OpenAS2 / OpenAs2App

OpenAS2 is a Java-based implementation of the EDIINT AS2 standard. It is intended to be used as a server. It is extremely configurable and supports a wide variety of signing and encryption algorithms.

Home Page: https://sourceforge.net/projects/openas2/

unable to parse signed MDN response using openssl

alexdean opened this issue · comments

I'm unable to parse the MDNs sent by OpenAS2 using openssl. I'm unsure what I'm doing wrong and would appreciate any input.

The MDN generated by OpenAS2 contains:

Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

I suspect this may be the problem, as I find this in the openssl documentation:

The parser assumes that the PKCS7 structure is always base64 encoded and will not handle the case where it is in binary format or uses quoted printable format.

https://www.openssl.org/docs/man1.0.2/man3/SMIME_read_PKCS7.html

The actual error I get from openssl is asn1 sig parse error, and I haven't had much luck deciphering that any further, but it seems to align with the caveat quoted above.

Is it possible to configure OpenAS2 to base64-encode its signatures in MDNs? I'm already using <attribute name="content_transfer_encoding" value="base64"/> in the partnership definition, but that doesn't seem to apply to signatures in MDNs.
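The following is an added example, not code from this issue or from the OpenAS2 project. It shows the receiver-side workaround that the OpenSSL caveat quoted above suggests: parse the multipart/signed MDN, copy the signed content through byte-for-byte (the signature was computed over exactly those bytes, so it must not be reflowed), and rewrite only the application/pkcs7-signature part from Content-Transfer-Encoding: binary (or quoted-printable) to base64 so that openssl's S/MIME parser will accept it. The sample MDN is constructed here in the shape the headers above describe, FAKE_DER is arbitrary binary standing in for a real DER PKCS#7 signature, and the function names are this example's own.

```python
import base64
import quopri
import re

# Constructed sample (not captured from a real OpenAS2 instance). FAKE_DER is
# arbitrary binary standing in for a DER PKCS#7 blob; it ends in CR LF on purpose.
CRLF = b"\r\n"
BOUNDARY = b"----=_Part_0_12345"
FAKE_DER = b"\x30\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x00\xff\r\n"
SIGNED_CONTENT = CRLF.join([
    b"Content-Type: multipart/report; report-type=disposition-notification; boundary=inner",
    b"",
    b"--inner",
    b"Content-Type: message/disposition-notification",
    b"",
    b"Original-Message-ID: <example-1@sender>",
    b"Disposition: automatic-action/MDN-sent-automatically; processed",
    b"--inner--",
])
SAMPLE_MDN = CRLF.join([
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";',
    b'\tmicalg=sha-256; boundary="' + BOUNDARY + b'"',
    b"",
    b"--" + BOUNDARY,
    SIGNED_CONTENT,
    b"--" + BOUNDARY,
    b"Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data",
    b"Content-Transfer-Encoding: binary",
    b'Content-Disposition: attachment; filename="smime.p7s"',
    b"",
    FAKE_DER,
    b"--" + BOUNDARY + b"--",
    b"",
])


def _split_headers(entity):
    """Split a MIME entity at its first blank line -> (headers, eol, body); eol is CRLF or LF."""
    found = [(entity.find(s), s) for s in (b"\r\n\r\n", b"\n\n") if s in entity]
    if not found:
        raise ValueError("no blank line between headers and body")
    idx, sep = min(found)
    return entity[:idx], sep[: len(sep) // 2], entity[idx + len(sep):]


def _header(headers, name):
    """Unfolded value of header `name` (case-insensitive), or None."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", headers)
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*(.*)$", unfolded)
    return m.group(1).strip() if m else None


def _parse_signed_mdn(mdn):
    """Split a multipart/signed MDN on its boundary and decode the signature part.
    Returns (outer_headers, eol, delimiter, pieces, sig_headers, cte, der)."""
    outer_headers, eol, body = _split_headers(mdn)
    ctype = _header(outer_headers, b"Content-Type") or b""
    m = re.search(rb'boundary="?([^";\s]+)"?', ctype, re.I)
    if not ctype.lower().startswith(b"multipart/signed") or not m:
        raise ValueError("not a multipart/signed message with a boundary")
    delimiter = b"--" + m.group(1)
    pieces = body.split(delimiter)
    if len(pieces) < 4:  # preamble, signed content, signature, closing "--"
        raise ValueError("expected exactly two body parts")
    # Drop the line break that follows the delimiter and the one that precedes the next.
    sig_part = pieces[2][len(eol):] if pieces[2].startswith(eol) else pieces[2]
    sig_headers, _, sig_body = _split_headers(sig_part)
    sig_body = sig_body[: -len(eol)] if sig_body.endswith(eol) else sig_body
    if b"pkcs7-signature" not in (_header(sig_headers, b"Content-Type") or b"").lower():
        raise ValueError("second part is not an application/pkcs7-signature")
    cte = (_header(sig_headers, b"Content-Transfer-Encoding") or b"binary").lower()
    if cte == b"base64":
        der = base64.b64decode(sig_body)
    elif cte == b"quoted-printable":
        der = quopri.decodestring(sig_body)
    elif cte in (b"binary", b"7bit", b"8bit"):
        der = sig_body
    else:
        raise ValueError("unsupported Content-Transfer-Encoding %r" % cte)
    if not der.startswith(b"\x30"):  # PKCS#7 ContentInfo is a DER SEQUENCE
        raise ValueError("signature body does not look like DER")
    return outer_headers, eol, delimiter, pieces, sig_headers, cte, der


def signature_der(mdn):
    """Raw DER PKCS#7 blob from the signature part (feed to `openssl asn1parse -inform DER`)."""
    return _parse_signed_mdn(mdn)[6]


def rebase64_signature(mdn):
    """Return the MDN with its signature part re-encoded as base64.
    The signed content (pieces[1]) is copied through byte-for-byte because the
    signature covers exactly those bytes; an already-base64 message is returned as is."""
    outer_headers, eol, delimiter, pieces, sig_headers, cte, der = _parse_signed_mdn(mdn)
    if cte == b"base64":
        return mdn
    if _header(sig_headers, b"Content-Transfer-Encoding") is None:
        sig_headers += eol + b"Content-Transfer-Encoding: base64"
    else:
        sig_headers = re.sub(rb"(?im)^Content-Transfer-Encoding:[^\r\n]*",
                             b"Content-Transfer-Encoding: base64", sig_headers, count=1)
    b64 = base64.encodebytes(der).rstrip(b"\n").replace(b"\n", eol)  # 76-column lines
    pieces[2] = eol + sig_headers + eol + eol + b64 + eol
    return outer_headers + eol + eol + delimiter.join(pieces)
```

Write the bytes returned by rebase64_signature() to a file and verify it the usual way, e.g. openssl smime -verify -in mdn-base64.mime -CAfile partner-ca.pem (file names are placeholders). The byte-level splitting, rather than Python's email package, is deliberate: a MIME library may re-fold headers or normalise line endings in the first part, which would invalidate the signature it carries.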

OpenAS2 uses the content_transfer_encoding value on the receiving partnership to determine the transfer encoding:
https://github.com/OpenAS2/OpenAs2App/blob/master/Server/src/main/java/org/openas2/processor/receiver/AS2ReceiverHandler.java#L639

The actual signature algorithm is defined by the sender of the AS2 message. If OpenAS2 is sending the message, the signature algorithm is defined in this attribute on the sending partnership:

If no content_transfer_encoding is defined for the receiving partnership then the MDN sent back to the sender defaults to binary.

Doh! That makes perfect sense, and solves the issue completely.

Thank you!