If there is a signed part we should have the protected headers there instead of only the encrypted part.