Provided by: dcmtk_3.6.8-6_amd64 bug

NAME

       dcmsign - Sign and Verify DICOM Files

SYNOPSIS

       dcmsign [options] dcmfile-in [dcmfile-out]

DESCRIPTION

       The  dcmsign  utility  reads  a  DICOM  file  (dcmfile-in),  performs  a digital signature
       operation and, if any modification has taken place, writes the DICOM object to  an  output
       file (dcmfile-out).

       Five digital signature operations are supported:

       • verification of all signatures in the DICOM file

       • creation of a new digital signature located in the main dataset,

       • creation  of  a  new  digital  signature  in  an  item of a sequence embedded within the
         dataset,

       • removal of a single digital signature from the DICOM file, and

       • removal of all digital signatures from the DICOM file.

PARAMETERS

       dcmfile-in   DICOM input filename to be processed ('-' for stdin)

       dcmfile-out  DICOM output filename ('-' for stdout)

OPTIONS

   general options
         -h    --help
                 print this help text and exit

               --version
                 print version information and exit

               --arguments
                 print expanded command line arguments

         -q    --quiet
                 quiet mode, print no warnings and errors

         -v    --verbose
                 verbose mode, print processing details

         -d    --debug
                 debug mode, print debug information

         -ll   --log-level  [l]evel: string constant
                 (fatal, error, warn, info, debug, trace)
                 use level l for the logger

         -lc   --log-config  [f]ilename: string
                 use config file f for the logger

   input options
       input file format:

         +f    --read-file
                 read file format or data set (default)

         +fo   --read-file-only
                 read file format only

         -f    --read-dataset
                 read data set without file meta information

       input transfer syntax:

         -t=   --read-xfer-auto
                 use TS recognition (default)

         -td   --read-xfer-detect
                 ignore TS specified in the file meta header

         -te   --read-xfer-little
                 read with explicit VR little endian TS

         -tb   --read-xfer-big
                 read with explicit VR big endian TS

         -ti   --read-xfer-implicit
                 read with implicit VR little endian TS

       handling of defined length UN elements:

         -uc   --retain-un
                 retain elements as UN (default)

         +uc   --convert-un
                 convert to real VR if known

   signature commands
               --verify
                 verify all signatures (default)

         +s    --sign  [p]rivate key file, [c]ertificate file: string
                 create signature in main object

         +si   --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
                 create signature in sequence item

         +t    --insert-timestamp  ts[q]file, ts[r]file [u]idfile: string
                 insert certified timestamp from ts response r
                 from timestamp query q at signature UID u

         +r    --remove  [s]ignature UID: string
                 remove signature

         +ra   --remove-all
                 remove all signatures from data set

   general signature options
       key and certificate file format:

         -pem  --pem-keys
                 read keys/certificates as PEM file (default)

         -der  --der-keys
                 read keys/certificates as DER file

       signature format:

         -fn   --format-new
                 use correct DICOM signature format (default)

         -fo   --format-old
                 use old (pre-3.5.4) DCMTK signature format, non-conformant
                 if signature includes compressed pixel data. This option should
                 only be used to verify signatures in the old format.

   signature verification options (only with –verify)
       signature verification:

         +rv   --verify-if-present
                 verify signatures if present, pass otherwise
                 (default)

         +rg   --require-sig
                 fail if no signature at all is present

         +rc   --require-creator
                 fail if no creator RSA signature is present

         +ru   --require-auth
                 fail if no auth RSA signature is present

         +rs   --require-sr
                 fail if no SR RSA signature is present

       timestamp verification:

         +tv   --verify-ts
                 verify certified timestamp if present (default)

         -tv   --ignore-ts
                 ignore certified timestamps

         +tr   --require-ts
                 fail if no certified timestamp is present

       certification authority:

         +cf   --add-cert-file
                 [f]ilename: string
                 add trusted certificate file to cert store

         +uf   --add-ucert-file
                 [f]ilename: string
                 add untrusted intermediate certificate file

         +cd   --add-cert-dir
                 [d]irectory: string
                 add certificates in d to cert store

         +cr   --add-crl-file
                 [f]ilename: string
                 add certificate revocation list file
                 (implies --enable-crl-vfy)

         +cl   --enable-crl-vfy
                 enable certificate revocation list verification.fi

   signature creation options (only with –sign or –sign-item)
       private key password:

         +ps   --std-passwd
                 prompt user to type password on stdin (default)

         +pw   --use-passwd  [p]assword: string
                 use specified password

         -pw   --null-passwd
                 use empty string as password

       digital signature profile:

         -pf   --profile-none
                 don't enforce any signature profile (default)

         +pb   --profile-base
                 enforce base RSA signature profile

         +pc   --profile-creator
                 enforce creator RSA signature profile

         +pa   --profile-auth
                 enforce authorization signature profile

         +pr   --profile-sr
                 enforce SR RSA signature profile

         +pv   --profile-srv
                 enforce SR RSA signature profile (verification)

       MAC algorithm:

         +mr   --mac-ripemd160
                 use RIPEMD 160 (default)

         +ms   --mac-sha1
                 use SHA-1

         +mm   --mac-md5
                 use MD 5

         +m2   --mac-sha256
                 use SHA-256

         +m3   --mac-sha384
                 use SHA-384

         +m5   --mac-sha512
                 use SHA-512

       signature purpose:

         +lp   --list-purposes
                 show list of signature purpose codes and exit

         -sp   --no-sig-purpose
                 do not add signature purpose (default)

         +sp   --sig-purpose
                 [p]urpose code: integer (1..18)
                 add digital signature purpose code p

       tag selection:

         -t    --tag
                 [t]ag: 'gggg,eeee' or dictionary name
                 sign only specified tag
                 (this option can be specified multiple times)

         -tf   --tag-file  [f]ilename: string
                 read list of tags from text file.fi

   timestamp creation options (only with –sign or –sign-item)
       timestamp creation:

         -ts   --timestamp-off
                 do not create timestamp (default)

         +ts   --timestamp-file  [t]sq-filename, [u]id-filename: string
                 create timestamp query file t and uid file u

       timestamp MAC algorithm (only with --timestamp-file):

         +tm2  --ts-mac-sha256
                 use SHA-256 (default)

         +tm3  --ts-mac-sha384
                 use SHA-384

         +tm5  --ts-mac-sha512
                 use SHA-512

         +tmr  --ts-mac-ripemd160
                 use RIPEMD 160

         +tms  --ts-mac-sha1
                 use SHA-1 (not recommended)

         +tmm  --ts-mac-md5
                 use MD5 (not recommended)

       timestamp query nonce options (only with --timestamp-file):

         +tn   --ts-use-nonce
                 include random nonce (default)

         -tn   --ts-no-nonce
                 do not include nonce

       timestamp certificate inclusion options (only with --timestamp-file):

         +tc   --ts-request-cert
                 request TSA certificate in timestamp (default)

         -tc   --ts-no-cert
                 do not request TSA certificate in timestamp

       timestamp policy options (only with --timestamp-file):

         -tp   --ts-no-policy
                 do not specify ts policy (default)

         +tp   --ts-policy  [p]olicy-OID: string
                 request timestamp policy p

   output options
       output transfer syntax:

         +t=   --write-xfer-same
                 write with same TS as input (default)

         +te   --write-xfer-little
                 write with explicit VR little endian TS

         +tb   --write-xfer-big
                 write with explicit VR big endian TS

         +ti   --write-xfer-implicit
                 write with implicit VR little endian TS

       length encoding in sequences and items:

         +e    --length-explicit
                 write with explicit lengths (default)

         -e    --length-undefined
                 write with undefined lengths

       other output options:

         +d    --dump  [f]ilename: string
                 dump byte stream fed into the MAC codec to file
                 (only with --sign or --sign-item)

NOTES

   Files and Parameters
       The dcmsign utility reads and writes  a  number  of  files  and  file  formats  which  are
       described in this section.

       Public  Key  Certificates are expected in X.509v3 format, either with PEM or DER encoding.
       The dcmsign utility currently supports RSA and DSA public keys, although only RSA keys are
       defines in the Security Profiles of the DICOM standard.

       Private Keys are expected in PEM or DER encoding. PEM is recommended (and default) because
       this allows one to keep private keys in encrypted form. Command line options  control  the
       behavior  of dcmsign when an encrypted PEM key is opened (see above). In general it is not
       recommended to specify the encryption password in the command  line  because  the  command
       line may be visible to other processes in the system, e.g. 'ps -ef'.

       By  default,  dcmsign will create a signature covering all data elements in the dataset or
       item. This default can be overridden by explicitly specifying  a  list  of  data  elements
       (attribute  tags).  This  list  can either be read from a file or specified on the command
       line or both (in this case the attribute tags are combined).

       On the command line, attribute tags are specified as

       --tag 'gggg,eeee'  where gggg and eeee are the hexadecimal group
                          and element numbers
       --tag 'Name'       where 'Name' is a symbolic attribute name from
                          the DICOM dictionary (see below).

       When attribute tags are read from file with the --tag-file option, a plain  text  file  is
       expected.  Tags within the file are either symbolic names from the data dictionary or have
       the format (gggg,eeee) (with braces).  Tags  are  separated  by  one  or  more  whitespace
       characters.

       The  currently  selected  digital  signature profile may specify additional attribute tags
       required to be included in the signature, which will be silently added.

       The --sign-item operation requires a location string that describes in which sequence item
       a signature is to be created. The location string has the following format:

       SequenceName[index].SequenceName[index].SequenceName[index](...)

       where  SequenceName  is  either  a  symbolic  attribute name from the data dictionary or a
       numeric tag in the format (gggg,eeee) and index is an unsigned  decimal  integer  for  the
       item  number,  starting  with  zero  for  the first item in a sequence. As an example, the
       following location string

       ReferencedSeriesSequence[0].ReferencedImageSequence[1]

       would  cause  a  digital  signature  to  be  created   in   the   second   item   of   the
       ReferencedImageSequence   (0008,1140)   which   is  located  in  the  first  item  of  the
       ReferencedSeriesSequence (0008,1115) which is located in the main DICOM dataset.

   Certified Timestamps
       Starting with release 3.6.6, dcmsign offers support for certified timestamps according  to
       RFC 3161. For now, the tool does not implement any of the network protocols defined in RFC
       3161 for communicating with a timestamp authority (TSA), but  it  can  write  a  timestamp
       query  (TSQ) during signature creation, and the new command --insert-timestamp will read a
       timestamp response (TSR) from file and add it to the  DICOM  digital  signature.  Since  a
       DICOM  file  can  contain  multiple  signatures,  a 'UID file' (which contains the Digital
       Signature UID) is used to identify the signature to which the TSR  should  be  added.  The
       dcmsign tool will also perform various consistency checks before storing the timestamp.

       During  signature verification, the presence of a certified timestamp will be detected and
       the timestamp will  also  be  verified  unless  option  --ignore-ts  was  used.  Signature
       verification  and  timestamp  verification  use  a  common  certificate store to check the
       certificates of the DICOM signature and the timestamp. This store can  be  populated  with
       the  options  --add-cert-file  and --add-cert-dir, which both add trusted CA certificates,
       --add-ucert-file, which adds an untrusted intermediate CA certificate, and --add-crl-file,
       which adds a certificate revocation list.

   Hashed Certificate Directories
       Instead  of  adding CA certificates and certificate revocation lists (CRLs) manually using
       --add-cert-file and --add-crl-file, the user can set-up a  directory  where  dcmsign  will
       look-up and load certificates and CRLs from as needed, using --add-cert-dir.

       Th directory should contain one certificate or CRL per file in PEM format, with a filename
       of the form hash.N for a certificate, or hash.rN for a CRL. The hash is the value returned
       by

       openssl  x509 -hash -noout -in <filename.pem> (for a certificate) openssl crl -hash -noout
       -in <filename.pem> (for a CRL)

       The .N or .rN suffix is a  sequence  number  that  starts  at  zero,  and  is  incremented
       consecutively  for  each certificate or CRL with the same hash value. Gaps in the sequence
       numbers are not supported, it is assumed that there are no more objects with the same hash
       beyond the first missing number in the sequence.

       CRLs  will  only  be  verified  when  option  --enable-crl-vfy is specified. In this case,
       dcmsign will expect a CRL to be present for each CA and will fail  signature  verification
       if no CRL can be found for the CA that issued the signer certificate.

LOGGING

       The level of logging output of the various command line tools and underlying libraries can
       be specified by the user. By default, only errors and warnings are written to the standard
       error  stream.  Using option --verbose also informational messages like processing details
       are reported. Option --debug can be used to get more details  on  the  internal  activity,
       e.g.  for  debugging  purposes.  Other  logging levels can be selected using option --log-
       level. In --quiet mode only fatal errors are reported. In such very severe  error  events,
       the  application will usually terminate. For more details on the different logging levels,
       see documentation of module 'oflog'.

       In case the logging output should be written to file (optionally with  logfile  rotation),
       to  syslog  (Unix)  or  the  event  log  (Windows)  option  --log-config can be used. This
       configuration file also allows for directing only certain messages to a particular  output
       stream  and  for  filtering certain messages based on the module or application where they
       are generated. An example configuration file is provided in <etcdir>/logger.cfg.

COMMAND LINE

       All command line tools use the following notation for parameters: square brackets  enclose
       optional  values  (0-1),  three  trailing  dots  indicate that multiple values are allowed
       (1-n), a combination of both means 0 to n values.

       Command line options are distinguished from parameters by  a  leading  '+'  or  '-'  sign,
       respectively. Usually, order and position of command line options are arbitrary (i.e. they
       can appear anywhere). However, if options are mutually exclusive the rightmost  appearance
       is used. This behavior conforms to the standard evaluation rules of common Unix shells.

       In  addition,  one or more command files can be specified using an '@' sign as a prefix to
       the filename (e.g. @command.txt). Such a command argument is replaced by  the  content  of
       the corresponding text file (multiple whitespaces are treated as a single separator unless
       they appear between two quotation marks) prior to any further evaluation. Please note that
       a  command  file  cannot  contain another command file. This simple but effective approach
       allows one to summarize common combinations of options/parameters and avoids  longish  and
       confusing command lines (an example is provided in file <datadir>/dumppat.txt).

EXIT CODES

       The  dcmsign utility uses the following exit codes when terminating. This enables the user
       to check for the reason why the application terminated.

   general
       EXITCODE_NO_ERROR                         0
       EXITCODE_COMMANDLINE_SYNTAX_ERROR         1
       EXITCODE_NOOPENSSL                        5

   input file errors
       EXITCODE_CANNOT_READ_INPUT_FILE          20
       EXITCODE_NO_INPUT_FILES                  21
       EXITCODE_CANNOT_READ_TAG_FILE            30
       EXITCODE_CANNOT_READ_TSQ_FILE            31
       EXITCODE_CANNOT_READ_TSR_FILE            32
       EXITCODE_CANNOT_READ_UID_FILE            33

   output file errors
       EXITCODE_CANNOT_WRITE_OUTPUT_FILE        40
       EXITCODE_CANNOT_WRITE_SUPPORT_FILE       46

   processing errors
       EXITCODE_CANNOT_ACCESS_SIGNATURE         80
       EXITCODE_CANNOT_ACCESS_TS                81
       EXITCODE_CANNOT_INSERT_TS                82
       EXITCODE_SIGNATURE_REMOVAL_FAILED        83
       EXITCODE_SIGNATURE_UID_NOT_FOUND         84
       EXITCODE_SIGNATURE_CREATION_FAILED       85
       EXITCODE_SYNTAX_ERROR_IN_TAG_FILE        86
       EXITCODE_TS_CONSISTENCY_CHECK_FAILED     87

   application specific errors
       EXITCODE_NO_SIGNATURES_PRESENT           100
       EXITCODE_SIGNATURE_VERIFICATION_FAILED   101
       EXITCODE_SIGNATURE_VERIFICATION_POLICY   102

ENVIRONMENT

       The dcmsign utility will  attempt  to  load  DICOM  data  dictionaries  specified  in  the
       DCMDICTPATH environment variable. By default, i.e. if the DCMDICTPATH environment variable
       is not set, the file <datadir>/dicom.dic will be loaded unless  the  dictionary  is  built
       into the application (default for Windows).

       The  default  behavior  should  be preferred and the DCMDICTPATH environment variable only
       used when alternative data dictionaries are required. The DCMDICTPATH environment variable
       has  the  same  format  as  the  Unix  shell PATH variable in that a colon (':') separates
       entries. On Windows systems, a semicolon (';') is used as a separator. The data dictionary
       code  will attempt to load each file specified in the DCMDICTPATH environment variable. It
       is an error if no data dictionary can be loaded.

COPYRIGHT

       Copyright (C) 2000-2023 by OFFIS e.V., Escherweg 2, 26121 Oldenburg, Germany.