Provided by: libdigidoc-tools_3.10.1.1208+ds1-2_amd64 
NAME
cdigidoc - read, digitally sign, verify files in XAdES format and encrypt, decrypt files in XMLENC format
SYNOPSIS
cdigidoc <command(s)> [ -in <input-file> ] [ -out <output-file> ] [ -config <config-file> ]
DESCRIPTION
cdigidoc is an utility which provides a command line interface to the CDigiDoc library, which is a
library in C programming language offering the the functionality to create files in supported DigiDoc
formats, sigitally sign the DigiDoc files using smart cards or other supported cryptographic tokens, add
time marks and validity confirmations to digital signatures using OCSP protocol, verify the digital
signatures, and digitally encrypt and decrypt the DigiDoc files. It is also possible to use cdigidoc
utility as a CGI program in web applications created in environments that cannot easily use the JDigiDoc
library or call the DigiDocService webservice for digital signature functionality.
For full documentation, see
https://svn.eesti.ee/projektid/idkaart_public/branches/3.6/libdigidoc/doc/SK-CDD-PRG-GUIDE.pdf
XAdES format
http://www.w3.org/TR/XAdES
XML-ENC format
http://www.w3.org/TR/xmlenc-core
OPTIONS
-?, -help
Displays help about command syntax.
-in <input-file>
Specifies the input file name. It is recommended to pass the full path to the file in this
parameter.
-out <output-file>
Stores the newly created or modified document in a file.
-config <configuration-file>
Specifies the CDigiDoc configuration file name. If left unspecified, then the configuration file
is looked up from default locations.
-check-cert <certificate-file-in-pem-format>
Checks the certificate validity status. Used for checking the chosen certificate’s validity;
returns an OCSP response from the certificate’s CA’s OCSP responder. Note that the command is
currently not being tested. If the certificate is valid, then the return code’s (RC) value is 0.
-new [format] [version]
Creates a new digidoc container with the specified format and version. The current digidoc format
in CDigiDoc library is DIGIDOC-XML, default version is 1.3 (newest). By using the optional
parameter - version - with this command, you can specify an alternative version to be created.
Note: the older SK-XML format is supported only for backward compatibility.
-add <input-file> <mime-type> [<content-type>] [<charset>]
Adds a new data file to a digidoc document. If digidoc doesn't exist then creates one in the
default format.
Input file (required)
Specifies the name of the data file (it is recommended to include full path in this
parameter; the path is removed when writing to DigiDoc container file).
Mime type (required)
Represents the MIME type of the original file like "text/plain" or "application/msword".
Content type
Reflects how the original files are embedded in the container EMBEDDED_BASE64 (used by
default). In previous versions cdigidoc allowed content type EMBEDDED to sign pure xml or
text.
Charset
UTF-8 encoding is supported and used by default.
-sign <pin-code> [[[manifest] [[city] [state] [zip] [country]] [slot(0)] [ocsp(1)] [token-type(PKCS11)]
[pkcs12-file-name]]
Adds a digital signature to the digidoc document. You can use it with following parameters:
pin code
In case of Estonian ID cards, pin code2 is used for digital signing. If signing with a
software token (PKCS#12 file), then the password of PKCS#12 file should be entered here.
manifest
Role or resolution of the signer
city City where the signature is created
state State or province where the signature is created
zip Postal code of the place where the signature is created
country
Country of origin. ISO 3166-type 2-character country codes are used (e.g. EE)
slot Identifier of the signer’s private key’s slot on a smartcard. When operating for example
with a single Estonian ID card, its signature key can be found in slot 1 - which is used by
default. The library makes some assumptions about PKCS#11 drivers and card layouts:
- you have signature and/or authentication keys on the card
- both key and certificate are in one slot
- if you have many keys like 1 signature and 1 authentication key then they are in
different slots
- you can sign with signature key that has a corresponding certificate with
"NonRepudiation" bit set. You may need to specify a different slot to be used when for
example operating with multiple smart cards on the same system. If the slot needs to be
specified during signing, then the 5 previous optional parameters (manifest, city, state,
zip, country) should be filled first (either with the appropriate data or as "" for no
value).
ocsp Specifies whether an OCSP confirmation is added to the signature that is being created.
Possible values are 0 - confirmation is not added; 1 - confirmation is added. By default,
the value is set to 1. Parameter value 0 can be used when creating a technical signature.
Technical signature is a signature with no OCSP confirmation and no timestamp value.
token type
Speciafies type of signature token to be use.
- PKCS11 default value. Signs with a smart-card or software pkcs11 token
- CNG on windows platforms uses CSP/CNG for signing
- PKCS12 signs with a PKCS#12 key container that must be entered in the next parameter
pkcs12 file name
Name of the PKCS#12 key container file to be used for signing.
-mid-sign <phone-no> <per-code> [[<country>(EE)] [<lang>(EST)] [<service>(Testing)] [<manifest>] [<city>
<state> <zip>]]
Invokes mobile signing of a ddoc file using Mobile-ID and DigiDocService. Mobile-ID is a service
based on Wireless PKI providing for mobile authentication and digital signing, currently supported
by all Estonian and some Lithuanian mobile operators. The Mobile-ID user gets a special SIM card
with private keys on it. Hash to be signed is sent over the GSM network to the phone and the user
shall enter PIN code to sign. The signed result is sent back over the air. DigiDocService is a
SOAP-based web service, access to the service is IP-based and requires a written contract with
provider of DigiDocService. You can use Mobile-ID signing with the following parameters:
phone-no
Phone number of the signer with the country code in format +xxxxxxxxx (for example
+3706234566)
per-code
Identification number of the signer (personal national ID number).
country
Country of origin. ISO 3166-type 2-character country codes are used (e.g. default is EE)
lang Language for user dialog in mobile phone. 3-character capitalized acronyms are used (e.g.
default is EST)
service
Name of the service – previously agreed with Application Provider and DigiDocService
operator. Maximum length – 20 chars. (e.g. default is Testing)
manifest
Role or resolution of the signer
city City where the signature is created
state State or province where the signature is created
zip Postal code of the place where the signature is created
-list Displays the data file and signature info of a DigiDoc document just read in; verifies all
signatures.
Returns Digidoc container data, in format: SignedDoc | <format-identifier> | <version>
List of all data files, in format: DataFile | <file identifier> | <file name> | <file size in
bytes> | <mime type> | <data file embedding option>
List of all signatures (if existing), in format: Signature | <signature identifier> | <signer’s
key info: last name, first name, personal code> | <verification return code> |
<verification result>
Signer’s certificate information.
OCSP responder certificate information
-verify
Returns signature verification results (if signatures exist):
Signature | <signature identifier> | <signer’s key info: last name, first name, personal code> |
<verification return code> | <verification result>
Returns signer’s certificate and OCSP Responder certificate information.
-extract <data-file-id> <output-file>
Extracts the selected data file from the DigiDoc container and stores it in a file. Data file id
represents the ID for data file to be extracted from inside the DigiDoc container (e.g. D0, D1…).
Output file represents the name of the output file.
-denc-list <input-encrypted-file>
Displays the encrypted data and recipient’s info of an encrypted document just read in.
-encrecv <certificate-file> [recipient] [KeyName] [CarriedKeyName]
Adds a new recipient certificate and other metadata to an encrypted document. Certificate file
(required) specifies the file from which the public key component is fetched for encrypting the
data. The decryption can be performed only by using private key corresponding to that certificate.
The input certificate files for encryption must come from the file system (PEM encodings are
supported). Possible sources where the certificate files can be obtained from include: Windows
Certificate Store ("Other Persons"), LDAP directories, ID-card in smart-card reader. For example
the certificate files for Estonian ID card owners can be retrieved from a LDAP directory at
ldap://ldap.sk.ee. The query can be made in following format through the web browser (IE):
ldap://ldap.sk.ee:389/c=EE??sub?(serialNumber= xxxxxxxxxxx) where serial Number is the recipient’s
personal identification number, e,g.38307240240). Other parameters include:
recipient
If left unspecified, then the program assigns the CN value of the certificate passwed as
first parameter. This is later used as a command line option to identify the recipient
whose key and smart card is used to decrypt the data. Note: Although this parameter is
optional, it is recommended to pass on the entire CN value from the recipient’s certificate
as the recipient identifier here, especially when dealing with multiple recipients.
KeyName
Sub-element <KeyName> can be added to better identify the key object. Optional, but can be
used to search for the right recipient’s key or display its data in an application.
CarriedKeyName
Sub-element <CarriedKeyName> can be added to better identify the key object. Optional, but
can be used to search for the right recipient’s key or display its data in an application.
-encrypt-sk <input-file>
Encrypts the data from the given input file and writes the completed encrypted document in a file.
Recommended for providing cross-usability with other DigiDoc software components. This command
places the data file to be encrypted in a new DigiDoc container. Therefore handling such encrypted
documents later with other DigiDoc applications is fully supported (e.g. DigiDoc3 client). Input
file (required) specifies the original data file to be encrypted. Note: There are also
alternative encryption commands which are however not recommended for providing cross-usability
with other DigiDoc software components:
-encrypt <input-file>
Encrypts the data from the given input file and writes the completed encrypted document in
a file. Should be used only for encrypting small documents, already in DIGIDOC-XML format.
Input file (required) specifies the original data file to be encrypted.
-encrypt-file <input-file> <output-file>
Encrypts the input file and writes to output file. Should be used only for encrypting large
documents, already in DIGIDOC-XML format. Note that the command in not currently tested.
Input file (required) specifies the original data file to be encrypted. Output file
(required) specifies the name of the output file which will be created in the current
encrypted document format (ENCDOC-XML ver 1.0), with file extension .cdoc.
-decrypt-sk <input-file> <pin> [pkcs12-file] [slot(0)]
Decrypts and possibly decompresses the encrypted file just read in and writes to output file.
Expects the encrypted file to be inside a DigiDoc container. Input file (required) specifies the
input file’s name. Pin (required) represents the recipient’s pin1 (in context of Estonian ID
cards). pkcs12-file (optional) specifies the PKCS#12 file if decrypting is done with a software
token. slot default is slot 0 containing Estonian ID cards authentication keypair. This parameter
can be used to decrypt with a key from the second id card attached to the computer etc. Note:
There are also alternative commands for decryption, depending on the encrypted file’s format, size
and the certificate type used for decrypting it.
-decrypt <input-file> <pin> [pkcs12-file] [slot(0)]
Offers same functionality as -decrypt-sk, should be used for decrypting small files (which
do not need to be inside a DigiDoc container). Input file (required) specifies the input
file’s name. Pin (required) represents the recipient’s pin1 (in contexts of Estonian ID
cards). pkcs12-file (optional) specifies the PKCS#12 file if decrypting is done with a
software token. slot default is slot 0 containing Estonian ID cards authentication
keypair. This parameter can be used to decrypt with a key from the second id card attached
to the computer etc.
-decrypt-file <input-file> <output-file> <pin> [pkcs12-file]
Offers same functionality as -decrypt for decrypting documents, should be used for
decrypting large files (which do not need to be inside a DigiDoc container). Expects the
encrypted data not to be compressed. Note that the command is not currently tested. Input
file (required) specifies the encrypted file to be decrypted. Output file (required)
specifies the output file name. Pin (required) represents the recipient’s pin1 (in
contexts of Estonian ID cards). pkcs12-file (optional) specifies the PKCS#12 file if
decrypting is done with a software token.
-calc-sign <cert-file> [<manifest>] [<city> <state> <zip> <country>]
Offers an alternative to -sign command to be used in CGI pograms. Adds signers certificate in pem
format and optionally manifest and signers address and calculates the final hash value to be
signed. This value is hex-encoded and can now be sent to users computer to be signed using a web
plugin. This command creates an incomplete signature that lacks the actual RSA signature value. It
must be stored in a temporary file and later completed using the -add-sign-value command. -IP
"-add-sign-value <sign-value-file> <sign-id>" Offers an alternative to -sign command to be used in
CGI pograms. Adds an RSA signature hex-encoded value to an incomplete signature created using the
-calc-sign command. This signature is still lacking the ocsp timemark, that can now be obtained
using the -get-confirmation command producing a complete XAdES signature.
-get-confirmation <signature-id>
Adds an OCSP confirmation to a DigiDoc file’s signature.
EXAMPLES
cdigidoc -new DIGIDOC-XML 1.3 -add <input-file> <mime> -sign <pin2> -out <output-file>
Creates a new signed document in DIGIDOC-XML 1.3 format, adds one input file, signs with smartcard
using the default signature slot and writes to a signed document file.
cdigidoc -in <signed-input-file> -list
Reads in a signed document, verifies signatures and prints the results to console.
cdigidoc -in <signed-input-file> -extract D0 <output-file>
Reads in a signed document, finds the first signed document and writes it to output file.
cdigidoc -encrecv <recipient1.pem> -encrecv <recipient2.pem> -encrypt-sk <file-to-encrypt> -out <output-
file.cdoc>
Creates a new encypted file by encrypting input file that is encrypted using AES-128 and encrypts
the generated randome transport key using RSA for two possible recipients identified by their
certificates. Transport key is encrypted using RSA1.5.
cdigidoc -decrypt-sk <input-file.cdoc> <pin1> -out <output-file>
Reads in encrypted file and decrypts it with smartcards first keypair (Estonian ID cards
authentication key) and writes decrypted data to given putput file.
cdigidoc -decrypt-sk <input-file.cdoc> <password> <keyfile.p12d> -out <output-file>
Reads in encrypted file and decrypts it with a PKCS#12 key-container and writes decrypted data to
given putput file.
AUTHORS
AS Sertifitseerimiskeskus (Certification Centre Ltd.)
SEE ALSO
digidoc-tool(1), qesteidutil(1), qdigidocclient(1), qdigidoccrypto(1)