---
 src/cms_common.c |   10 +++++++++-
 src/cms_common.h |    1 +
 src/pesign.c     |    1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -272,6 +272,7 @@ struct cbdata {
 	CERTCertificate *cert;
 	PK11SlotListElement *psle;
 	secuPWData *pwdata;
+	int privkey_unneeded;
 };
 
 static SECStatus
@@ -283,6 +284,12 @@ is_valid_cert(CERTCertificate *cert, voi
 	void *pwdata = cbdata->pwdata;
 
 	SECKEYPrivateKey *privkey = NULL;
+
+	if (cbdata->privkey_unneeded) {
+		cbdata->cert = cert;
+		return SECSuccess;
+	}
+
 	privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
 	if (privkey != NULL) {
 		cbdata->cert = cert;
@@ -413,7 +420,7 @@ find_certificate(cms_context *cms, int n
 	}
 
 	SECStatus status;
-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
 		if (status != SECSuccess) {
 			PK11_DestroySlotListElement(slots, &psle);
@@ -442,6 +449,7 @@ find_certificate(cms_context *cms, int n
 		.cert = NULL,
 		.psle = psle,
 		.pwdata = pwdata,
+		.privkey_unneeded = cms->privkey_unneeded,
 	};
 
 	if (needs_private_key) {
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct
 typedef struct cms_context {
 	PRArenaPool *arena;
 	void *privkey;
+	int privkey_unneeded;
 
 	char *tokenname;
 	char *certname;
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -626,6 +626,7 @@ main(int argc, char *argv[])
 		 */
 		case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
 			check_inputs(ctxp);
+			ctxp->cms_ctx->privkey_unneeded = 1;
 			rc = find_certificate(ctxp->cms_ctx, 0);
 			if (rc < 0) {
 				fprintf(stderr, "pesign: Could not find "