diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c
index 4ef592ca..0eee4fbf 100644
--- a/src/tools/openpgp-tool.c
+++ b/src/tools/openpgp-tool.c
@@ -89,7 +89,7 @@ static const char *pin = NULL;
 static int opt_erase = 0;
 static int opt_delkey = 0;
 static int opt_dump_do = 0;
-static u8 do_dump_idx;
+static unsigned int do_dump_idx;
 
 static const char *app_name = "openpgp-tool";
 
@@ -247,6 +247,8 @@ static void display_data(const struct ef_name_map *mapping, char *value)
 static int decode_options(int argc, char **argv)
 {
 	int c;
+	char *endptr;
+	unsigned long val;
 
 	while ((c = getopt_long(argc, argv,"r:x:CUG:L:EhwvVd:", options, (int *) 0)) != EOF) {
 		switch (c) {
@@ -319,7 +321,13 @@ static int decode_options(int argc, char **argv)
 			actions++;
 			break;
 		case 'd':
-			do_dump_idx = optarg[0] - '0';
+			endptr = NULL;
+			val = strtoul(optarg, &endptr, 16);
+			if (endptr == NULL || endptr == optarg || *endptr != '\0') {
+				printf("Unable to parse DO identifier\n");
+				return 1;
+			}
+			do_dump_idx = (unsigned int) (val | 0x100);
 			opt_dump_do++;
 			actions++;
 			break;
@@ -388,6 +396,11 @@ static int do_dump_do(sc_card_t *card, unsigned int tag)
 	unsigned char buffer[254];
 	memset(buffer, '\0', sizeof(buffer));
 
+	if (tag < 0x101 || tag > 0x104) {
+		printf("Illegal DO identifier\n");
+		return 1;
+	}
+
 	r = sc_get_data(card, tag, buffer, sizeof(buffer));
 	if (r < 0) {
 		printf("Failed to get data object: %s\n", sc_strerror(r));
@@ -641,7 +654,7 @@ int main(int argc, char **argv)
 	}
 
 	if (opt_dump_do) {
-		exit_status |= do_dump_do(card, 0x0100 + do_dump_idx);
+		exit_status |= do_dump_do(card, do_dump_idx);
 	}
 
 	if (opt_genkey)