dcmsign: a digital signature library and utility apps
This module contains classes to create digital signatures in DICOM data sets, to verify and to remove signatures. Signatures are conforming to the DICOM "Digital Signatures" extension (formerly Supplement 41). This module requires the external OpenSSL library.
The main interface classes are:
Tools
This module contains the following command line tool:
Examples
The following example shows how to verify all signatures in a DICOM file:
DcmFileFormat fileformat;
if (fileformat.loadFile("test.dcm").good())
{
// Load a root Certification Authority certificate from "ca_cert.pem"
// and declare it as trusted. All certificates issued by this CA will
// be considered trustworthy (if within their validity time).
SiCertificateVerifier certVerifier;
if (certVerifier.addTrustedCertificateFile("ca_cert.pem",
X509_FILETYPE_PEM).bad())
{
cerr << "unable to load CA certificate" << endl;
return;
}
// Verify all signatures in the dataset, and verify the signer
// certificate against the root CA defined above.
// Fail if no signature is present in the dataset, but do not require
// any specific DICOM signature profile. Verify a secure timestamp
// if present, but do not fail signature verification if no timestamp
// is there.
int result = DcmSignatureHelper::do_verify(fileformat.getDataset(),
certVerifier, ESVP_requireSignature, ETVP_verifyTSIfPresent);
if (result == 0)
std::cerr << "signature(s) found and successfully verified" << endl;
else
std::cerr << "signature absent or verification failed" << endl;
}
The following example shows how to sign a DICOM file:
DcmFileFormat fileformat;
if (fileformat.loadFile("test.dcm").good())
{
// dataset to be signed
DcmDataset *dataset = fileformat.getDataset();
// select transfer syntax in which digital signature will be created
E_TransferSyntax xfer = dataset->getOriginalXfer();
// use Little Endian Explicit for uncompressed files
if ((xfer == EXS_LittleEndianImplicit) ||
(xfer == EXS_BigEndianExplicit))
xfer = EXS_LittleEndianExplicit;
SiCreatorProfile profile; // use the "RSA Creator Profile"
SiRIPEMD160 mac; // use RIPEMD160 as MAC algorithm
SiCertificate cert; // our certificate
if (cert.loadCertificate("certificate.pem", X509_FILETYPE_PEM).bad())
{
cerr << "unable to load certificate" << endl;
return;
}
SiPrivateKey key; // private key, must be unencrypted here
if (key.loadPrivateKey("privkey.pem", X509_FILETYPE_PEM).bad())
{
cerr << "unable to load private key" << endl;
return;
}
// list of attributes to be signed. It can remain empty here
// since we're using the RSA Creator Profile to determine the
// list of attributes that needs to be signed
DcmAttributeTag tags;
// now create the signature
int result = DcmSignatureHelper::do_sign(dataset,
key, cert, &mac, &profile, &tags, xfer, NULL,
SiSignaturePurpose::ESP_none, NULL);
if (result == 0)
std::cerr << "signature successfully created" << endl;
else
std::cerr << "signature creation failed" << endl;
}