tpm2-tss-engine

How does tpm2-tss-engine generate a CSR, specifically the detailed process?

Open bronzeMe opened this issue 4 months ago • 0 comments

  • Command 1: tpm2tss generates a CSR by using the persistent handle: openssl req -new -engine tpm2tss -keyform engine -out client.csr -key 0x81010003
  • Command 2: OpenSSL natively generates a CSR using: openssl req -new -key client.key -out client.csr -subj "/CN=TPM AK"
  • For command 2, OpenSSL first constructs an unsigned CSR structure (extracting the public key information from the private key and filling the public key as a field in the CSR), then uses the private key to sign the CSR, and finally outputs a signed CSR.
  • For command 1, I understand that we can only obtain the public key from the TPM handler. How does the tpm2-tss-engine source code construct an unsigned CSR with only the public key, given that the private key cannot be retrieved from the TPM? My understanding is that it first exports the public key from the TPM handler to construct a CSR to be signed, and then calls the TPM's signing function to sign this unsigned CSR. Our goal is to understand and learn how to manually construct a CSR structure to be signed using only the public key.

Thanks a lot.

bronzeMe avatar Oct 09 '24 04:10 bronzeMe
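The question above is how a CSR can be built when the process holds only the public key and the private key never leaves the TPM. The following Go program is an added example and is not the tpm2-tss-engine's own code (that engine is C against OpenSSL's ENGINE API); it shows the same division of labour that X509_REQ_sign relies on: the X.509 library fills the subject and public key into CertificationRequestInfo, DER-encodes it, hashes it, and only then calls the key object's Sign method with the digest. The key object here implements Go's crypto.Signer interface, which needs nothing but Public() and Sign(); an in-process ECDSA P-256 key stands in for the TPM and is labelled as that assumption in the code. Any real implementation would replace signFn with a call against the persistent handle.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
)

// tpmSigner stands in for a TPM-resident key: only the public half is held in
// memory, and every signing request is forwarded to signFn. In a real engine
// signFn would be the TPM sign call against the persistent handle; here it is
// backed by an in-process ECDSA key (assumption: this simulates the TPM).
type tpmSigner struct {
	pub        crypto.PublicKey
	signFn     func(digest []byte) ([]byte, error)
	lastDigest []byte // what the library actually handed us to sign
}

func (s *tpmSigner) Public() crypto.PublicKey { return s.pub }

// Sign receives the SHA-256 digest of the DER-encoded CertificationRequestInfo.
// It never sees a private key and never sees the unsigned structure itself.
func (s *tpmSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	s.lastDigest = append([]byte(nil), digest...)
	return s.signFn(digest)
}

// newSimulatedTPM generates the stand-in key and exposes only its public key
// plus a closure that signs digests on its behalf.
func newSimulatedTPM() (*tpmSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &tpmSigner{
		pub: &priv.PublicKey,
		signFn: func(digest []byte) ([]byte, error) {
			return ecdsa.SignASN1(rand.Reader, priv, digest)
		},
	}, nil
}

// buildCSR lets the x509 package construct CertificationRequestInfo from the
// subject and signer.Public(), hash it, and call signer.Sign with the digest.
// The returned bytes are the complete DER-encoded, signed CSR.
func buildCSR(signer crypto.Signer, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
}

// verifyCSR parses the DER CSR and checks its self-signature with the public
// key embedded in the request, which is the check a CA performs on receipt.
func verifyCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

func main() {
	signer, err := newSimulatedTPM()
	if err != nil {
		panic(err)
	}
	der, err := buildCSR(signer, "TPM AK")
	if err != nil {
		panic(err)
	}
	csr, err := verifyCSR(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSR for CN=%s, signer received a %d-byte digest\n",
		csr.Subject.CommonName, len(signer.lastDigest))
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})))
}
```

The point to take from the run is the 32-byte digest: the signing side only ever receives SHA-256(CertificationRequestInfo), so a TPM that can produce a signature over an externally supplied digest is sufficient, and the unsigned request structure is built entirely from the public key and subject that the caller already has.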