dcmsign(1) OFFIS DCMTK dcmsign(1)


NAME
dcmsign - Sign and Verify DICOM Files


SYNOPSIS
dcmsign [options] dcmfile-in [dcmfile-out]

DESCRIPTION
The dcmsign utility reads a DICOM file (dcmfile-in), performs a digital
signature operation and, if any modification has taken place, writes
the DICOM object to an output file (dcmfile-out).

Five digital signature operations are supported:

· verification of all signatures in the DICOM file,
· creation of a new digital signature located in the main dataset,
· creation of a new digital signature in an item of a sequence embedded
within the dataset,
· removal of a single digital signature from the DICOM file, and
· removal of all digital signatures from the DICOM file.

PARAMETERS
dcmfile-in DICOM input filename to be processed

dcmfile-out DICOM output filename
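The following script, added here as a worked example (it is not part of DCMTK or of this manual page), exercises four of the five operations on a constructed DICOM object: it signs the main dataset, shows that a modified copy fails verification, signs an item of ReferencedSeriesSequence, and strips all signatures again. It assumes that the DCMTK tools dump2dcm (to build the input object) and dcmodify (to tamper with a signed copy) and the openssl command are installed next to dcmsign, and that dcmsign --verify reports the result for each signature as a line containing "Verification : OK"; the script counts those lines instead of relying on the exit status. The key passphrase is kept in a mode-0600 command file (@sign.cmd, see COMMAND LINE below) so that it never appears on the visible command line. All UIDs under 2.25.* and the passphrase are constructed for the example.

```sh
#!/bin/sh
# Added example (not DCMTK code): exercise dcmsign end to end on a constructed
# DICOM object. Assumes dcmsign, dump2dcm, dcmodify and openssl are on PATH and
# that dcmsign --verify reports each signature's result as "Verification : OK".

have_tools() {
    for t in dcmsign dump2dcm dcmodify openssl; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# Encrypted PEM RSA key plus self-signed X.509v3 certificate. The passphrase
# goes into mode-0600 files only: "pass" for openssl, "sign.cmd" for dcmsign.
# dcmsign expands @sign.cmd in-process, so `ps` shows "@.../sign.cmd", not "+pw ...".
make_keypair() {   # $1 = work dir
    pass='c0rrect-h0rse-battery-staple'            # constructed demo passphrase
    (umask 077; printf '%s\n' "$pass" >"$1/pass"; printf '+pw %s\n' "$pass" >"$1/sign.cmd")
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass file:"$1/pass" -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -passin file:"$1/pass" \
        -subj '/CN=dcmsign example' -days 30 -out "$1/cert.pem" 2>/dev/null
}

# A minimal Secondary Capture object, built from a dcmdump-style text dump.
# The 2.25.* UIDs are constructed for this example.
make_object() {    # $1 = work dir
    cat >"$1/in.dump" <<'EOF'
(0008,0016) UI [1.2.840.10008.5.1.4.1.1.7]
(0008,0018) UI [2.25.1001]
(0008,1115) SQ (Sequence with undefined length)
  (fffe,e000) na (Item with undefined length)
    (0020,000e) UI [2.25.1002]
  (fffe,e00d) na (ItemDelimitationItem)
(fffe,e0dd) na (SequenceDelimitationItem)
(0010,0010) PN [DOE^JOHN]
(0020,000d) UI [2.25.1003]
(0020,000e) UI [2.25.1002]
EOF
    dump2dcm "$1/in.dump" "$1/in.dcm"
}

# Succeeds only if the file carries at least one signature and every one verifies.
# Counts the per-signature result lines instead of trusting the exit status.
verify_report() {  # $1 = DICOM file
    out=$(dcmsign -v --verify "$1" 2>&1) || return 1
    printf '%s\n' "$out"
    n_all=$(printf '%s\n' "$out" | grep -c 'Verification *:') || true
    n_ok=$(printf '%s\n' "$out" | grep -c 'Verification *: *OK') || true
    [ "$n_all" -gt 0 ] && [ "$n_ok" -eq "$n_all" ]
}

run_demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" && make_object "$dir" || return 1

    # 1. signature covering the main dataset
    dcmsign @"$dir/sign.cmd" +s "$dir/key.pem" "$dir/cert.pem" \
        "$dir/in.dcm" "$dir/signed.dcm" || return 1
    verify_report "$dir/signed.dcm" || return 1

    # 2. any change to a signed element must be detected
    cp "$dir/signed.dcm" "$dir/tampered.dcm"
    dcmodify -nb -m "PatientName=MALLORY^EVE" "$dir/tampered.dcm" || return 1
    if verify_report "$dir/tampered.dcm"; then
        echo "FAIL: modification of PatientName went undetected"; return 1
    fi

    # 3. signature inside the first item of ReferencedSeriesSequence (0008,1115)
    dcmsign @"$dir/sign.cmd" +si "$dir/key.pem" "$dir/cert.pem" \
        'ReferencedSeriesSequence[0]' "$dir/in.dcm" "$dir/item_signed.dcm" || return 1
    verify_report "$dir/item_signed.dcm" || return 1

    # 4. remove every signature; verification must then find none
    dcmsign +ra "$dir/signed.dcm" "$dir/stripped.dcm" || return 1
    if verify_report "$dir/stripped.dcm"; then
        echo "FAIL: signatures survived --remove-all"; return 1
    fi

    rm -rf "$dir"
    echo "dcmsign walk-through: OK"
}

if have_tools; then run_demo; else echo "skipped: dcmsign, dump2dcm, dcmodify and openssl are required"; fi
```

For production use add +pb (or the stricter profile your deployment mandates) to the two signing calls so that dcmsign refuses a signature that does not cover the attributes the DICOM profile requires; the example keeps the -pf default only to stay independent of the input object's contents.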
OPTIONS
general options
-h --help
print this help text and exit

--version
print version information and exit

--arguments
print expanded command line arguments

-q --quiet
quiet mode, print no warnings and errors

-v --verbose
verbose mode, print processing details

-d --debug
debug mode, print debug information

-ll --log-level [l]evel: string constant
(fatal, error, warn, info, debug, trace)
use level l for the logger

-lc --log-config [f]ilename: string
use config file f for the logger
input options
input file format:

+f --read-file
read file format or data set (default)

+fo --read-file-only
read file format only

-f --read-dataset
read data set without file meta information

input transfer syntax:

-t= --read-xfer-auto
use TS recognition (default)

-td --read-xfer-detect
ignore TS specified in the file meta header

-te --read-xfer-little
read with explicit VR little endian TS

-tb --read-xfer-big
read with explicit VR big endian TS

-ti --read-xfer-implicit
read with implicit VR little endian TS
signature commands
--verify
verify all signatures (default)

+s --sign [p]rivate key file, [c]ertificate file: string
create signature in main object

+si --sign-item [k]eyfile, [c]ertfile, [i]tem location: string
create signature in sequence item

+r --remove [s]ignature UID: string
remove signature

+ra --remove-all
remove all signatures from data set
signature creation options (only with --sign or --sign-item):
private key password:

+ps --std-passwd
prompt user to type password on stdin (default)

+pw --use-passwd [p]assword: string
use specified password

-pw --null-passwd
use empty string as password

key and certificate file format:

-pem --pem-keys
read keys/certificates as PEM file (default)

-der --der-keys
read keys/certificates as DER file

digital signature profile:

-pf --profile-none
don't enforce any signature profile (default)

+pb --profile-base
enforce base RSA signature profile

+pc --profile-creator
enforce creator RSA signature profile

+pa --profile-auth
enforce authorization signature profile

MAC algorithm:

+mr --mac-ripemd160
use RIPEMD 160 (default)

+ms --mac-sha1
use SHA-1

+mm --mac-md5
use MD 5

tag selection:

-t --tag [t]ag: "gggg,eeee" or dictionary name
sign only specified tag
(this option can be specified multiple times)

-tf --tag-file [f]ilename: string
read list of tags from text file

signature format:

-fn --format-new
use correct DICOM signature format (default)

-fo --format-old
use old (pre-3.5.4) DCMTK signature format, non-conformant
if signature includes compressed pixel data
output options
output transfer syntax:

+t= --write-xfer-same
write with same TS as input (default)

+te --write-xfer-little
write with explicit VR little endian TS

+tb --write-xfer-big
write with explicit VR big endian TS

+ti --write-xfer-implicit
write with implicit VR little endian TS

length encoding in sequences and items:

+e --length-explicit
write with explicit lengths (default)

-e --length-undefined
write with undefined lengths

other output options:

+d --dump [f]ilename: string
dump byte stream fed into the MAC codec to file
(only with --sign or --sign-item)
NOTES
Files and Parameters
The dcmsign utility reads and writes a number of files and file formats
which are described in this section.
Public Key Certificates are expected in X.509v3 format, either with PEM
or DER encoding. The dcmsign utility currently supports RSA and DSA
public keys, although only RSA keys are defined in the Security
Profiles of the DICOM standard. Note that none of the options listed
above accepts a trust anchor (CA certificate): --verify checks each
signature against the signer's certificate stored in the DICOM object
itself. A successful verification therefore shows that the signed
elements are unchanged since they were signed with the key matching
that certificate; whether the certificate belongs to a party you trust
has to be established by other means.
Private Keys are expected in PEM or DER encoding. PEM is recommended
(and default) because this allows one to keep private keys in encrypted
form. Command line options control the behavior of dcmsign when an
encrypted PEM key is opened (see above). In general it is not
recommended to specify the encryption password in the command line
because the command line may be visible to other processes in the
system, e.g. 'ps -ef'. A command file (see COMMAND LINE below) holding
the --use-passwd option is expanded inside dcmsign and keeps the
password out of the visible command line, provided the file itself is
protected.
Of the MAC algorithms offered by this version, MD5 and SHA-1 are no
longer collision resistant; keep the RIPEMD 160 default unless a peer
explicitly requires one of the others.
The list of data elements to sign can either be read from a file or
specified on the command line or both (in this case the keys are
combined).
On the command line, attribute keys are specified as
--tag "gggg,eeee" where gggg and eeee are the hexadecimal group
and element numbers
--tag "Name" where 'Name' is a symbolic attribute name from
the DICOM dictionary (see below).
When attribute tags are read from file with the --tag-file option, a
plain text file of max. 64 kbyte is expected. Tags within the file are
either symbolic names from the data dictionary or have the format
(gggg,eeee) (with braces). Tags are separated by one or more whitespace
characters.
The --sign-item operation requires a location string that describes in
which sequence item a signature is to be created. The location string
has the following format:
SequenceName[index].SequenceName[index].SequenceName[index](...)
where SequenceName is either a symbolic attribute name from the data
dictionary or a numeric tag in the format (gggg,eeee) and index is an
unsigned decimal integer for the item number, starting with zero for
the first item in a sequence. As an example, the following location
string
ReferencedSeriesSequence[0].ReferencedImageSequence[1]
would cause a digital signature to be created in the second item of the
ReferencedImageSequence (0008,1140) which is located in the first item
of the ReferencedSeriesSequence (0008,1115) which is located in the
main DICOM dataset.
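To make the tag-list and location-string formats above concrete, the following Python, added here as an example (it is not DCMTK code), parses --tag values, a --tag-file and a --sign-item location string, and resolves the location against a small in-memory dataset to show which item the string denotes. The data dictionary is a constructed six-entry subset (the two sequence tags are the ones quoted above, the others are standard DICOM tags), the dataset is constructed, and the dict-of-lists dataset model and the item-resolution walk are illustrations, not DCMTK's own traversal code.

```python
"""Parsers for the two text formats the dcmsign NOTES section describes:
the list of attribute tags to sign (--tag on the command line, --tag-file)
and the --sign-item location string. Added example, not DCMTK code."""
import re

# Constructed subset of the DICOM data dictionary: symbolic name -> (group, element).
DATA_DICTIONARY = {
    "SOPInstanceUID": (0x0008, 0x0018),
    "ReferencedSeriesSequence": (0x0008, 0x1115),
    "ReferencedImageSequence": (0x0008, 0x1140),
    "ReferencedSOPInstanceUID": (0x0008, 0x1155),
    "PatientName": (0x0010, 0x0010),
    "PixelData": (0x7FE0, 0x0010),
}
TAG_FILE_LIMIT = 64 * 1024      # dcmsign reads at most 64 kbyte from a --tag-file
NUMERIC_TAG = re.compile(r"^([0-9A-Fa-f]{4}),([0-9A-Fa-f]{4})$")
LOCATION_STEP = re.compile(
    r"^(\([0-9A-Fa-f]{4},[0-9A-Fa-f]{4}\)|[A-Za-z][A-Za-z0-9]*)\[(\d+)\]$")


def fmt_tag(tag):
    return "(%04x,%04x)" % tag


def parse_tag(token, braces):
    """Resolve one tag token to a (group, element) pair.

    braces=False is the command-line form: "gggg,eeee" or a dictionary name.
    braces=True is the tag-file / location form: "(gggg,eeee)" or a name.
    """
    token = token.strip()
    wrapped = token.startswith("(") and token.endswith(")")
    m = NUMERIC_TAG.match(token[1:-1] if wrapped else token)
    if m:
        if wrapped != braces:
            want = "with" if braces else "without"
            raise ValueError(f"numeric tag {token!r} must be written {want} braces")
        return int(m.group(1), 16), int(m.group(2), 16)
    if token in DATA_DICTIONARY:
        return DATA_DICTIONARY[token]
    raise ValueError(f"unknown attribute tag {token!r}")


def parse_tag_file(text):
    """--tag-file: whitespace-separated names or (gggg,eeee) tokens, max 64 kbyte."""
    if len(text.encode("utf-8")) > TAG_FILE_LIMIT:
        raise ValueError("tag file exceeds 64 kbyte")
    return [parse_tag(tok, braces=True) for tok in text.split()]


def tags_to_sign(cli_tags=(), tag_file_text=None):
    """Merge --tag values and --tag-file contents (dcmsign combines both);
    returns a sorted list without duplicates."""
    keys = [parse_tag(t, braces=False) for t in cli_tags]
    if tag_file_text is not None:
        keys += parse_tag_file(tag_file_text)
    return sorted(set(keys))


def parse_location(location):
    """--sign-item location: Seq[i].Seq[j]... -> [((group, element), index), ...]"""
    steps = []
    for step in location.split("."):
        m = LOCATION_STEP.match(step)
        if not m:
            raise ValueError(f"malformed location step {step!r}")
        steps.append((parse_tag(m.group(1), braces=True), int(m.group(2))))
    return steps


def resolve_item(dataset, location):
    """Walk a toy dataset to the item a location string denotes.

    Dataset model (constructed for this example): a dict mapping
    (group, element) to a value; a sequence's value is a list of item
    dicts, index 0 being the first item, as in the location syntax.
    """
    item = dataset
    for tag, index in parse_location(location):
        items = item.get(tag)
        if not isinstance(items, list):
            raise LookupError(f"sequence {fmt_tag(tag)} not present at this level")
        if index >= len(items):
            raise LookupError(f"{fmt_tag(tag)} has {len(items)} item(s), no item #{index}")
        item = items[index]
    return item


# Constructed dataset with the nesting used in the man page's example.
SAMPLE_DATASET = {
    (0x0010, 0x0010): "DOE^JOHN",
    (0x0008, 0x1115): [{
        (0x0008, 0x1140): [
            {(0x0008, 0x1155): "2.25.1001"},
            {(0x0008, 0x1155): "2.25.1002"},
        ],
    }],
}

if __name__ == "__main__":
    print(tags_to_sign(["PatientName", "0008,0018"], "(7fe0,0010)\nPatientName\n"))
    print(resolve_item(SAMPLE_DATASET,
                       "ReferencedSeriesSequence[0].ReferencedImageSequence[1]"))
```

The brace check is deliberately strict in both directions, mirroring the two spellings the text prescribes, so a tag list copied from a tag file onto the command line (or vice versa) fails loudly instead of silently signing nothing.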
LOGGING
The level of logging output of the various command line tools and
underlying libraries can be specified by the user. By default, only
errors and warnings are written to the standard error stream. Using
option --verbose also informational messages like processing details
are reported. Option --debug can be used to get more details on the
internal activity, e.g. for debugging purposes. Other logging levels
can be selected using option --log-level. In --quiet mode only fatal
errors are reported. In such very severe error events, the application
will usually terminate. For more details on the different logging
levels, see documentation of module 'oflog'.
In case the logging output should be written to file (optionally with
logfile rotation), to syslog (Unix) or the event log (Windows) option
--log-config can be used. This configuration file also allows for
directing only certain messages to a particular output stream and for
filtering certain messages based on the module or application where
they are generated. An example configuration file is provided in
<etcdir>/logger.cfg.
COMMAND LINE
All command line tools use the following notation for parameters:
square brackets enclose optional values (0-1), three trailing dots
indicate that multiple values are allowed (1-n), a combination of both
means 0 to n values.
Command line options are distinguished from parameters by a leading '+'
or '-' sign. Usually, order and position of command line options are
arbitrary (i.e. they can appear anywhere). However, if options are
mutually exclusive the rightmost appearance is used. This behavior
conforms to the standard evaluation rules of common Unix shells.
In addition, one or more command files can be specified using an '@'
sign as a prefix to the filename (e.g. @command.txt). Such a command
argument is replaced by the content of the corresponding text file
(multiple whitespaces are treated as a single separator unless they
appear between two quotation marks) prior to any further evaluation.
Please note that a command file cannot contain another command file.
This simple but effective approach allows one to summarize common
combinations of options/parameters and avoids longish and confusing
command lines (an example is provided in file <datadir>/dumppat.txt).
ENVIRONMENT
The dcmsign utility will attempt to load DICOM data dictionaries
specified in the DCMDICTPATH environment variable. By default, i.e. if
the DCMDICTPATH environment variable is not set, the file
<datadir>/dicom.dic will be loaded unless the dictionary is built into
the application (default for Windows).
The default behavior should be preferred and the DCMDICTPATH
environment variable only used when alternative data dictionaries are
required. The DCMDICTPATH environment variable has the same format as
the Unix shell PATH variable in that a colon (':') separates entries.
On Windows systems, a semicolon (';') is used as a separator. The data
dictionary code will attempt to load each file specified in the
DCMDICTPATH environment variable. It is an error if no data dictionary
can be loaded.
COPYRIGHT
Copyright (C) 2000-2014 by OFFIS e.V., Escherweg 2, 26121 Oldenburg,
Germany.


Version 3.6.2 Fri Jul 14 2017 dcmsign(1)