I am using tomcat8 Server, .bouncycastle for Document signature.
one war file already running on my server. when i have deployed new war file for my second project then Getting below exception.
I have hit and trial every link on stackoverflow but not luck
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading
Illegal access: this web application instance has been stopped
already. Could not load
[org.bouncycastle.jcajce.provider.digest.GOST3411$Mappings]. The
following stack trace is thrown for debugging purposes as well as to
attempt to terminate the thread which caused the illegal access.
java.lang.IllegalStateException: Illegal access: this web application
instance has been stopped already. Could not load
public static void xmlSigner(File xmlFile,String pfxFilePath){
try{
File pfxFile=new File(pfxFilePath);
Security.addProvider(new BouncyCastleProvider());
log.info("Above key store ");
KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
log.info("below key store ");
keyStore.load(new FileInputStream(pfxFile),password.toCharArray());
log.info("load pfx file key store ");
String alias = (String) keyStore.aliases().nextElement();
PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, password.toCharArray());
Certificate[] certificateChain = keyStore.getCertificateChain(alias);
X509Certificate publickeyCertificate = (X509Certificate) certificateChain[certificateChain.length - 1];
//log.info("privateKey : " + privateKey);
//log.info("xmlSigner : " + xmlFile);
log.info("SignerClient - Above Sign and Zip");
SignerUtil.signAndzipFile(xmlFile, privateKey, publickeyCertificate);
log.info("Successfully Signed");
}
catch(Exception xmlSignerException){
log.error("xmlSigner : ", xmlSignerException);
xmlSignerException.printStackTrace();
}
}
i am getting exception on below line
KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
I have face the same issue, Tomcat restart has resolved the issue.
keystore = KeyStore.getInstance("PKCS12", "BC");
// java.security.KeyStoreException: PKCS12 not found
Caused by: java.security.NoSuchAlgorithmException: class configured for KeyStore (provider: BC) cannot be found.
at java.security.Provider$Service.getImplClass(Provider.java:1649)
at java.security.Provider$Service.newInstance(Provider.java:1592)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.security.Security.getImpl(Security.java:698)
at java.security.KeyStore.getInstance(KeyStore.java:896)
... 11 more
Caused by: java.lang.ClassNotFoundException: Illegal access: this web application instance has been stopped already. Could not load [org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$BCPKCS12KeyStore]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1354)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1211)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1172)
at java.security.Provider$Service.getImplClass(Provider.java:1636)
... 16 more
Caused by: java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$BCPKCS12KeyStore]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1364)
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1352)
... 19 more
Please first check that org.bouncycastle has many versions. Keep one version, and if use tomcat, restart tomcat.
Related
I'm using wso2is-5.5.0. I'm trying to enable Multi factor authentication for Identity Server. I have done by following this link https://docs.wso2.com/display/IS530/Configuring+Multi-factor+Authentication+for+WSO2+IS. After restarting while login to management console, it is redirecting to one page showing
SAML 2.0 based Single Sign-On
Error when processing authentication request!
Please try login again!
In console,
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default pa
rameters
Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1140)
at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1083)
at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:452)
... 66 more
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
at javax.crypto.Cipher.implInit(Cipher.java:801)
at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
at javax.crypto.Cipher.init(Cipher.java:1249)
at javax.crypto.Cipher.init(Cipher.java:1186)
at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1137)
... 68 more
I have downloaded JCE jars for Java 8 and placed in C:\Program Files\Java\jre1.8.0_171\lib\security
Still problem persists.
This exception is thrown, not due to an issue of the Identity Server.
Reason for this issue could be, JCE file is not installed to your JRE properly. But as you have added/replaced local_policy.jar and US_export_policy.jar files, please run the following test code to check whether it is applied properly.
public class JCETest {
public static void main(String args[]) {
int maxKeyLen = 0;
try {
maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
} catch (NoSuchAlgorithmException e) {
Assert.fail();
}
Assert.assertEquals(2147483647, maxKeyLen);
System.out.println(maxKeyLen);
}
}
You should get the following as output, If JCE is successfully installed:
AES key size should be equal to the 2147483647 if JCE files has been installed successfully.
More information is in http://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters
I'm trying to get an instance of org.apache.ws.security.components.crypto.Merlin using org.apache.ws.security.components.crypto.CryptoFactory specifically the CryptoFactory.getInstance(properties) method.
This will consistantly throw
java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance
which evantually is caused by
java.security.UnrecoverableKeyException: Password verification failed
The password on the keystore file has been checked with the keytool on the command line and is correct.
the keystore is generated via the following process:
Which is in the root directory of the eclipse porject.
The test applciation is as follows:
public class App {
public static void main(String[] args) throws CredentialException,
IOException {
System.out.println("Starting");
Properties p = new Properties();
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password",
"password");
p.setProperty("org.apache.ws.security.crypto.provider",
"org.apache.ws.security.components.crypto.Merlin");
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type",
"jks");
p.setProperty("org.apache.ws.security.crypto.merlin.file", "./testkeystore.jks");
Crypto crypto = CryptoFactory.getInstance(p);
System.out.println(" Complete ");
}
}
and the following exception is generated:
Exception in thread "main" java.lang.RuntimeException: org.apache.ws.security.components.crypto.Merlin cannot create instance
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:225)
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:180)
at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:73)
at com.restart.test.cryptotest2.App.main(App.java:22)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at org.apache.ws.security.components.crypto.CryptoFactory.loadClass(CryptoFactory.java:211)
... 3 more
Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.
at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:174)
at org.apache.ws.security.components.crypto.AbstractCrypto.<init>(AbstractCrypto.java:135)
at org.apache.ws.security.components.crypto.Merlin.<init>(Merlin.java:71)
... 8 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:168)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 13 more
The password as indicated in the cmd window is set to "password" , but by all accounts the application is rejecting it, I can change the password using keytool -storepasswd with no issues, So i know the the password I am providing is correct; can anyone suggest what may be going wrong here? I've been trying to debug this unsuccessfully for full a day now.
If there is any additional information I can provide please let me know.
edit --
the folloing maven dependency is required to build this test:
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
<version>1.5.8</version>
<scope>provided</scope>
</dependency>
After reading the comments from User I built it against a different version of the JDK/JRE and it worked, after downloading the sources for rt.java and stepping through I found that the CryptoBase class was instantiating two JavaKeyStores, the first (being my .jks file) which instantiated fine, but the second was the cacerts keystore in jre\lib\security> which did not have the default password of changeit which was causing the failure;
I have now changed the password on the jre keystore and I'm working fine in my original jre/jdk.
I think your problem is related with libraries because stacktrace says
'org.apache.ws.security.components.crypto.Merlin cannot create instance'
it means you don't have (o have an incorrect version) of WSS4J library.
i am trying to put a basic digital signature on a pdf file. i am trying to use the code provided on the itext website.The code is as follows-
public class DigiSign {
public static void main(String a[])
{
try {
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream("C:\\WSR\\keystore.ks"), "password".toCharArray());
String alias = (String) ks.aliases().nextElement();
PrivateKey key = (PrivateKey) ks.getKey(alias, "password".toCharArray());
java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
PdfReader reader = new PdfReader("C:\\WSR\\a.pdf");
FileOutputStream fout = new FileOutputStream("C:\\WSR\\signed.pdf");
PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
sap.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
sap.setReason("arpit");
sap.setLocation("arpit");
// comment next line to have an invisible signature
sap.setVisibleSignature(new Rectangle(10, 10, 20, 20), 1, null);
stp.close();
} catch (Exception ex) {
Logger.getLogger(DigiSign.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
i created the key using
keytool -genkey -keyalg RSA -alias myname -keypass password -keystore keystore.ks -dname "cn=Paulo Soares, c=PT"
and set abc123 as my password.
Now when i run this code i get this exception
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/DEREncodable
at com.lowagie.text.pdf.PdfSignatureAppearance.getAppearance(Unknown Source)
at com.lowagie.text.pdf.PdfSignatureAppearance.preClose(Unknown Source)
at com.lowagie.text.pdf.PdfSignatureAppearance.preClose(Unknown Source)
at com.lowagie.text.pdf.PdfStamper.close(Unknown Source)
at DigiSign.main(DigiSign.java:42)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.DEREncodable
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
What am i doing wrong?
(Just to formulate the cause as an answer which has been presented as a comment before:)
For security low level operations iText is based on the BouncyCastle libraries. This especially concerns creation and verification of integrated PDF signatures but also handling of encrypted documents. In these use cases, therefore, the appropriate BouncyCastle provider libs are required on the class path of the application.
The primary exception information
java.lang.NoClassDefFoundError: org/bouncycastle/asn1/DEREncodable
indicates that this requirement is not fullfilled, either BouncyCastle is not present at all or at least not present in the required version. This meanwhile has been confirmed by #user1946152 for his configuration.
P.S.: Obviously in the case at hand the OP still uses a pre-5.x version of iText. While there are certain conditions enforcing this (e.g. a management not being willing to decide when to buy a license sigh), you should definitively update to a current version of iText. There meanwhile have been many big changes, especially in the fields of electronic signatures, content parsing, and creation of PDF/A documents.
I am working with a Java Web application and I need to generate a MAC using 3DES algorithm. Code is working without problems on a Weblogic 10.3 but the problem came when I tried to run the application in a different Weblogic, similar version (10.3.1).
This is my code:
public String getMac(String inkey, String data) throws Exception {
byte[] out = new byte[8];
try {
// if I commend this line, the result is the same
Security.addProvider(new BouncyCastleProvider());
// this loop proves the BC provider is there
for (Provider p : Security.getProviders()) {
log.debug("--");
log.debug(p.getName());
log.debug(p.getInfo());
}
try {
BouncyCastleProvider bc = new BouncyCastleProvider();
// class is there, no problem
log.debug("info" + bc.getInfo());
DES9797Alg3 alg3 = new DES9797Alg3();
// class is there, no problem
log.debug("alg3" + alg3.toString());
} catch (Exception e) {
log.error("error BouncyCastleProvider classes");
}
log.debug("length: " + inkey.length());
if (inkey.length() < 48)
inkey += inkey.substring(0, 16);
byte[] rawkey = hexStringToByteArray(inkey);
DESedeKeySpec keyspec = new DESedeKeySpec(rawkey);
SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("DESede");
SecretKey key = keyfactory.generateSecret(keyspec);
Mac mac = Mac.getInstance("ISO9797Alg3Mac");
mac.init(key);
mac.update(data.getBytes());
mac.doFinal(out, 0);
} catch (Exception e) {
log.error("Error generating MAC X9_19", e);
throw new Exception("Error generating MAC X9_19", e);
}
And this is the error I get:
Caused by: java.security.InvalidKeyException: No installed provider supports this key: com.sun.crypto.provider.DESedeKey
at javax.crypto.Mac.a(DashoA13*..)
at javax.crypto.Mac.init(DashoA13*..)
at es.indra.netplus.sec.services.util.UtilMac.getMac(UtilMac.java:180)
... 73 more
Caused by: java.security.NoSuchAlgorithmException: class configured for Mac(provider: BC)cannot be found.
at java.security.Provider$Service.getImplClass(Provider.java:1268)
at java.security.Provider$Service.newInstance(Provider.java:1220)
... 76 more
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.JCEMac$DES9797Alg3
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:283)
at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:256)
at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:54)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:176)
at weblogic.utils.classloaders.ChangeAwareClassLoader.loadClass(ChangeAwareClassLoader.java:35)
at java.security.Provider$Service.getImplClass(Provider.java:1262)
I do no understand why error says that org.bouncycastle.jce.provider.JCEMac$DES9797Alg3 is not there. It is possible that 'java.security' is looking in another place? I have requested to the server administrator to copy the library in the endorsed directory, but not I am not sure if this is going to work and way this is happening.
Notice that even if I remove 'Security.addProvider(new BouncyCastleProvider());' line, in the list of available providers, BC is listed.
This is the list of providers I got:
-- -- --
CSSX509CertificateFactoryProvider
CSS JDK CertPath provider
1.0
-- -- --
SUN
SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
1.6
-- -- --
SunRsaSign
Sun RSA signature provider
1.5
-- -- --
SunJSSE
Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
1.6
-- -- --
SunJCE
SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC)
1.6
-- -- --
SunJGSS
Sun (Kerberos v5, SPNEGO)
1.0
-- -- --
SunSASL
Sun SASL provider(implements client mechanisms for: DIGEST-MD5, GSSAPI, EXTERNAL, PLAIN, CRAM-MD5; server mechanisms for: DIGEST-MD5, GSSAPI, CRAM-MD5)
1.5
-- -- --
XMLDSig
XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory)
1.0
-- -- --
SunPCSC
Sun PC/SC provider
1.6
-- -- --
WebLogicCertPathProvider
WebLogic CertPath Provider JDK CertPath provider
1.0
-- -- --
WLSJDKCertPathProvider
WebLogic JDK CertPath provider
1.0
-- -- --
BC
BouncyCastle Security Provider v1.46
1.46
BC is there, moreover, the same version I got inside my war file.
I have googled many hours with no luck, hope someone can point me to the right direction.
After spending many hours on google trying to fix the error doing change in the code, the problem was solved adding the library in the server domain lib directory. Anyway, I still do not understand why this happens.
I'm currently working on getting a Java application (JRE 1.5+) to talk to a Windows 2008 OCSP Responder, and I'm getting a strange error on trying to read the Responder's signing cert.
I get the following exception on trying to perform an OCSP validation.
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
at sun.security.x509.X509CertInfo.<init>(Unknown Source)
at sun.security.x509.X509CertImpl.parse(Unknown Source)
at sun.security.x509.X509CertImpl.<init>(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
... 6 more
Caused by: java.io.IOException: short read on DerValue buffer
at sun.security.util.DerValue.getOctetString(Unknown Source)
at sun.security.x509.Extension.<init>(Unknown Source)
at sun.security.x509.CertificateExtensions.init(Unknown Source)
at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
at sun.security.x509.X509CertInfo.parse(Unknown Source)
... 11 more
This suggested there was a problem reading the signing cert, so I tried importing that separately using a method similar to the below:
public static List<Certificate> readCerts(String certFile,
CertificateFactory cf, boolean withCRL) throws Exception {
FileInputStream fis = new FileInputStream(certFile);
BufferedInputStream bis = new BufferedInputStream(fis);
List<Certificate> certs = new LinkedList<Certificate>();
while (bis.available() > 0) {
Certificate cert = cf
.generateCertificate(bis);
X509Certificate cx509 = (X509Certificate) cert;
certs.add(cert);
}
return certs;
}
which gave me the same error. This only seems to happen with certificates generated from the OCSP Signing template, user certificates can be read fine.
Has anyone else encountered similar problems with X509 support in Java?
Regards,
Tom
UPDATE: The cert I'm having trouble with is as below:
-----BEGIN CERTIFICATE-----
MIIDzDCCArSgAwIBAgIKYQWrDAAAAAAABjANBgkqhkiG9w0BAQUFADBFMRMwEQYK
CZImiZPyLGQBGRYDaW50MRUwEwYKCZImiZPyLGQBGRYFbG9ucWExFzAVBgNVBAMT
DmxvbnFhLVRFLUNBLUNBMB4XDTA5MDkyMTE2NDIxNloXDTA5MTAwNTE2NDIxNlow
GjEYMBYGA1UEAxMPdGUtY2EubG9ucWEuaW50MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA6rYO7X/PztBE2Do9u95ws3Ob86cySJ1iLrHLSF+VjvTQkZ3J
e0uKxoK4doSikqCZH9zXZ6qFFVMZlzq/FnIP9TLhv3uFom0y+Z0HmPAW7RtrZ8R6
1EAmcQDGpyRhzCWJqrEzgbW1v1QtF854kium97GwUWnVijGv3jQqT3hbmD7++9lh
9ILaLXMAKdTFpL1ao2eHWYf2mChRpuAox2juO1g4xjot9GXsEMhTwAg9F/pZnbKE
hhpeo1c0kgP3uus7ULlwdRnZ4O+tp79GeVKsdJbphmnC6Fc/PdT0KuHSk9Q0v192
Ger5nTQaZk/dmsyGBd8g4Q+0g0Ri+wgpUUsykQIDAQABo4HoMIHlMDYGCSsGAQQB
gjcVBwQpMCcGHysGAQQBgjcVCIHPgWyXxQ2ChYcyg8LhMoWky3ppASACAWUCAQAw
EwYDVR0lBAwwCgYIKwYBBQUHAwkwDgYDVR0PAQH/BAQDAgeAMBsGCSsGAQQBgjcV
CgQOMAwwCgYIKwYBBQUHAwkwDQYJKwYBBQUHMAEFBAAwHQYDVR0OBBYEFNblspp7
Hu07mraeMSyuBUTUnbl3MB8GA1UdIwQYMBaAFK/r521FB+GNls/fe8hrNE8UpQhv
MBoGA1UdEQQTMBGCD3RlLWNhLmxvbnFhLmludDANBgkqhkiG9w0BAQUFAAOCAQEA
FASEVcUJQlrmCD/ysycOxAIAoc2BVLhteOMoZ7V65a5/+Q5JM7Od+gKqoxLVrjb2
BDLlDFp5U8CirQ4lyWV5i1gQpLFTDcjgonp9Ky50KA0Ginn5CmTELB2THwFSQwfm
OFenSaV1mAcEzdyp/hi2xSuMqhveSanQFD0r6y45oZsd9ubdFEWI6nBRrj4hhfw0
Wo2GKUgslXqAqEezdin5JNgsPdj3qsi4+U4llyrd3gG20eoWzGHF4h7wfFiQV+fs
yEPY06Rg9G9m3GlIv+7Gp3sixb+cvZe+e0gO32mVRydTXMaAZu7ZiFk3M6AqxfDw
dO//eCu2dZCLTw6xTbUc9A==
-----END CERTIFICATE-----
I assume you get your factory like this,
cf = CertificateFactory.getInstance("X509");
The default X509 factory has many limitations. It looks like your cert contains an extension the factory doesn't know how to parse. If you post the cert, I can help you to identify the offending extension.
EDIT: The offending extension is
1.3.6.1.5.5.7.48.1.5 - id-pkix-ocsp-nocheck
The only option is to remove this from the cert with Java built-in JCE. You can also try another JCE like BouncyCastle.