by Ben Rampling posted on 2005/06/14
I think I've found a problem with GetCertificates in CertificateChain:
I have an application where I use the "additional" argument of the CertificateChain constructor to include an intermediate CA that is not in the registry certificate stores. The chain I expect is:
CA (In registry) -> SubCA (Loaded as a file) -> ClientCert (From browser)
The verification succeeds because Windows builds the chain correctly, but the GetCertificates method rebuilds a chain that can be different from the one Windows SSPI used for verification(!). In my application, it does not use the additional certificate store when building the chain. This prevents additional verification of the chain. :(