diff --git a/tests/meson.build b/tests/meson.build
index 7e7f00bd..03119db0 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -140,6 +140,7 @@ tests = {
   'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
   'ecxc': {'suites': ['softhsm', 'kryoptic']},
   'cms': {'suites': ['softokn', 'kryoptic']},
+  'pinlock': {'suites': ['kryoptic']},
 }
 
 test_wrapper = find_program('test-wrapper')
diff --git a/tests/tpinlock b/tests/tpinlock
new file mode 100755
index 00000000..d5921cd0
--- /dev/null
+++ b/tests/tpinlock
@@ -0,0 +1,79 @@
+#!/bin/bash -e
+# Copyright (C) 2022 Simo Sorce <simo@redhat.com>
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Test PIN lock prevention"
+
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin"
+OPENSSL_CONF=${OPENSSL_CONF}.nopin
+
+BADPIN="bad"
+export BADPINURI="${PRIURI}?pin-value=${BADPIN}"
+export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}"
+
+FAIL=0
+pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "PIN initialized" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Failed to detect PIN status"
+    exit 1
+fi
+
+# Kryoptic allows for 10 tries by default
+for i in {1..10}; do
+    echo "Login attempt: $i"
+    pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -l -T -p "${BADPIN}" && false
+    DETECT=0
+    pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "final user PIN try" && DETECT=1
+    if [ $DETECT -eq 1 ]; then
+        break
+    fi
+done
+FAIL=0
+pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "final user PIN try" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Failed to reach "final try" status"
+    exit 1
+fi
+
+# Now we test one operation with a bad pin.
+# It should fail but not lock the token
+title LINE "Try op with bad pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${BADPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Operation should have failed, pin lock prevention not working"
+    exit 1
+fi
+
+# Now we test one operation with a good pin.
+# It should fail because the token is on last try
+title LINE "Try op with good pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Operation should have failed, pin lock prevention not working"
+    exit 1
+fi
+
+
+# Now reset the token counter with a good try
+pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -l -T -p "${PINVALUE}"
+
+# Now we test one operation with a good pin.
+# It should succeed
+title LINE "Try op with good pin and succeed"
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin'
+
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}