Certificate Request Info on a PKCS#10 to be signed

I'm writing code that has to create a PKCS#10. To do that, I have to sign my "Certificate Request Info", but when I do, the application says that the signature is invalid.

I'm using OpenSSL.exe to verify the P10, and the error was: "ASN1_CHECK_TLEN: wrong tag". I think I'm signing what I shouldn't, so my question is, what's the exact format of the "Certificate Request Info" that I have to sign?

I know that it must start with a sequence, but the P10 spec says:

"The signature process consists of two steps:

  1. The value of the certificationRequestInfo component is DER encoded, yielding an octet string.
  2. The result of step 1 is signed with the certification request subject’s private key under the specified signature algorithm, yielding a bit string, the signature."

I'm not sure if the start must be a SEQUENCE (0x30 0x82 "the length>256"), or an OCTET STRING (0x04 0x82 "the length>256"), according to ASN.1.

If someone could please give me an answer like the one on this post, I would be the happiest man in the world. Thanks very much:

PKCS#10 request for a object key pair from PKCS#11

Regards, David M.


The step #1 of the PKCS#10 standard talks about an octet string as the result of the certificationRequestInfo element encoding and does not refer to an ASN.1 type. The request signature is computed on this DER-encoding and therefore the to-be-signed object is an ASN.1 SEQUENCE and not an OCTET STRING.
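The answer's point, as an added example that is not part of the original thread: the bytes to sign are the complete certificationRequestInfo TLV, starting at its own `0x30` tag and including the length header. The CSR below is constructed with dummy key and signature bytes, and the helper names (`read_tlv`, `tbs_bytes`, `der`, `digest_to_sign`) are hypothetical.

```python
import hashlib

def read_tlv(buf, off=0):
    """Return (tag, header_len, content_len) for the DER TLV at offset off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER here")
    return tag, 2 + n, int.from_bytes(buf[off + 2: off + 2 + n], "big")

def tbs_bytes(csr_der):
    """Extract the to-be-signed bytes from a DER CertificationRequest."""
    tag, hlen, clen = read_tlv(csr_der)
    if tag != 0x30 or hlen + clen != len(csr_der):
        raise ValueError("outer CertificationRequest SEQUENCE expected")
    tag, ihlen, iclen = read_tlv(csr_der, hlen)
    if tag != 0x30:
        raise ValueError("certificationRequestInfo must be a SEQUENCE")
    # Keep tag and length bytes: the signature covers the whole TLV.
    return csr_der[hlen: hlen + ihlen + iclen]

def digest_to_sign(csr_der):
    """SHA-256 over the full SEQUENCE TLV (input to sha256WithRSAEncryption)."""
    return hashlib.sha256(tbs_bytes(csr_der)).hexdigest()

def der(tag, content):
    """Encode one TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample: structurally valid CSR skeleton, dummy key and signature.
RSA_ALG = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
SIG_ALG = der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
SPKI = der(0x30, RSA_ALG + der(0x03, b"\x00" + bytes(270)))
INFO = der(0x30, b"\x02\x01\x00" + der(0x30, b"") + SPKI + der(0xA0, b""))
CSR = der(0x30, INFO + SIG_ALG + der(0x03, b"\x00" + bytes(256)))

if __name__ == "__main__":
    print("TBS starts with:", tbs_bytes(CSR)[:4].hex())    # SEQUENCE, long form
    print("digest to sign :", digest_to_sign(CSR))
```

Hashing only the SEQUENCE contents, or the encoding re-wrapped in an OCTET STRING (`0x04`), gives a different digest, so the resulting signature will not verify.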
