dcmsign (1) - Linux Manuals

dcmsign: Sign and Verify DICOM Files


dcmsign - Sign and Verify DICOM Files


dcmsign [options] dcmfile-in [dcmfile-out]


The dcmsign utility reads a DICOM file (dcmfile-in), performs a digital signature operation and, if any modification has taken place, writes the DICOM object to an output file (dcmfile-out).

Five digital signature operations are supported:

verification of all signatures in the DICOM file
creation of a new digital signature located in the main dataset,
creation of a new digital signature in an item of a sequence embedded within the dataset,
removal of a single digital signature from the DICOM file, and
removal of all digital signatures from the DICOM file.


dcmfile-in   DICOM input filename to be processed

dcmfile-out  DICOM output filename


general options

  -h    --help
          print this help text and exit

          print version information and exit

          print expanded command line arguments

  -q    --quiet
          quiet mode, print no warnings and errors

  -v    --verbose
          verbose mode, print processing details

  -d    --debug
          debug mode, print debug information

  -ll   --log-level  [l]evel: string constant
          (fatal, error, warn, info, debug, trace)
          use level l for the logger

  -lc   --log-config  [f]ilename: string
          use config file f for the logger

input options

input file format:

  +f    --read-file
          read file format or data set (default)

  +fo   --read-file-only
          read file format only

  -f    --read-dataset
          read data set without file meta information

input transfer syntax:

  -t=   --read-xfer-auto
          use TS recognition (default)

  -td   --read-xfer-detect
          ignore TS specified in the file meta header

  -te   --read-xfer-little
          read with explicit VR little endian TS

  -tb   --read-xfer-big
          read with explicit VR big endian TS

  -ti   --read-xfer-implicit
          read with implicit VR little endian TS

signature commands

          verify all signatures (default)

  +s    --sign  [p]rivate key file, [c]ertificate file: string
          create signature in main object

  +si   --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
          create signature in sequence item

  +r    --remove  [s]ignature UID: string
          remove signature

  +ra   --remove-all
          remove all signatures from data set

signature creation options (only with --sign or --sign-item):

private key password:

  +ps   --std-passwd
          prompt user to type password on stdin (default)

  +pw   --use-passwd  [p]assword: string
          use specified password

  -pw   --null-passwd
          use empty string as password

key and certificate file format:

  -pem  --pem-keys
          read keys/certificates as PEM file (default)

  -der  --der-keys
          read keys/certificates as DER file

digital signature profile:

  -pf   --profile-none
          don't enforce any signature profile (default)

  +pb   --profile-base
          enforce base RSA signature profile

  +pc   --profile-creator
          enforce creator RSA signature profile

  +pa   --profile-auth
          enforce authorization signature profile

MAC algorithm:

  +mr   --mac-ripemd160
          use RIPEMD 160 (default)

  +ms   --mac-sha1
          use SHA-1

  +mm   --mac-md5
          use MD 5

tag selection:

  -t    --tag
          [t]ag: "gggg,eeee" or dictionary name
          sign only specified tag
          (this option can be specified multiple times)

  -tf   --tag-file  [f]ilename: string
          read list of tags from text file

signature format:

  -fn   --format-new
          use correct DICOM signature format (default)

  -fo   --format-old
          use old (pre-3.5.4) DCMTK signature format, non-conformant
          if signature includes compressed pixel data

output options

output transfer syntax:

  +t=   --write-xfer-same
          write with same TS as input (default)

  +te   --write-xfer-little
          write with explicit VR little endian TS

  +tb   --write-xfer-big
          write with explicit VR big endian TS

  +ti   --write-xfer-implicit
          write with implicit VR little endian TS

length encoding in sequences and items:

  +e    --length-explicit
          write with explicit lengths (default)

  -e    --length-undefined
          write with undefined lengths

other output options:

  +d    --dump  [f]ilename: string
          dump byte stream fed into the MAC codec to file
          (only with --sign or --sign-item)


Files and Parameters

The dcmsign utility reads and writes a number of files and file formats which are described in this section.

Public Key Certificates are expected in X.509v3 format, either with PEM or DER encoding. The dcmsign utility currently supports RSA and DSA public keys, although only RSA keys are defines in the Security Profiles of the DICOM standard.

Private Keys are expected in PEM or DER encoding. PEM is recommended (and default) because this allows to keep private keys in encrypted form. Command line options control the behaviour of dcmsign when an encrypted PEM key is opened (see above). In general it is not recommended to specify the encryption password in the command line because the command line may be visible to other processes in the system, e.g. 'ps -ef'.

The list of data elements to sign can either be read from a file or specified on the command line or both (in this case the keys are combined).

On the command line, attribute keys are specified as

--tag "gggg,eeee"  where gggg and eeee are the hexadecimal group
                   and element numbers
--tag "Name"       where 'Name' is a symbolic attribute name from
                   the DICOM dictionary (see below).

When attribute tags are read from file with the --tag-file option, a plain text file of max. 64 kbyte is expected. Tags within the file are either symbolic names from the data dictionary or have the format (gggg,eeee) (with braces). Tags are separated by one or more whitespace characters.

The --sign-item operation requires a location string that describes in which sequence item a signature is to be created. The location string has the following format:


where SequenceName is either a symbolic attribute name from the data dictionary or a numeric tag in the format (gggg,eeee) and index is an unsigned decimal integer for the item number, starting with zero for the first item in a sequence. As an example, the following location string


would cause a digital signature to be created in the second item of the ReferencedImageSequence (0008,1140) which is located in the first item of the ReferencedSeriesSequence (0008,1115) which is located in the main DICOM dataset.


The level of logging output of the various command line tools and underlying libraries can be specified by the user. By default, only errors and warnings are written to the standard error stream. Using option --verbose also informational messages like processing details are reported. Option --debug can be used to get more details on the internal activity, e.g. for debugging purposes. Other logging levels can be selected using option --log-level. In --quiet mode only fatal errors are reported. In such very severe error events, the application will usually terminate. For more details on the different logging levels, see documentation of module 'oflog'.

In case the logging output should be written to file (optionally with logfile rotation), to syslog (Unix) or the event log (Windows) option --log-config can be used. This configuration file also allows for directing only certain messages to a particular output stream and for filtering certain messages based on the module or application where they are generated. An example configuration file is provided in <etcdir>/logger.cfg).


All command line tools use the following notation for parameters: square brackets enclose optional values (0-1), three trailing dots indicate that multiple values are allowed (1-n), a combination of both means 0 to n values.

Command line options are distinguished from parameters by a leading '+' or '-' sign, respectively. Usually, order and position of command line options are arbitrary (i.e. they can appear anywhere). However, if options are mutually exclusive the rightmost appearance is used. This behaviour conforms to the standard evaluation rules of common Unix shells.

In addition, one or more command files can be specified using an '@' sign as a prefix to the filename (e.g. @command.txt). Such a command argument is replaced by the content of the corresponding text file (multiple whitespaces are treated as a single separator unless they appear between two quotation marks) prior to any further evaluation. Please note that a command file cannot contain another command file. This simple but effective approach allows to summarize common combinations of options/parameters and avoids longish and confusing command lines (an example is provided in file <datadir>/dumppat.txt).


The dcmsign utility will attempt to load DICOM data dictionaries specified in the DCMDICTPATH environment variable. By default, i.e. if the DCMDICTPATH environment variable is not set, the file <datadir>/dicom.dic will be loaded unless the dictionary is built into the application (default for Windows).

The default behaviour should be preferred and the DCMDICTPATH environment variable only used when alternative data dictionaries are required. The DCMDICTPATH environment variable has the same format as the Unix shell PATH variable in that a colon (':') separates entries. On Windows systems, a semicolon (';') is used as a separator. The data dictionary code will attempt to load each file specified in the DCMDICTPATH environment variable. It is an error if no data dictionary can be loaded.


Copyright (C) 2000-2010 by OFFIS e.V., Escherweg 2, 26121 Oldenburg, Germany.