nodejs · fru1tworld · May 13, 2026 · May 13, 2026 · May 14, 2026 · Renegade334
diff --git a/src/crypto/crypto_spkac.cc b/src/crypto/crypto_spkac.cc
@@ -11,6 +11,7 @@
 namespace node {
 
 using ncrypto::BIOPointer;
+using ncrypto::MarkPopErrorOnReturn;
 using v8::Context;
 using v8::FunctionCallbackInfo;
 using v8::Local;
@@ -40,8 +41,13 @@ void ExportPublicKey(const FunctionCallbackInfo<Value>& args) {
   if (!input.CheckSizeInt32()) [[unlikely]]
     return THROW_ERR_OUT_OF_RANGE(env, "spkac is too large");
 
+  MarkPopErrorOnReturn mark_pop_error_on_return;
   BIOPointer bio = ncrypto::ExportPublicKey(input.data(), input.size());
-  if (!bio) return args.GetReturnValue().SetEmptyString();
+  if (!bio) {
+    return ThrowCryptoError(env,
+                            mark_pop_error_on_return.peekError(),
+                            "Failed to export public key from SPKAC");
+  }
 
   auto pkey = ByteSource::FromBIO(bio);
   args.GetReturnValue().Set(pkey.ToBuffer(env).FromMaybe(Local<Value>()));

diff --git a/test/parallel/test-crypto-certificate.js b/test/parallel/test-crypto-certificate.js
@@ -49,7 +49,13 @@ function checkMethods(certificate) {
     stripLineEndings(certificate.exportPublicKey(spkacValid).toString('utf8')),
     stripLineEndings(spkacPublicPem.toString('utf8'))
   );
-  assert.strictEqual(certificate.exportPublicKey(spkacFail), '');
+  // Refs: https://github.com/nodejs/node/issues/63264
+  // exportPublicKey surfaces internal OpenSSL failures (including invalid
+  // SPKAC input) via an exception, rather than silently returning ''.
+  assert.throws(
+    () => certificate.exportPublicKey(spkacFail),
+    (err) => err instanceof Error && /^ERR_OSSL_/.test(err.code),
+  );
 
   assert.strictEqual(
     certificate.exportChallenge(spkacValid).toString('utf8'),