// called by ClientHandshaker with either the server's static or ephemeral public key
SecretKey getAgreedSecret(PublicKey peerPublicKey) {
try {
KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
ka.init(privateKey);
ka.doPhase(peerPublicKey, true);
return ka.generateSecret("TlsPremasterSecret");
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not generate secret", e);
}
}