Man Linux: Main Page and Category List


       dcmsign - Sign and Verify DICOM Files


       dcmsign [options] dcmfile-in [dcmfile-out]


       The  dcmsign  utility  reads  a  DICOM  file (dicomfile-in), performs a
       digital signature operation and, if any modification has  taken  place,
       writes the DICOM object to an output file (dicomfile-out).

       Five digital signature operations are supported:

       · verification of all signatures in the DICOM file
       · creation of a new digital signature located in the main dataset,
       · creation of a new digital signature in an item of a sequence embedded
         within the dataset,
       · removal of a single digital signature from the DICOM file, and
       · removal of all digital signatures from the DICOM file.


       dcmfile-in   DICOM input filename to be processed

       dcmfile-out  DICOM output filename


   general options
         -h    --help
                 print this help text and exit

                 print version information and exit

         -v    --verbose
                 verbose mode, print processing details

         -d    --debug
                 debug mode, print debug information

         +d    --dump  [f]ilename: string
                 dump byte stream fed into the MAC codec to file
                 (only with --sign or --sign-item)

   input options
       input file format:

         +f    --read-file
                 read file format or data set (default)

         +fo   --read-file-only
                 read file format only

         -f    --read-dataset
                 read data set without file meta information

       input transfer syntax:

         -t=   --read-xfer-auto
                 use TS recognition (default)

         -td   --read-xfer-detect
                 ignore TS specified in the file meta header

         -te   --read-xfer-little
                 read with explicit VR little endian TS

         -tb   --read-xfer-big
                 read with explicit VR big endian TS

         -ti   --read-xfer-implicit
                 read with implicit VR little endian TS
   signature commands
                 verify all signatures (default)

         +s    --sign  private key file, certificate file: string
                 create signature in main object

         +si   --sign-item  keyfile, certfile, item location: string
                 create signature in sequence item

         +r    --remove  signature UID: string
                 remove signature

         +ra   --remove-all
                 remove all signatures from data set
   signature creation options (only with --sign or --sign-item):
       private key password options:

         +ps   --std-passwd
                 prompt user to type password on stdin (default)

         +pw   --use-passwd  [p]assword: string
                 use specified password

         -pw   --null-passwd
                 use empty string as password

       key and certificate file format options:

         -pem  --pem-keys
                 read keys/certificates as PEM file (default)

         -der  --der-keys
                 read keys/certificates as DER file

       digital signature profile options:

         -pf   --profile-none
                 don’t enforce any signature profile (default)

         +pb   --profile-base
                 enforce base RSA signature profile

         +pc   --profile-creator
                 enforce creator RSA signature profile

         +pa   --profile-auth
                 enforce authorization signature profile

       MAC algorithm options:

         +mr   --mac-ripemd160
                 use RIPEMD 160 (default)

         +ms   --mac-sha1
                 use SHA-1

         +mm   --mac-md5
                 use MD 5

       tag selection options:

         -t    --tag
                 tag: "xxxx,xxxx" or a data dictionary name
                 sign only specified tag
                 this option can be specified multiple times

         -tf   --tag-file  filename: string
                 read list of tags from text file

       signature format options:

         -fn   --format-new
                 use correct DICOM signature format (default)

         -fo   --format-old
                 use old (pre-3.5.4) DCMTK signature format, non-conformant
                 if signature includes compressed pixel data

   output options
       output transfer syntax:

         +t=   --write-xfer-same
                 write with same TS as input (default)

         +te   --write-xfer-little
                 write with explicit VR little endian TS

         +tb   --write-xfer-big
                 write with explicit VR big endian TS

         +ti   --write-xfer-implicit
                 write with implicit VR little endian TS

       length encoding in sequences and items:

         +e    --length-explicit
                 write with explicit lengths (default)

         -e    --length-undefined
                 write with undefined lengths


   Files and Parameters
       The dcmsign utility reads and writes a number of files and file formats
       which are described in this section.
       Public Key Certificates are expected in X.509v3 format, either with PEM
       or DER encoding. The dcmsign utility currently  supports  RSA  and  DSA
       public  keys,  although  only  RSA  keys  are  defines  in the Security
       Profiles of the DICOM standard.
       Private Keys are expected in PEM or DER encoding.  PEM  is  recommended
       (and  default)  because  this  allows to keep private keys in encrypted
       form. Command line options control the behaviour  of  dcmsign  when  an
       encrypted  PEM  key  is  opened  (see  above).  In  general  it  is not
       recommended to specify the encryption  password  in  the  command  line
       because  the  command  line  may  be  visible to other processes in the
       system, e.g. ’ps -ef’.
       The list of data elements to sign can either be read  from  a  file  or
       specified  on  the  command  line  or  both  (in this case the keys are
       On the command line, attribute keys are specified as

       --tag "gggg,eeee"  where gggg and eeee are the hexadecimal group
                          and element numbers
       --tag "Name"       where ’Name’ is a symbolic attribute name from
                          the DICOM dictionary (see below).
       When attribute tags are read from file with the  --tag-file  option,  a
       plain  text file of max. 64 kbyte is expected. Tags within the file are
       either symbolic names from the  data  dictionary  or  have  the  format
       (gggg,eeee) (with braces). Tags are separated by one or more whitespace
       The --sign-item operation requires a location string that describes  in
       which  sequence  item a signature is to be created. The location string
       has the following format:

       where SequenceName is either a symbolic attribute name  from  the  data
       dictionary  or  a numeric tag in the format (gggg,eeee) and index is an
       unsigned decimal integer for the item number, starting  with  zero  for
       the  first  item  in  a sequence. As an example, the following location

       would cause a digital signature to be created in the second item of the
       ReferencedImageSequence  (0008,1140) which is located in the first item
       of the ReferencedSeriesSequence (0008,1115) which  is  located  in  the
       main DICOM dataset.


       All  command  line  tools  use  the  following notation for parameters:
       square brackets enclose optional  values  (0-1),  three  trailing  dots
       indicate  that multiple values are allowed (1-n), a combination of both
       means 0 to n values.
       Command line options are distinguished from parameters by a leading ’+’
       or  ’-’ sign, respectively. Usually, order and position of command line
       options are arbitrary (i.e. they  can  appear  anywhere).  However,  if
       options  are  mutually exclusive the rightmost appearance is used. This
       behaviour conforms to the standard  evaluation  rules  of  common  Unix
       In  addition,  one  or more command files can be specified using an ’@’
       sign as a prefix to the filename (e.g. @command.txt).  Such  a  command
       argument  is  replaced  by  the  content of the corresponding text file
       (multiple whitespaces are treated as a single separator) prior  to  any
       further  evaluation.  Please  note  that  a command file cannot contain
       another command file. This simple  but  effective  approach  allows  to
       summarize  common combinations of options/parameters and avoids longish
       and  confusing  command  lines  (an  example  is   provided   in   file


       The  dcmsign  utility  will  attempt  to  load  DICOM data dictionaries
       specified in the DCMDICTPATH environment variable. By default, i.e.  if
       the   DCMDICTPATH   environment   variable   is   not   set,  the  file
       <PREFIX>/lib/dicom.dic will be loaded unless the  dictionary  is  built
       into the application (default for Windows).
       The   default   behaviour  should  be  preferred  and  the  DCMDICTPATH
       environment variable only used when alternative data  dictionaries  are
       required.  The  DCMDICTPATH environment variable has the same format as
       the Unix shell PATH variable in that a colon (’:’)  separates  entries.
       The  data  dictionary  code will attempt to load each file specified in
       the DCMDICTPATH environment  variable.  It  is  an  error  if  no  data
       dictionary can be loaded.


       Copyright  (C)  2000-2005  by Kuratorium OFFIS e.V., Escherweg 2, 26121
       Oldenburg, Germany.