dcmsign(1)
NAME
dcmsign - Sign and Verify DICOM Files
SYNOPSIS
dcmsign [options] dcmfile-in [dcmfile-out]
DESCRIPTION
The dcmsign utility reads a DICOM file (dicomfile-in), performs a digital signature operation and, if any modification has taken place, writes the DICOM object to an output file (dicomfile-out).
Five digital signature operations are supported:
- o verification of all signatures in the DICOM file
o creation of a new digital signature located in the main dataset,
o creation of a new digital signature in an item of a sequence embedded - within the dataset,
- o removal of a single digital signature from the DICOM file, and
o removal of all digital signatures from the DICOM file.
PARAMETERS
dcmfile-in DICOM input filename to be processed
dcmfile-out DICOM output filename
OPTIONS
- general options
- -h --help
print this help text and exit
- --version
print version information and exit
- -v --verbose
- verbose mode, print processing details
- -d --debug
- debug mode, print debug information
- +d --dump [f]ilename: string
- dump byte stream fed into the MAC codec to file
(only with --sign or --sign-item) - input options
- input file format:
+f --read-fileread file format or data set (default) - +fo --read-file-only
- read file format only
- -f --read-dataset
- read data set without file meta information
- input transfer syntax:
-t= --read-xfer-autouse TS recognition (default)- -td --read-xfer-detect
- ignore TS specified in the file meta header
- -te --read-xfer-little
- read with explicit VR little endian TS
- -tb --read-xfer-big
- read with explicit VR big endian TS
- -ti --read-xfer-implicit
- read with implicit VR little endian TS
- signature commands
- --verify
verify all signatures (default)
- +s --sign private key file, certificate file: string
- create signature in main object
- +si --sign-item keyfile, certfile, item location: string
- create signature in sequence item
- +r --remove signature UID: string
- remove signature
- +ra --remove-all
- remove all signatures from data set
- signature creation options (only with --sign or --sign-item):
- private key password options:
+ps --std-passwdprompt user to type password on stdin (default) - +pw --use-passwd [p]assword: string
- use specified password
- -pw --null-passwd
- use empty string as password
- key and certificate file format options:
-pem --pem-keysread keys/certificates as PEM file (default)- -der --der-keys
- read keys/certificates as DER file
- digital signature profile options:
-pf --profile-nonedon't enforce any signature profile (default)- +pb --profile-base
- enforce base RSA signature profile
- +pc --profile-creator
- enforce creator RSA signature profile
- +pa --profile-auth
- enforce authorization signature profile
- MAC algorithm options:
+mr --mac-ripemd160use RIPEMD 160 (default)- +ms --mac-sha1
- use SHA-1
- +mm --mac-md5
- use MD 5
- tag selection options:
-t --tagtag: "xxxx,xxxx" or a data dictionary name
sign only specified tag
this option can be specified multiple times- -tf --tag-file filename: string
- read list of tags from text file
- signature format options:
-fn --format-newuse correct DICOM signature format (default)- -fo --format-old
- use old (pre-3.5.4) DCMTK signature format, non-conformant
if signature includes compressed pixel data - output options
- output transfer syntax:
+t= --write-xfer-samewrite with same TS as input (default) - +te --write-xfer-little
- write with explicit VR little endian TS
- +tb --write-xfer-big
- write with explicit VR big endian TS
- +ti --write-xfer-implicit
- write with implicit VR little endian TS
- length encoding in sequences and items:
+e --length-explicitwrite with explicit lengths (default)- -e --length-undefined
- write with undefined lengths
NOTES
- Files and Parameters
- The dcmsign utility reads and writes a number of files and file formats
which are described in this section.
Public Key Certificates are expected in X.509v3 format, either with PEM or DER encoding. The dcmsign utility currently supports RSA and DSA public keys, although only RSA keys are defines in the Security Profiles of the DICOM standard.
Private Keys are expected in PEM or DER encoding. PEM is recommended (and default) because this allows to keep private keys in encrypted form. Command line options control the behaviour of dcmsign when an encrypted PEM key is opened (see above). In general it is not recommended to specify the encryption password in the command line because the command line may be visible to other processes in the system, e.g. 'ps -ef'.
The list of data elements to sign can either be read from a file or specified on the command line or both (in this case the keys are combined).
On the command line, attribute keys are specified as
--tag "gggg,eeee" where gggg and eeee are the hexadecimal groupand element numbers - --tag "Name" where 'Name' is a symbolic attribute name from
the DICOM dictionary (see below).
- When attribute tags are read from file with the --tag-file option, a
plain text file of max. 64 kbyte is expected. Tags within the file are
either symbolic names from the data dictionary or have the format
(gggg,eeee) (with braces). Tags are separated by one or more whitespace
characters.
The --sign-item operation requires a location string that describes in which sequence item a signature is to be created. The location string has the following format:
SequenceName[index].SequenceName[index].SequenceName[index](...)
where SequenceName is either a symbolic attribute name from the data dictionary or a numeric tag in the format (gggg,eeee) and index is an unsigned decimal integer for the item number, starting with zero for the first item in a sequence. As an example, the following location string
ReferencedSeriesSequence[0].ReferencedImageSequence[1]
would cause a digital signature to be created in the second item of the ReferencedImageSequence (0008,1140) which is located in the first item of the ReferencedSeriesSequence (0008,1115) which is located in the main DICOM dataset.
COMMAND LINE
All command line tools use the following notation for parameters:
square brackets enclose optional values (0-1), three trailing dots
indicate that multiple values are allowed (1-n), a combination of both
means 0 to n values.
Command line options are distinguished from parameters by a leading '+'
or '-' sign, respectively. Usually, order and position of command line
options are arbitrary (i.e. they can appear anywhere). However, if
options are mutually exclusive the rightmost appearance is used. This
behaviour conforms to the standard evaluation rules of common Unix
shells.
In addition, one or more command files can be specified using an '@'
sign as a prefix to the filename (e.g. @command.txt). Such a command
argument is replaced by the content of the corresponding text file
(multiple whitespaces are treated as a single separator) prior to any
further evaluation. Please note that a command file cannot contain
another command file. This simple but effective approach allows to
summarize common combinations of options/parameters and avoids longish
and confusing command lines (an example is provided in file
share/data/dumppat.txt).
ENVIRONMENT
The dcmsign utility will attempt to load DICOM data dictionaries
specified in the DCMDICTPATH environment variable. By default, i.e. if
the DCMDICTPATH environment variable is not set, the file
<PREFIX>/lib/dicom.dic will be loaded unless the dictionary is built
into the application (default for Windows).
The default behaviour should be preferred and the DCMDICTPATH
environment variable only used when alternative data dictionaries are
required. The DCMDICTPATH environment variable has the same format as
the Unix shell PATH variable in that a colon (':') separates entries.
The data dictionary code will attempt to load each file specified in
the DCMDICTPATH environment variable. It is an error if no data
dictionary can be loaded.
COPYRIGHT
- Copyright (C) 2000-2005 by Kuratorium OFFIS e.V., Escherweg 2, 26121
Oldenburg, Germany.