Provided by: dcmtk_3.6.2-3build3_amd64 bug


       dcmsign - Sign and Verify DICOM Files


       dcmsign [options] dcmfile-in [dcmfile-out]


       The  dcmsign  utility  reads  a  DICOM  file  (dcmfile-in),  performs  a digital signature
       operation and, if any modification has taken place, writes the DICOM object to  an  output
       file (dcmfile-out).

       Five digital signature operations are supported:

       · verification of all signatures in the DICOM file
       · creation of a new digital signature located in the main dataset,
       · creation  of  a  new  digital  signature  in  an  item of a sequence embedded within the
       · removal of a single digital signature from the DICOM file, and
       · removal of all digital signatures from the DICOM file.


       dcmfile-in   DICOM input filename to be processed

       dcmfile-out  DICOM output filename


   general options
         -h    --help
                 print this help text and exit

                 print version information and exit

                 print expanded command line arguments

         -q    --quiet
                 quiet mode, print no warnings and errors

         -v    --verbose
                 verbose mode, print processing details

         -d    --debug
                 debug mode, print debug information

         -ll   --log-level  [l]evel: string constant
                 (fatal, error, warn, info, debug, trace)
                 use level l for the logger

         -lc   --log-config  [f]ilename: string
                 use config file f for the logger
   input options
       input file format:

         +f    --read-file
                 read file format or data set (default)

         +fo   --read-file-only
                 read file format only

         -f    --read-dataset
                 read data set without file meta information

       input transfer syntax:

         -t=   --read-xfer-auto
                 use TS recognition (default)

         -td   --read-xfer-detect
                 ignore TS specified in the file meta header

         -te   --read-xfer-little
                 read with explicit VR little endian TS

         -tb   --read-xfer-big
                 read with explicit VR big endian TS

         -ti   --read-xfer-implicit
                 read with implicit VR little endian TS
   signature commands
                 verify all signatures (default)

         +s    --sign  [p]rivate key file, [c]ertificate file: string
                 create signature in main object

         +si   --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
                 create signature in sequence item

         +r    --remove  [s]ignature UID: string
                 remove signature

         +ra   --remove-all
                 remove all signatures from data set
   signature creation options (only with --sign or --sign-item):
       private key password:

         +ps   --std-passwd
                 prompt user to type password on stdin (default)

         +pw   --use-passwd  [p]assword: string
                 use specified password

         -pw   --null-passwd
                 use empty string as password

       key and certificate file format:

         -pem  --pem-keys
                 read keys/certificates as PEM file (default)

         -der  --der-keys
                 read keys/certificates as DER file

       digital signature profile:

         -pf   --profile-none
                 don't enforce any signature profile (default)

         +pb   --profile-base
                 enforce base RSA signature profile

         +pc   --profile-creator
                 enforce creator RSA signature profile

         +pa   --profile-auth
                 enforce authorization signature profile

       MAC algorithm:

         +mr   --mac-ripemd160
                 use RIPEMD 160 (default)

         +ms   --mac-sha1
                 use SHA-1

         +mm   --mac-md5
                 use MD 5

       tag selection:

         -t    --tag
                 [t]ag: "gggg,eeee" or dictionary name
                 sign only specified tag
                 (this option can be specified multiple times)

         -tf   --tag-file  [f]ilename: string
                 read list of tags from text file

       signature format:

         -fn   --format-new
                 use correct DICOM signature format (default)

         -fo   --format-old
                 use old (pre-3.5.4) DCMTK signature format, non-conformant
                 if signature includes compressed pixel data
   output options
       output transfer syntax:

         +t=   --write-xfer-same
                 write with same TS as input (default)

         +te   --write-xfer-little
                 write with explicit VR little endian TS

         +tb   --write-xfer-big
                 write with explicit VR big endian TS

         +ti   --write-xfer-implicit
                 write with implicit VR little endian TS

       length encoding in sequences and items:

         +e    --length-explicit
                 write with explicit lengths (default)

         -e    --length-undefined
                 write with undefined lengths

       other output options:

         +d    --dump  [f]ilename: string
                 dump byte stream fed into the MAC codec to file
                 (only with --sign or --sign-item)


   Files and Parameters
       The dcmsign utility reads and writes  a  number  of  files  and  file  formats  which  are
       described in this section.
       Public  Key  Certificates are expected in X.509v3 format, either with PEM or DER encoding.
       The dcmsign utility currently supports RSA and DSA public keys, although only RSA keys are
       defines in the Security Profiles of the DICOM standard.
       Private Keys are expected in PEM or DER encoding. PEM is recommended (and default) because
       this allows one to keep private keys in encrypted form. Command line options  control  the
       behavior  of dcmsign when an encrypted PEM key is opened (see above). In general it is not
       recommended to specify the encryption password in the command  line  because  the  command
       line may be visible to other processes in the system, e.g. 'ps -ef'.
       The  list  of  data  elements  to  sign can either be read from a file or specified on the
       command line or both (in this case the keys are combined).
       On the command line, attribute keys are specified as
       --tag "gggg,eeee"  where gggg and eeee are the hexadecimal group
                          and element numbers
       --tag "Name"       where 'Name' is a symbolic attribute name from
                          the DICOM dictionary (see below).
       When attribute tags are read from file with the --tag-file option, a plain  text  file  of
       max.  64  kbyte  is expected. Tags within the file are either symbolic names from the data
       dictionary or have the format (gggg,eeee) (with braces). Tags are separated by one or more
       whitespace characters.
       The --sign-item operation requires a location string that describes in which sequence item
       a signature is to be created. The location string has the following format:
       where SequenceName is either a symbolic attribute name  from  the  data  dictionary  or  a
       numeric  tag  in  the  format (gggg,eeee) and index is an unsigned decimal integer for the
       item number, starting with zero for the first item in  a  sequence.  As  an  example,  the
       following location string
       would   cause   a   digital   signature   to   be  created  in  the  second  item  of  the
       ReferencedImageSequence  (0008,1140)  which  is  located  in  the  first   item   of   the
       ReferencedSeriesSequence (0008,1115) which is located in the main DICOM dataset.


       The level of logging output of the various command line tools and underlying libraries can
       be specified by the user. By default, only errors and warnings are written to the standard
       error  stream.  Using option --verbose also informational messages like processing details
       are reported. Option --debug can be used to get more details  on  the  internal  activity,
       e.g.  for  debugging  purposes.  Other  logging levels can be selected using option --log-
       level. In --quiet mode only fatal errors are reported. In such very severe  error  events,
       the  application will usually terminate. For more details on the different logging levels,
       see documentation of module 'oflog'.
       In case the logging output should be written to file (optionally with  logfile  rotation),
       to  syslog  (Unix)  or  the  event  log  (Windows)  option  --log-config can be used. This
       configuration file also allows for directing only certain messages to a particular  output
       stream  and  for  filtering certain messages based on the module or application where they
       are generated. An example configuration file is provided in <etcdir>/logger.cfg.


       All command line tools use the following notation for parameters: square brackets  enclose
       optional  values  (0-1),  three  trailing  dots  indicate that multiple values are allowed
       (1-n), a combination of both means 0 to n values.
       Command line options are distinguished from parameters by  a  leading  '+'  or  '-'  sign,
       respectively. Usually, order and position of command line options are arbitrary (i.e. they
       can appear anywhere). However, if options are mutually exclusive the rightmost  appearance
       is used. This behavior conforms to the standard evaluation rules of common Unix shells.
       In  addition,  one or more command files can be specified using an '@' sign as a prefix to
       the filename (e.g. @command.txt). Such a command argument is replaced by  the  content  of
       the corresponding text file (multiple whitespaces are treated as a single separator unless
       they appear between two quotation marks) prior to any further evaluation. Please note that
       a  command  file  cannot  contain another command file. This simple but effective approach
       allows one to summarize common combinations of options/parameters and avoids  longish  and
       confusing command lines (an example is provided in file <datadir>/dumppat.txt).


       The  dcmsign  utility  will  attempt  to  load  DICOM  data  dictionaries specified in the
       DCMDICTPATH environment variable. By default, i.e. if the DCMDICTPATH environment variable
       is  not  set,  the  file <datadir>/dicom.dic will be loaded unless the dictionary is built
       into the application (default for Windows).
       The default behavior should be preferred and the  DCMDICTPATH  environment  variable  only
       used when alternative data dictionaries are required. The DCMDICTPATH environment variable
       has the same format as the Unix shell PATH  variable  in  that  a  colon  (':')  separates
       entries. On Windows systems, a semicolon (';') is used as a separator. The data dictionary
       code will attempt to load each file specified in the DCMDICTPATH environment variable.  It
       is an error if no data dictionary can be loaded.


       Copyright (C) 2000-2014 by OFFIS e.V., Escherweg 2, 26121 Oldenburg, Germany.