding substitute processing date to be used for image retrieval
 * @param string $Start   beginning year
 * @param string $End     ending year
 * @return array holiday dates & respective substitute date
 */
            function BumpHolidays($Start, $End) {
//================================================= ================
//This function programmatically determines Federal Holidays landing
// between the given start and end YY
// adapted from code Written by Jana Bauer,
// which was adapted from code obtained at
//http://www.tek-tips.com/faqs.cfm?fid=6003
//
//adapted 2017 to return list of holiday & corresponding previous work day
//================================================= ================

                $holidays = array();
                for ($i = $Start; $i <= $End; $i++) {
                    for ($m = 1; $m <= 12; $m++) {
                        switch ($m) {
                            case 3:
                            case 4:
                            case 6:
                            case 8:
//                No holidays in these months
                                break;

                            case 1:
                                // New Year's Day 1/1 or closest Monday / Friday
                                $dtHoliday = mktime(12, 0, 0, 1, 1, $i);
                                $dtHoliday = GetNearestWeekday($dtHoliday);
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                // MLK Day 3rd Monday in January
                                $dow = idate('w', $dtHoliday);
                                # find first Monday
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday += 86400;
                                        break;
                                    case 1: #already Monday
                                        break;
                                    case 2:
                                        $dtHoliday += (86400 * 6);
                                        break;
                                    case 3:
                                        $dtHoliday += (86400 * 5);
                                        break;
                                    case 4:
                                        $dtHoliday += (86400 * 4);
                                        break;
                                    case 5:
                                        $dtHoliday += (86400 * 3);
                                        break;
                                    case 6:
                                        $dtHoliday += (86400 * 2);
                                        break;
                                }
                                $dtHoliday += (86400 * 14); # add 2 weeks to get 3rd Monday
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 2:
                                // President's Day 3rd Monday in February
                                $dtHoliday = mktime(12, 0, 0, 2, 1, $i);
                                $dow = idate('w', $dtHoliday);
                                # find first Monday
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday += 86400;
                                        break;
                                    case 1: #already Monday
                                        break;
                                    case 2:
                                        $dtHoliday += (86400 * 6);
                                        break;
                                    case 3:
                                        $dtHoliday += (86400 * 5);
                                        break;
                                    case 4:
                                        $dtHoliday += (86400 * 4);
                                        break;
                                    case 5:
                                        $dtHoliday += (86400 * 3);
                                        break;
                                    case 6:
                                        $dtHoliday += (86400 * 2);
                                        break;
                                }
                                $dtHoliday += (86400 * 14); # add 2 weeks to get 3rd Monday
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 5:
                                // Memorial Day Last Monday in May
                                $dtHoliday = mktime(12, 0, 0, 5, 31, $i);
                                $dow = idate('w', $dtHoliday);
                                # find last day & back up
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday -= (86400 * 6);
                                        break;
                                    case 1: #already Monday
                                        break;
                                    case 2:
                                        $dtHoliday -= 86400;
                                        break;
                                    case 3:
                                        $dtHoliday -= (86400 * 2);
                                        break;
                                    case 4:
                                        $dtHoliday -= (86400 * 3);
                                        break;
                                    case 5:
                                        $dtHoliday -= (86400 * 4);
                                        break;
                                    case 6:
                                        $dtHoliday -= (86400 * 5);
                                        break;
                                }
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 7:
                                // Independence Day 7/4 or Closest Friday / Monday
                                $dtHoliday = mktime(12, 0, 0, 7, 4, $i);
                                $dtHoliday = GetNearestWeekday($dtHoliday);
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));

                                break;

                            case 9:
                                // Labor Day 1st Monday in September
                                $dtHoliday = mktime(12, 0, 0, 9, 1, $i);
                                $dow = idate('w', $dtHoliday);
                                # find first Monday
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday += 86400;
                                        break;
                                    case 1: #already Monday
                                        break;
                                    case 2:
                                        $dtHoliday += (86400 * 6);
                                        break;
                                    case 3:
                                        $dtHoliday += (86400 * 5);
                                        break;
                                    case 4:
                                        $dtHoliday += (86400 * 4);
                                        break;
                                    case 5:
                                        $dtHoliday += (86400 * 3);
                                        break;
                                    case 6:
                                        $dtHoliday += (86400 * 2);
                                        break;
                                }
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 10:
                                // Columbus Day 2nd Monday in October
                                $dtHoliday = mktime(12, 0, 0, 10, 1, $i);
                                $dow = idate('w', $dtHoliday);
                                # find first Monday
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday += 86400;
                                        break;
                                    case 1: #already Monday
                                        break;
                                    case 2:
                                        $dtHoliday += (86400 * 6);
                                        break;
                                    case 3:
                                        $dtHoliday += (86400 * 5);
                                        break;
                                    case 4:
                                        $dtHoliday += (86400 * 4);
                                        break;
                                    case 5:
                                        $dtHoliday += (86400 * 3);
                                        break;
                                    case 6:
                                        $dtHoliday += (86400 * 2);
                                        break;
                                }
                                $dtHoliday += (86400 * 7); # add 1 week to get 2nd Monday
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 11:
                                // Veteran's Day 11/11 or Following Monday
                                $dtHoliday = mktime(12, 0, 0, 11, 11, $i);
                                $dtHoliday = GetNearestWeekday($dtHoliday);
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));

                                // Thanksgiving Day 4th Thursday in November
                                $dtHoliday = mktime(12, 0, 0, 11, 1, $i);
                                $dow = idate('w', $dtHoliday);
                                # find first Thursday
                                switch ($dow) {
                                    case 0: #Sunday
                                        $dtHoliday += (86400 * 4);
                                        break;
                                    case 1: #Monday
                                        $dtHoliday += (86400 * 3);
                                        break;
                                    case 2:
                                        $dtHoliday += (86400 * 2);
                                        break;
                                    case 3:
                                        $dtHoliday += 86400;
                                        break;
                                    case 4:
                                        break;
                                    case 5:
                                        $dtHoliday += (86400 * 6);
                                        break;
                                    case 6:
                                        $dtHoliday += (86400 * 5);
                                        break;
                                }
                                $dtHoliday += (86400 * 21); # add 3 weeks to get 4th Thursday
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));
                                break;

                            case 12:
                                // Christmas Day 12/25 or closest Friday / Monday
                                $dtHoliday = mktime(12, 0, 0, 12, 25, $i);
                                $dtHoliday = GetNearestWeekday($dtHoliday);
                                $holidays[date('Ymd', $dtHoliday)] = date('Ymd', GetPreviousWeekday($dtHoliday));

                                break;
                        }
                    }
                }

                return $holidays;
            }

            /**
             * GetPreviousWeekday Returns previous week day
             * Sunday & Monday move to previous Friday
             * Tues - Saturday move backward one day
             * @param timestamp $dtTimeStamp date to be examined
             * @return int timestamp of adjusted day
             */
            Function GetPreviousWeekday($dtTimeStamp) {
//Note Sunday = 0, Saturday = 6
                $intWeekday = idate('w', $dtTimeStamp);
                switch ($intWeekday) {
                    case 0: #Sunday - move back to Friday
                        $dtTimeStamp -= (2 * 86400);
                        break;
                    case 1: # Monday - move back to Friday
                        $dtTimeStamp -= (3 * 86400);
                        break;
                    case 2:# Tuesday - Saturday - move back one day
                    case 3:
                    case 4:
                    case 5:
                    case 6:
                    default:
                        $dtTimeStamp -= 86400;
                        break;
                }
                return $dtTimeStamp;
            }

            /**
             * GetNearestWeekday adjusts timestamp if needed to hit a weekday
             * @param timestamp $dtTimeStamp date to examine
             * @return int timestamp adjusted to nearest weekday -
             * Sunday moves forward to Monday
             * Saturday moves back to Friday
             */
            Function GetNearestWeekday($dtTimeStamp) {
//Note Sunday = 0, Saturday = 6
                $intWeekday = idate('w', $dtTimeStamp);
                switch ($intWeekday) {
                    case 0: #Sunday - move forward to Monday
                        $dtTimeStamp += 86400;
                        break;
                    case 6: #Saturday - move back to Friday
                        $dtTimeStamp -= 86400;
                        break;
                    case 1: # Monday - Friday - do nothing
                    case 2:
                    case 3:
                    case 4:
                    case 5:
                    default:
                        break;
                }
                return $dtTimeStamp;
            }
?>