Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
dcmsign(1)			  OFFIS	DCMTK			    dcmsign(1)

       dcmsign - Sign and Verify DICOM Files

       dcmsign [options] dcmfile-in [dcmfile-out]

       The dcmsign utility reads a DICOM file (dcmfile-in), performs a digital
       signature operation and,	if any modification has	 taken	place,	writes
       the DICOM object	to an output file (dcmfile-out).

       Five digital signature operations are supported:

       o verification of all signatures	in the DICOM file
       o creation of a new digital signature located in	the main dataset,
       o creation of a new digital signature in	an item	of a sequence embedded
	 within	the dataset,
       o removal of a single digital signature from the	DICOM file, and
       o removal of all	digital	signatures from	the DICOM file.
       dcmfile-in   DICOM input	filename to be processed

       dcmfile-out  DICOM output filename
   general options
	 -h    --help
		 print this help text and exit

		 print version information and exit

		 print expanded	command	line arguments

	 -q    --quiet
		 quiet mode, print no warnings and errors

	 -v    --verbose
		 verbose mode, print processing	details

	 -d    --debug
		 debug mode, print debug information

	 -ll   --log-level  [l]evel: string constant
		 (fatal, error,	warn, info, debug, trace)
		 use level l for the logger

	 -lc   --log-config  [f]ilename: string
		 use config file f for the logger
   input options
       input file format:

	 +f    --read-file
		 read file format or data set (default)

	 +fo   --read-file-only
		 read file format only

	 -f    --read-dataset
		 read data set without file meta information

       input transfer syntax:

	 -t=   --read-xfer-auto
		 use TS	recognition (default)

	 -td   --read-xfer-detect
		 ignore	TS specified in	the file meta header

	 -te   --read-xfer-little
		 read with explicit VR little endian TS

	 -tb   --read-xfer-big
		 read with explicit VR big endian TS

	 -ti   --read-xfer-implicit
		 read with implicit VR little endian TS
   signature commands
		 verify	all signatures (default)

	 +s    --sign  [p]rivate key file, [c]ertificate file: string
		 create	signature in main object

	 +si   --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
		 create	signature in sequence item

	 +r    --remove	 [s]ignature UID: string
		 remove	signature

	 +ra   --remove-all
		 remove	all signatures from data set
   signature creation options (only with –sign or	–sign-item):
       private key password:

	 +ps   --std-passwd
		 prompt	user to	type password on stdin (default)

	 +pw   --use-passwd  [p]assword: string
		 use specified password

	 -pw   --null-passwd
		 use empty string as password

       key and certificate file	format:

	 -pem  --pem-keys
		 read keys/certificates	as PEM file (default)

	 -der  --der-keys
		 read keys/certificates	as DER file

       digital signature profile:

	 -pf   --profile-none
		 don't enforce any signature profile (default)

	 +pb   --profile-base
		 enforce base RSA signature profile

	 +pc   --profile-creator
		 enforce creator RSA signature profile

	 +pa   --profile-auth
		 enforce authorization signature profile

       MAC algorithm:

	 +mr   --mac-ripemd160
		 use RIPEMD 160	(default)

	 +ms   --mac-sha1
		 use SHA-1

	 +mm   --mac-md5
		 use MD	5

       tag selection:

	 -t    --tag
		 [t]ag:	"gggg,eeee" or dictionary name
		 sign only specified tag
		 (this option can be specified multiple	times)

	 -tf   --tag-file  [f]ilename: string
		 read list of tags from	text file

       signature format:

	 -fn   --format-new
		 use correct DICOM signature format (default)

	 -fo   --format-old
		 use old (pre-3.5.4) DCMTK signature format, non-conformant
		 if signature includes compressed pixel	data
   output options
       output transfer syntax:

	 +t=   --write-xfer-same
		 write with same TS as input (default)

	 +te   --write-xfer-little
		 write with explicit VR	little endian TS

	 +tb   --write-xfer-big
		 write with explicit VR	big endian TS

	 +ti   --write-xfer-implicit
		 write with implicit VR	little endian TS

       length encoding in sequences and	items:

	 +e    --length-explicit
		 write with explicit lengths (default)

	 -e    --length-undefined
		 write with undefined lengths

       other output options:

	 +d    --dump  [f]ilename: string
		 dump byte stream fed into the MAC codec to file
		 (only with --sign or --sign-item)
   Files and Parameters
       The dcmsign utility reads and writes a number of	files and file formats
       which are described in this section.
       Public Key Certificates are expected in X.509v3 format, either with PEM
       or DER encoding.	The dcmsign utility currently  supports	 RSA  and  DSA
       public  keys,  although	only  RSA  keys	 are  defines  in the Security
       Profiles	of the DICOM standard.
       Private Keys are	expected in PEM	or DER encoding.  PEM  is  recommended
       (and default) because this allows one to	keep private keys in encrypted
       form. Command line options control the  behavior	 of  dcmsign  when  an
       encrypted  PEM  key  is	opened	(see  above).  In  general  it	is not
       recommended to specify the encryption  password	in  the	 command  line
       because	the  command  line  may	 be  visible to	other processes	in the
       system, e.g. 'ps	-ef'.
       The list	of data	elements to sign can either be read  from  a  file  or
       specified  on  the  command  line  or  both  (in	this case the keys are
       On the command line, attribute keys are specified as
       --tag "gggg,eeee"  where	gggg and eeee are the hexadecimal group
			  and element numbers
       --tag "Name"	  where	'Name' is a symbolic attribute name from
			  the DICOM dictionary (see below).
       When attribute tags are read from file with the	--tag-file  option,  a
       plain  text file	of max.	64 kbyte is expected. Tags within the file are
       either symbolic names from the  data  dictionary	 or  have  the	format
       (gggg,eeee) (with braces). Tags are separated by	one or more whitespace
       The --sign-item operation requires a location string that describes  in
       which  sequence	item a signature is to be created. The location	string
       has the following format:
       where SequenceName is either a symbolic attribute name  from  the  data
       dictionary  or  a numeric tag in	the format (gggg,eeee) and index is an
       unsigned	decimal	integer	for the	item number, starting  with  zero  for
       the  first  item	 in  a sequence. As an example,	the following location
       would cause a digital signature to be created in	the second item	of the
       ReferencedImageSequence	(0008,1140) which is located in	the first item
       of the ReferencedSeriesSequence (0008,1115) which  is  located  in  the
       main DICOM dataset.
       The  level  of  logging	output	of  the	various	command	line tools and
       underlying libraries can	be specified by	the  user.  By	default,  only
       errors  and  warnings  are  written to the standard error stream. Using
       option --verbose	also informational messages  like  processing  details
       are  reported.  Option  --debug	can be used to get more	details	on the
       internal	activity, e.g. for debugging purposes.	Other  logging	levels
       can  be	selected  using	option --log-level. In --quiet mode only fatal
       errors are reported. In such very severe	error events, the  application
       will  usually  terminate.  For  more  details  on the different logging
       levels, see documentation of module 'oflog'.
       In case the logging output should be written to file  (optionally  with
       logfile	rotation),  to syslog (Unix) or	the event log (Windows)	option
       --log-config can	be used.  This	configuration  file  also  allows  for
       directing  only	certain	messages to a particular output	stream and for
       filtering certain messages based	on the	module	or  application	 where
       they  are  generated.  An  example  configuration  file	is provided in
       All command line	tools  use  the	 following  notation  for  parameters:
       square  brackets	 enclose  optional  values  (0-1), three trailing dots
       indicate	that multiple values are allowed (1-n),	a combination of  both
       means 0 to n values.
       Command line options are	distinguished from parameters by a leading '+'
       or '-' sign, respectively. Usually, order and position of command  line
       options	are  arbitrary	(i.e.  they  can appear	anywhere). However, if
       options are mutually exclusive the rightmost appearance is  used.  This
       behavior	 conforms  to  the  standard  evaluation  rules	of common Unix
       In addition, one	or more	command	files can be specified	using  an  '@'
       sign  as	 a  prefix to the filename (e.g. @command.txt).	Such a command
       argument	is replaced by the content  of	the  corresponding  text  file
       (multiple  whitespaces  are  treated  as	a single separator unless they
       appear between two quotation marks) prior to  any  further  evaluation.
       Please  note  that  a command file cannot contain another command file.
       This simple but effective  approach  allows  one	 to  summarize	common
       combinations  of	 options/parameters  and  avoids longish and confusing
       command lines (an example is provided in	file _datadir_/dumppat.txt).
       The dcmsign utility  will  attempt  to  load  DICOM  data  dictionaries
       specified  in the DCMDICTPATH environment variable. By default, i.e. if
       the  DCMDICTPATH	 environment   variable	  is   not   set,   the	  file
       _datadir_/dicom.dic  will be loaded unless the dictionary is built into
       the application (default	for Windows).
       The  default  behavior  should  be  preferred   and   the   DCMDICTPATH
       environment  variable  only used	when alternative data dictionaries are
       required. The DCMDICTPATH environment variable has the same  format  as
       the  Unix  shell	PATH variable in that a	colon (':') separates entries.
       On Windows systems, a semicolon (';') is	used as	a separator. The  data
       dictionary  code	 will  attempt	to  load  each	file  specified	in the
       DCMDICTPATH environment variable. It is an error	if no data  dictionary
       can be loaded.
       Copyright  (C)  2000-2014  by OFFIS e.V., Escherweg 2, 26121 Oldenburg,

Version	3.6.5			Mon Oct	28 2019			    dcmsign(1)


Want to link to this manual page? Use this URL:

home | help