diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 73269759f..66e35f5f1 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -113,6 +113,7 @@ command = {
 name = "cms-verify-sd"
 option = {
 long = "anchors"
+ short = "D"
 type = "strings"
 argument = "certificate-store"
 help = "trust anchors"
@@ -150,6 +151,11 @@ command = {
 type = "-flag"
 help = "allow no signer"
 }
+ option = {
+ long = "allow-wrong-oid"
+ type = "flag"
+ help = "allow wrong oid flag"
+ }
 option = {
 long = "signed-content"
 type = "string"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index c6dfbfc98..d1272fd75 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -282,6 +282,8 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 if (!opt->signer_allowed_flag)
 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
+ if (opt->allow_wrong_oid_flag)
+ flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
 ret = hx509_cms_verify_signed(context, ctx, flags, co.data, co.length, sd, store, &type, &c, &signers);
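Review bot: The help string `allow wrong oid flag` on the new `allow-wrong-oid` option (second hunk of hxtool-commands.in) does not say which check is switched off, so someone reading the command's help cannot tell that the option loosens signature verification. Judging by the flag it maps to in hxtool.c, `HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH`, wording such as `help = "accept a content-type OID mismatch in the signed data (weakens verification)"` would describe it better. The exact semantics of the mismatch are defined outside this diff, so the wording should be confirmed against the library documentation.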