Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
dcmsign(1)			  OFFIS	DCMTK			    dcmsign(1)

NAME
       dcmsign - Sign and Verify DICOM Files

SYNOPSIS
       dcmsign [options] dcmfile-in [dcmfile-out]

DESCRIPTION
       The dcmsign utility reads a DICOM file (dcmfile-in), performs a digital
       signature  operation  and,  if any modification has taken place,	writes
       the DICOM object	to an output file (dcmfile-out).

       Five digital signature operations are supported:

        verification of all signatures	in the DICOM file

        creation of a new digital signature located in	the main dataset,

        creation of a new digital signature in	an item	of a sequence embedded
	 within	the dataset,

        removal of a single digital signature from the	DICOM file, and

        removal of all	digital	signatures from	the DICOM file.

PARAMETERS
       dcmfile-in   DICOM input	filename to be processed ("-" for stdin)

       dcmfile-out  DICOM output filename ("-" for stdout)

OPTIONS
   general options
	 -h    --help
		 print this help text and exit

	       --version
		 print version information and exit

	       --arguments
		 print expanded	command	line arguments

	 -q    --quiet
		 quiet mode, print no warnings and errors

	 -v    --verbose
		 verbose mode, print processing	details

	 -d    --debug
		 debug mode, print debug information

	 -ll   --log-level  [l]evel: string constant
		 (fatal, error,	warn, info, debug, trace)
		 use level l for the logger

	 -lc   --log-config  [f]ilename: string
		 use config file f for the logger

   input options
       input file format:

	 +f    --read-file
		 read file format or data set (default)

	 +fo   --read-file-only
		 read file format only

	 -f    --read-dataset
		 read data set without file meta information

       input transfer syntax:

	 -t=   --read-xfer-auto
		 use TS	recognition (default)

	 -td   --read-xfer-detect
		 ignore	TS specified in	the file meta header

	 -te   --read-xfer-little
		 read with explicit VR little endian TS

	 -tb   --read-xfer-big
		 read with explicit VR big endian TS

	 -ti   --read-xfer-implicit
		 read with implicit VR little endian TS

       handling	of defined length UN elements:

	 -uc   --retain-un
		 retain	elements as UN (default)

	 +uc   --convert-un
		 convert to real VR if known

   signature commands
	       --verify
		 verify	all signatures (default)

	 +s    --sign  [p]rivate key file, [c]ertificate file: string
		 create	signature in main object

	 +si   --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
		 create	signature in sequence item

	 +t    --insert-timestamp  ts[q]file, ts[r]file	[u]idfile: string
		 insert	certified timestamp from ts response r
		 from timestamp	query q	at signature UID u

	 +r    --remove	 [s]ignature UID: string
		 remove	signature

	 +ra   --remove-all
		 remove	all signatures from data set

   general signature options
       key and certificate file	format:

	 -pem  --pem-keys
		 read keys/certificates	as PEM file (default)

	 -der  --der-keys
		 read keys/certificates	as DER file

       signature format:

	 -fn   --format-new
		 use correct DICOM signature format (default)

	 -fo   --format-old
		 use old (pre-3.5.4) DCMTK signature format, non-conformant
		 if signature includes compressed pixel	data. This option should
		 only be used to verify	signatures in the old format.

   signature verification options (only	with –verify)
       signature verification:

	 +rv   --verify-if-present
		 verify	signatures if present, pass otherwise
		 (default)

	 +rg   --require-sig
		 fail if no signature at all is	present

	 +rc   --require-creator
		 fail if no creator RSA	signature is present

	 +ru   --require-auth
		 fail if no auth RSA signature is present

	 +rs   --require-sr
		 fail if no SR RSA signature is	present

       timestamp verification:

	 +tv   --verify-ts
		 verify	certified timestamp if present (default)

	 -tv   --ignore-ts
		 ignore	certified timestamps

	 +tr   --require-ts
		 fail if no certified timestamp	is present

       certification authority:

	 +cf   --add-cert-file
		 [f]ilename: string
		 add trusted certificate file to cert store

	 +uf   --add-ucert-file
		 [f]ilename: string
		 add untrusted intermediate certificate	file

	 +cd   --add-cert-dir
		 [d]irectory: string
		 add certificates in d to cert store

	 +cr   --add-crl-file
		 [f]ilename: string
		 add certificate revocation list file
		 (implies --enable-crl-vfy)

	 +cl   --enable-crl-vfy
		 enable	certificate revocation list verification.fi

   signature creation options (only with –sign or	–sign-item)
       private key password:

	 +ps   --std-passwd
		 prompt	user to	type password on stdin (default)

	 +pw   --use-passwd  [p]assword: string
		 use specified password

	 -pw   --null-passwd
		 use empty string as password

       digital signature profile:

	 -pf   --profile-none
		 don't enforce any signature profile (default)

	 +pb   --profile-base
		 enforce base RSA signature profile

	 +pc   --profile-creator
		 enforce creator RSA signature profile

	 +pa   --profile-auth
		 enforce authorization signature profile

	 +pr   --profile-sr
		 enforce SR RSA	signature profile

	 +pv   --profile-srv
		 enforce SR RSA	signature profile (verification)

       MAC algorithm:

	 +mr   --mac-ripemd160
		 use RIPEMD 160	(default)

	 +ms   --mac-sha1
		 use SHA-1

	 +mm   --mac-md5
		 use MD	5

	 +m2   --mac-sha256
		 use SHA-256

	 +m3   --mac-sha384
		 use SHA-384

	 +m5   --mac-sha512
		 use SHA-512

       signature purpose:

	 +lp   --list-purposes
		 show list of signature	purpose	codes and exit

	 -sp   --no-sig-purpose
		 do not	add signature purpose (default)

	 +sp   --sig-purpose
		 [p]urpose code: integer (1..18)
		 add digital signature purpose code p

       tag selection:

	 -t    --tag
		 [t]ag:	"gggg,eeee" or dictionary name
		 sign only specified tag
		 (this option can be specified multiple	times)

	 -tf   --tag-file  [f]ilename: string
		 read list of tags from	text file.fi

   timestamp creation options (only with –sign or	–sign-item)
       timestamp creation:

	 -ts   --timestamp-off
		 do not	create timestamp (default)

	 +ts   --timestamp-file	 [t]sq-filename, [u]id-filename: string
		 create	timestamp query	file t and uid file u

       timestamp MAC algorithm (only with --timestamp-file):

	 +tm2  --ts-mac-sha256
		 use SHA-256 (default)

	 +tm3  --ts-mac-sha384
		 use SHA-384

	 +tm5  --ts-mac-sha512
		 use SHA-512

	 +tmr  --ts-mac-ripemd160
		 use RIPEMD 160

	 +tms  --ts-mac-sha1
		 use SHA-1 (not	recommended)

	 +tmm  --ts-mac-md5
		 use MD5 (not recommended)

       timestamp query nonce options (only with	--timestamp-file):

	 +tn   --ts-use-nonce
		 include random	nonce (default)

	 -tn   --ts-no-nonce
		 do not	include	nonce

       timestamp certificate inclusion options (only with --timestamp-file):

	 +tc   --ts-request-cert
		 request TSA certificate in timestamp (default)

	 -tc   --ts-no-cert
		 do not	request	TSA certificate	in timestamp

       timestamp policy	options	(only with --timestamp-file):

	 -tp   --ts-no-policy
		 do not	specify	ts policy (default)

	 +tp   --ts-policy  [p]olicy-OID: string
		 request timestamp policy p

   output options
       output transfer syntax:

	 +t=   --write-xfer-same
		 write with same TS as input (default)

	 +te   --write-xfer-little
		 write with explicit VR	little endian TS

	 +tb   --write-xfer-big
		 write with explicit VR	big endian TS

	 +ti   --write-xfer-implicit
		 write with implicit VR	little endian TS

       length encoding in sequences and	items:

	 +e    --length-explicit
		 write with explicit lengths (default)

	 -e    --length-undefined
		 write with undefined lengths

       other output options:

	 +d    --dump  [f]ilename: string
		 dump byte stream fed into the MAC codec to file
		 (only with --sign or --sign-item)

NOTES
   Files and Parameters
       The dcmsign utility reads and writes a number of	files and file formats
       which are described in this section.

       Public Key Certificates are expected in X.509v3 format, either with PEM
       or DER encoding.	The dcmsign utility currently  supports	 RSA  and  DSA
       public  keys,  although	only  RSA  keys	 are  defines  in the Security
       Profiles	of the DICOM standard.

       Private Keys are	expected in PEM	or DER encoding.  PEM  is  recommended
       (and default) because this allows one to	keep private keys in encrypted
       form.  Command  line  options  control  the behavior of dcmsign when an
       encrypted PEM  key  is  opened  (see  above).  In  general  it  is  not
       recommended  to	specify	 the  encryption  password in the command line
       because the command line	may be	visible	 to  other  processes  in  the
       system, e.g. 'ps	-ef'.

       By  default, dcmsign will create	a signature covering all data elements
       in the dataset or item. This default can	be  overridden	by  explicitly
       specifying  a  list  of	data  elements (attribute tags). This list can
       either be read from a file or specified on the command line or both (in
       this case the attribute tags are	combined).

       On the command line, attribute tags are specified as

       --tag "gggg,eeee"  where	gggg and eeee are the hexadecimal group
			  and element numbers
       --tag "Name"	  where	'Name' is a symbolic attribute name from
			  the DICOM dictionary (see below).

       When attribute tags are read from file with the	--tag-file  option,  a
       plain  text  file is expected. Tags within the file are either symbolic
       names from the data dictionary or have  the  format  (gggg,eeee)	 (with
       braces).	Tags are separated by one or more whitespace characters.

       The currently selected digital signature	profile	may specify additional
       attribute  tags required	to be included in the signature, which will be
       silently	added.

       The --sign-item operation requires a location string that describes  in
       which  sequence	item a signature is to be created. The location	string
       has the following format:

       SequenceName[index].SequenceName[index].SequenceName[index](...)

       where SequenceName is either a symbolic attribute name  from  the  data
       dictionary  or  a numeric tag in	the format (gggg,eeee) and index is an
       unsigned	decimal	integer	for the	item number, starting  with  zero  for
       the  first  item	 in  a sequence. As an example,	the following location
       string

       ReferencedSeriesSequence[0].ReferencedImageSequence[1]

       would cause a digital signature to be created in	the second item	of the
       ReferencedImageSequence (0008,1140) which is located in the first  item
       of  the	ReferencedSeriesSequence  (0008,1115)  which is	located	in the
       main DICOM dataset.

   Certified Timestamps
       Starting	with release  3.6.6,  dcmsign  offers  support	for  certified
       timestamps  according to	RFC 3161. For now, the tool does not implement
       any of the network protocols defined in RFC 3161	for communicating with
       a timestamp authority (TSA), but	it can write a timestamp  query	 (TSQ)
       during  signature creation, and the new command --insert-timestamp will
       read a timestamp	response (TSR) from file  and  add  it	to  the	 DICOM
       digital	signature. Since a DICOM file can contain multiple signatures,
       a 'UID file' (which contains the	Digital	 Signature  UID)  is  used  to
       identify	 the  signature	 to which the TSR should be added. The dcmsign
       tool will also perform various consistency checks  before  storing  the
       timestamp.

       During  signature  verification,	 the presence of a certified timestamp
       will be detected	and the	timestamp will also be verified	unless	option
       --ignore-ts was used. Signature verification and	timestamp verification
       use  a  common certificate store	to check the certificates of the DICOM
       signature and the timestamp. This  store	 can  be  populated  with  the
       options	--add-cert-file	 and --add-cert-dir, which both	add trusted CA
       certificates, --add-ucert-file, which adds an untrusted intermediate CA
       certificate, and	--add-crl-file,	which adds  a  certificate  revocation
       list.

   Hashed Certificate Directories
       Instead	of  adding  CA	certificates  and certificate revocation lists
       (CRLs) manually using --add-cert-file and --add-crl-file, the user  can
       set-up a	directory where	dcmsign	will look-up and load certificates and
       CRLs from as needed, using --add-cert-dir.

       Th  directory  should  contain  one  certificate	or CRL per file	in PEM
       format, with a filename of  the	form  hash.N  for  a  certificate,  or
       hash.rN for a CRL. The hash is the value	returned by

       openssl	x509  -hash  -noout  -in  <filename.pem>  (for	a certificate)
       openssl crl -hash -noout	-in <filename.pem> (for	a CRL)

       The .N or .rN suffix is a sequence number that starts at	zero,  and  is
       incremented  consecutively  for	each  certificate or CRL with the same
       hash value. Gaps	in the sequence	 numbers  are  not  supported,	it  is
       assumed	that  there  are no more objects with the same hash beyond the
       first missing number in the sequence.

       CRLs will only be verified when option --enable-crl-vfy	is  specified.
       In  this	 case, dcmsign will expect a CRL to be present for each	CA and
       will fail signature verification	if no CRL can be found for the CA that
       issued the signer certificate.

LOGGING
       The level of logging output of  the  various  command  line  tools  and
       underlying  libraries  can  be  specified by the	user. By default, only
       errors and warnings are written to the  standard	 error	stream.	 Using
       option  --verbose  also	informational messages like processing details
       are reported. Option --debug can	be used	to get	more  details  on  the
       internal	 activity,  e.g.  for debugging	purposes. Other	logging	levels
       can be selected using option --log-level. In --quiet  mode  only	 fatal
       errors  are reported. In	such very severe error events, the application
       will usually terminate. For  more  details  on  the  different  logging
       levels, see documentation of module 'oflog'.

       In  case	 the logging output should be written to file (optionally with
       logfile rotation), to syslog (Unix) or the event	log  (Windows)	option
       --log-config  can  be  used.  This  configuration  file also allows for
       directing only certain messages to a particular output stream  and  for
       filtering  certain  messages  based  on the module or application where
       they are	generated.  An	example	 configuration	file  is  provided  in
       <etcdir>/logger.cfg.

COMMAND	LINE
       All  command  line  tools  use  the  following notation for parameters:
       square brackets enclose optional	 values	 (0-1),	 three	trailing  dots
       indicate	 that multiple values are allowed (1-n), a combination of both
       means 0 to n values.

       Command line options are	distinguished from parameters by a leading '+'
       or '-' sign, respectively. Usually, order and position of command  line
       options	are  arbitrary	(i.e.  they  can appear	anywhere). However, if
       options are mutually exclusive the rightmost appearance is  used.  This
       behavior	 conforms  to  the  standard  evaluation  rules	of common Unix
       shells.

       In addition, one	or more	command	files can be specified	using  an  '@'
       sign  as	 a  prefix to the filename (e.g. @command.txt).	Such a command
       argument	is replaced by the content  of	the  corresponding  text  file
       (multiple  whitespaces  are  treated  as	a single separator unless they
       appear between two quotation marks) prior to  any  further  evaluation.
       Please  note  that  a command file cannot contain another command file.
       This simple but effective  approach  allows  one	 to  summarize	common
       combinations  of	 options/parameters  and  avoids longish and confusing
       command lines (an example is provided in	file <datadir>/dumppat.txt).

EXIT CODES
       The dcmsign utility uses	the following  exit  codes  when  terminating.
       This  enables  the  user	 to  check  for	the reason why the application
       terminated.

   general
       EXITCODE_NO_ERROR			 0
       EXITCODE_COMMANDLINE_SYNTAX_ERROR	 1
       EXITCODE_NOOPENSSL			 5

   input file errors
       EXITCODE_CANNOT_READ_INPUT_FILE		20
       EXITCODE_NO_INPUT_FILES			21
       EXITCODE_CANNOT_READ_TAG_FILE		30
       EXITCODE_CANNOT_READ_TSQ_FILE		31
       EXITCODE_CANNOT_READ_TSR_FILE		32
       EXITCODE_CANNOT_READ_UID_FILE		33

   output file errors
       EXITCODE_CANNOT_WRITE_OUTPUT_FILE	40
       EXITCODE_CANNOT_WRITE_SUPPORT_FILE	46

   processing errors
       EXITCODE_CANNOT_ACCESS_SIGNATURE		80
       EXITCODE_CANNOT_ACCESS_TS		81
       EXITCODE_CANNOT_INSERT_TS		82
       EXITCODE_SIGNATURE_REMOVAL_FAILED	83
       EXITCODE_SIGNATURE_UID_NOT_FOUND		84
       EXITCODE_SIGNATURE_CREATION_FAILED	85
       EXITCODE_SYNTAX_ERROR_IN_TAG_FILE	86
       EXITCODE_TS_CONSISTENCY_CHECK_FAILED	87

   application specific	errors
       EXITCODE_NO_SIGNATURES_PRESENT		100
       EXITCODE_SIGNATURE_VERIFICATION_FAILED	101
       EXITCODE_SIGNATURE_VERIFICATION_POLICY	102

ENVIRONMENT
       The dcmsign utility  will  attempt  to  load  DICOM  data  dictionaries
       specified  in the DCMDICTPATH environment variable. By default, i.e. if
       the  DCMDICTPATH	 environment   variable	  is   not   set,   the	  file
       <datadir>/dicom.dic  will be loaded unless the dictionary is built into
       the application (default	for Windows).

       The  default  behavior  should  be  preferred   and   the   DCMDICTPATH
       environment  variable  only used	when alternative data dictionaries are
       required. The DCMDICTPATH environment variable has the same  format  as
       the  Unix  shell	PATH variable in that a	colon (':') separates entries.
       On Windows systems, a semicolon (';') is	used as	a separator. The  data
       dictionary  code	 will  attempt	to  load  each	file  specified	in the
       DCMDICTPATH environment variable. It is an error	if no data  dictionary
       can be loaded.

COPYRIGHT
       Copyright  (C)  2000-2024  by OFFIS e.V., Escherweg 2, 26121 Oldenburg,
       Germany.

Version	3.6.9			Wed Dec	11 2024			    dcmsign(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=dcmsign&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>

home | help